Community Member

IPSEC VPN with static NAT

So, I am trying to figure out how to make this VPN work with static nat. I read the instructions here:

But when I try to do the same, I have issues. The VPN I have setup works just fine, but because I have another computer with port 22 NATed from the outside interface, the VPN users cannot reach that computer through that port. The instructions provide this line:

ip nat inside source static route-map nonat

and the line I have is this:

ip nat inside source static tcp 22 interface Cable-Modem0/0/0 22

The problem I have is that since I have the interface Cable-Modem0/0/0, I cannot add the route-map <name> option. I cannot change the interface portion due to the fact that it is assigned a dynamic ip. Could someone point me in the right direction to figuring this out?



Community Member

Re: IPSEC VPN with static NAT

Never mind. I seem to have fixed it. Here is what I did:

I used the trick that is used to forward a range of ports into the network. First, I started out by creating a NAT pool:

ip nat pool 192.168.1.x 192.168.1.x netmask type rotary

Where "x" is the same number and equal to the inside computer you wish to forward ports to. I then created an extended access-list:

ip access-list extended

deny   ip any

permit tcp any any eq 22

permit tcp any any eq www

Where the is the subnet of the VPN and the following permits are the ports you wish to forward. Next, the command that ties these together:

ip nat inside destination list pool

Then I just removed these commands:

ip nat inside source static tcp 192.168.1.x 22 interface Cable-Modem0/0/0 22

ip nat inside source static tcp 192.168.1.x 80 interface Cable-Modem0/0/0 80

Now the ports can be accessed from both outside the network as well as from the VPN.

I hope this helps someone!
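For readers who want to see the rotary-pool technique from the post above laid out end to end, here is an added configuration example. It is not the poster's own config: the pool name, ACL name, the inside host 192.168.1.10, the VPN client subnet 10.10.10.0/24 and the LAN interface Vlan1 are all assumed placeholders, and the real outside interface keeps the poster's name Cable-Modem0/0/0 because it carries a dynamic address.

```cisco
! Added example, not the poster's configuration. All names and addresses below are assumed.
!
! 1. A one-address "rotary" pool pointing at the inside host that should receive
!    the forwarded ports (the poster's 192.168.1.x). Rotary pools are what
!    "ip nat inside destination" translates to, so the router's dynamic outside
!    address never has to appear in the configuration.
ip nat pool SSH-WEB-HOST 192.168.1.10 192.168.1.10 netmask 255.255.255.0 type rotary
!
! 2. The extended ACL that selects which inbound packets get their destination
!    rewritten. The deny for the VPN client subnet (assumed 10.10.10.0/24) keeps
!    traffic addressed to VPN clients from being redirected; the permits are the
!    forwarded ports, exactly as in the post.
ip access-list extended FORWARD-PORTS
 deny   ip any 10.10.10.0 0.0.0.255
 permit tcp any any eq 22
 permit tcp any any eq www
!
! 3. Tie the ACL to the pool: packets entering the NAT-outside interface that
!    match FORWARD-PORTS have their destination rewritten to 192.168.1.10, whether
!    they came from the Internet or arrived through the IPsec tunnel.
ip nat inside destination list FORWARD-PORTS pool SSH-WEB-HOST
!
! 4. NAT domain assignments (interface names assumed).
interface Cable-Modem0/0/0
 ip nat outside
!
interface Vlan1
 ip nat inside
!
! The per-port static translations the poster removed are intentionally absent:
!   no ip nat inside source static tcp 192.168.1.10 22 interface Cable-Modem0/0/0 22
!   no ip nat inside source static tcp 192.168.1.10 80 interface Cable-Modem0/0/0 80
```

A point worth checking after applying this: `permit tcp any any eq 22` exposes SSH on the inside host to every source that reaches the outside interface, just as the original static translation did. If only a known set of clients needs SSH, replacing the first `any` with that source range narrows the exposure without changing how the VPN users reach the host, and `show ip nat translations` will confirm which flows are actually being rewritten.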



Cisco Employee

Re: IPSEC VPN with static NAT


Thanks for the follow-up. I'm just not sure I understand how you can still access port 22 from outside the vpn tunnel.

If I understand correctly, you no longer specify that Cable-Modem0/0/0 port 22 needs to be translated to 192.168.1.x port 22 ?

