Cisco Support Community

New Member

Static PAT entry blocking Branch site from accessing resource on same port. How to get around this?

Hello, I have a UC560 and UC540 connected using an IPSec Site to Site tunnel.


There is a server on the main site they are trying to access (let's say IP is ) and they need to access this server on ports 13000, 14000, and 15000.


Unfortunately, since there are users from the internet and other places that need to access this server on these ports, these static PAT entries are in the server (let's say is the WAN IP):

ip nat inside source static tcp 13000 13000 extendable
ip nat inside source static tcp 14000 14000 extendable
ip nat inside source static tcp 15000 15000 extendable



The users in the branch site that is connected via VPN can reach this server on all TCP ports (RDP, HTTP, etc.) so that's not the issue. When I remove these NAT statements, the VPN users can access the resource via that port (i.e. telnet 13000) whereas they are shut down and the connection fails if the static PAT entries are in there.

I need to have outside users and VPN users be able to access this server whether they are coming in across the VPN going to or coming in from the internet on


Is there a way around this other than forcing the VPN users to access this server via the WAN IP for these ports? And does anyone know the logic behind this? I'm curious. From what I've seen in other cases, this is expected behavior; I'd just like a better understanding of it.


Any help on this would be GREATLY appreciated! Thank you


New Member

I hope I explained this properly. If not, please let me know!


