Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member


Alright, I know this question has been asked half a dozen times, but I want to throw another variable into play.

I have a Cisco 881 with a DHCP address on the WAN. The IP is static assigned to my MAC by the provider but my device has to be DHCP to get it.

So I only have 1 ip address allocated on this link.

I also have an IPSec site to site VPN tunnel on the 881 to a remote datacenter.

All of this if working normally. 


I have a Fonality phone system behind the 881 that needs UDP ports 10000-60000 NATed to it.

Ive used the below config and the UDP port forward works just fine. 



ip access-list extended UDP-RTP
 permit udp any host range 10001 60000

route-map VOIP-RTP permit 10
 match ip address UDP-RTP

ip nat inside source static X.X.X.X route-map VOIP-RTP


If you notice on the last command that you are not allowed to use a route-map on an interface so I had to type in the WAN ip address. 

With this config in place, the UDP ports forward and the RTP streams work great! However, when my tunnel goes to renegotiate or refresh, no go. It wont come back up. Further, my SSL VPN Client (not critical) on port 4343 doesnt connect either. 

So in essence, the UDP port forward breaks my IPSec tunnel.

Ive already requested more IPs to accommodate the Fonality because thats the right way, but itll take a few days to get em.

In the meantime, is there a way to do this?


Thank you 

Jason Ryan

Everyone's tags (1)