
Traffic Forwarding Issue

Hello ALL,

I have a VPN Concentrator behind my Cisco 2621xm router. The public interface IP on my concentrator is I can connect using the Cisco VPN client when I issue my computer a 10.100.1.X IP address in the same subnet as the concentrator public interface IP; however, I cannot connect to my concentrator when I am on the public internet. The outside interface IP for the router is 24.99.x.x the inside interface IP for the router is which this interface is plugged into the same switch as my Concentrator public interface. What ports do I need open to forward the traffic from my outside 24.99.x.x address from the internet to the address for the VPN Concentrator to allow my client software to connect to the concentrator? Do I need to configure some kind of NAT address on the router to make this work?


Re: Traffic Forwarding Issue

You can try the following:

ip nat inside source static udp 500 24.99.x.x 500 extendable

ip nat inside source static udp 4500 24.99.x.x 4500 extendable

ip nat inside source static tcp 10000 24.99.x.x 10000 extendable

If you have an acl on the outside interface, you'll need to allow it through:

access-list 110 permit udp any host 24.99.x.x eq 500

access-list 110 permit udp any host 24.99.x.x eq 4500

access-list 110 permit tcp any host 24.99.x.x eq 10000

You may not need 10000, but just in case your UDP doesn't work, you can use ipsec over tcp which uses 10000 by default. It depends on what your concentrator is using too though.

I also found this on Cisco's FAQ, but I couldn't get a direct link:

Q. If I place my VPN 3000 Concentrator behind a firewall or router running access control lists, which ports and protocols do I need to allow through?

A. This chart lists ports and protocols.

Service                        Protocol Number   Source Port       Destination Port
PPTP Control Connection        6 (TCP)           1023              1723
PPTP Tunnel Encapsulation      47 (GRE)          N/A               N/A
ISAKMP/IPSec Key Management    17 (UDP)          500               500
IPSec Tunnel Encapsulation     50 (ESP)          N/A               N/A
IPSec NAT Transparency         17 (UDP)          10000 (default)   10000 (default)



HTH, John *** Please rate all useful posts ***
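
An added example, not part of the original reply or of Cisco's documentation: a small Python check that every static port forward of the kind shown above has a matching permit in ACL 110, and that the three ports from the reply are actually forwarded. The config text and the addresses 10.100.1.5 (concentrator) and 203.0.113.10 (router outside address) are constructed placeholders, and only the `any host <ip> eq <port>` ACL form is parsed.

```python
import re

# Ports the reply forwards to the concentrator: IKE, NAT-T, IPsec over TCP.
EXPECTED = {("udp", 500), ("udp", 4500), ("tcp", 10000)}

# Constructed sample config. 10.100.1.5 (concentrator) and 203.0.113.10
# (router outside address) are placeholders, not values from the thread.
# The UDP 4500 permit is left out on purpose.
SAMPLE_CONFIG = """\
ip nat inside source static udp 10.100.1.5 500 203.0.113.10 500 extendable
ip nat inside source static udp 10.100.1.5 4500 203.0.113.10 4500 extendable
ip nat inside source static tcp 10.100.1.5 10000 203.0.113.10 10000 extendable
access-list 110 permit udp any host 203.0.113.10 eq 500
access-list 110 permit tcp any host 203.0.113.10 eq 10000
access-list 110 permit tcp any host 203.0.113.10 eq 1723
"""

NAT_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)", re.M)
ACL_RE = re.compile(
    r"^access-list (\d+) permit (tcp|udp) any host (\S+) eq (\d+)", re.M)


def parse_forwards(config):
    """Map (proto, global_ip, global_port) -> (local_ip, local_port)."""
    return {(proto, gip, int(gport)): (lip, int(lport))
            for proto, lip, lport, gip, gport in NAT_RE.findall(config)}


def parse_permits(config, acl):
    """Set of (proto, dest_ip, dest_port) permitted by the numbered ACL."""
    return {(proto, ip, int(port))
            for num, proto, ip, port in ACL_RE.findall(config) if num == acl}


def audit(config, acl="110"):
    """Compare static port forwards with the inbound ACL on the outside interface."""
    forwards = parse_forwards(config)
    permits = parse_permits(config, acl)
    return {
        # Forwarded by NAT but dropped by the ACL's implicit deny.
        "blocked": sorted(k for k in forwards if k not in permits),
        # Permitted inbound although no static NAT entry uses the port.
        "unforwarded": sorted(permits - set(forwards)),
        # Expected VPN ports with no static NAT entry at all.
        "missing": sorted(EXPECTED - {(p, port) for p, _, port in forwards}),
    }


if __name__ == "__main__":
    for finding, items in audit(SAMPLE_CONFIG).items():
        print(finding, items)
```

On the sample, the UDP 4500 forward is reported as blocked and the TCP 1723 permit as having no forward behind it.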

Re: Traffic Forwarding Issue

What is extendable for in the nat statement?

Re: Traffic Forwarding Issue

It translates the port along with the ip address. (At least that's my understanding.) You can take the extendable keyword off and see if it still works.


It also allows for multiple global addresses to map to a single local address.



HTH, John *** Please rate all useful posts ***