Cisco 2600 NAT Router servicing VPN clients  - NAT rule breaks VPN access.

Last Modified: 2012-05-05
See the attached config:
NAT works fine and VPN works fine until I add the following NAT statement:
ip nat inside source static tcp 12005 xxx.xxx.xxx.9 12005 extendable
What I need is for this port to be available either from the internet or from the VPN client.  Without the line, the VPN client can access the application, with the line the VPN client cannot access the application but the rest of the world can.  I need both to work.  This has not been a concern for the other ports so I have never noticed this until now.
I've gone over the config a dozen times, but I need a second set of eyes to help me figure this one out.  Thanks so much for any help sent this way!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname ************
logging buffered 16000 debugging
no logging console guaranteed
no logging console
enable secret 5 ***************************************
enable password ***********************
memory-size iomem 25
clock timezone GMT -5
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
aaa authentication login userauthen group radius
aaa authorization network groupauthor local 
aaa session-id common
ip subnet-zero
ip domain name ******************.***
ip name-server xxx.xxx.xxx.104
ip name-server xxx.xxx.xxx.105
ip name-server
ip name-server
ip flow-cache timeout active 1
ip cef
ip audit po max-events 100
username ****************** password 0 ********
username VPN password 0 ****************
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local vpnpool
crypto isakmp client configuration group HCVPN
 key 6DC2CBB3AB466429
 domain ********.***
 pool vpnpool
 acl 110
crypto ipsec transform-set HCset esp-3des esp-sha-hmac 
crypto dynamic-map dynmap 10
 set transform-set HCset 
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address initiate
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap 
interface Ethernet0
 ip address
 ip nat inside
 ip route-cache flow
interface FastEthernet0
 ip address xxx.xxx.xxx.9
 ip nat outside
 ip route-cache flow
 speed auto
 crypto map clientmap
router eigrp 1
ip local pool vpnpool
ip nat inside source route-map nonat interface FastEthernet0 overload
ip nat inside source static tcp 514 xxx.xxx.xxx.9 514 extendable
ip nat inside source static udp 514 xxx.xxx.xxx.9 514 extendable
ip nat inside source static tcp 69 xxx.xxx.xxx.9 69 extendable
ip nat inside source static udp 69 xxx.xxx.xxx.9 69 extendable
ip nat inside source static tcp 8160 xxx.xxx.xxx.9 8160 extendable
ip nat inside source static tcp 5120 xxx.xxx.xxx.9 5120 extendable
ip nat inside source static tcp 12005 xxx.xxx.xxx.9 12005 extendable
ip classless
ip route xxx.xxx.xxx.1
no ip http server
no ip http secure-server
ip flow-export source FastEthernet0
ip flow-export destination xxx.xxx.xxx.122 2055
ip access-list extended Outbound
 permit icmp any any
 permit ip any any
logging history size 500
logging history emergencies
logging xxx.xxx.xxx.122
access-list 110 permit ip any
access-list 150 deny   ip
access-list 150 deny   ip
access-list 150 permit ip any
access-list 150 permit ip any
route-map nonat permit 10
 match ip address 150
snmp-server community WRHadmin7 RW
snmp-server community holland RO
snmp-server enable traps tty
radius-server host auth-port 1645 acct-port 1646 key ********
line con 0
 password ********
line aux 0
line vty 0 4
 password ********
ntp clock-period 17179988
ntp peer xxx.xxx.xxx.1
ntp server xxx.xxx.xxx.104
ntp server xxx.xxx.xxx.105

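The accepted answer is not included on this page, so what follows is an added example, not the poster's configuration and not the page's answer: the diagnostic check and the usual change for this symptom on IOS NAT. All addresses are assumptions (10.10.10.0/24 for the LAN on Ethernet0, 10.10.10.20 for the host listening on TCP 12005, 10.10.20.0/24 for vpnpool, 192.0.2.9 in place of xxx.xxx.xxx.9); substitute the real ones. The reasoning it rests on: the dynamic PAT entry is conditioned on route-map nonat, whose ACL 150 denies LAN-to-vpnpool traffic, so replies to VPN clients normally leave untranslated and are encrypted with their real inside source address. A static entry has no such condition and takes precedence over the dynamic one, so every reply from the application socket is rewritten to the outside address before the crypto map sees it, and a VPN client that connected to the inside address discards the mismatched SYN/ACK.

```cisco
! Added example, not the poster's configuration. All addresses are assumed placeholders:
!   10.10.10.0/24 = inside LAN on Ethernet0
!   10.10.10.20   = host running the application on TCP 12005
!   10.10.20.0/24 = VPN client pool (vpnpool)
!   192.0.2.9     = router's public address (the page's xxx.xxx.xxx.9)
!
! 1. Confirm the mechanism. From a VPN client, open a connection to 10.10.10.20:12005,
!    then look for a translation whose inside global is the public address and whose
!    outside address is the VPN client. Its presence means the reply was translated
!    before encryption, which is why the client never completes the handshake.
show ip nat translations | include 12005
!    For a packet-by-packet view while reproducing (noisy on a 2600, keep it short):
debug ip nat detailed
undebug all
!
! 2. The posted entry: unconditional, so it also rewrites replies to the VPN pool.
ip nat inside source static tcp 10.10.10.20 12005 192.0.2.9 12005 extendable
!
! 3. Replace it with an entry conditioned on the same route-map that already exempts
!    LAN-to-VPN traffic from the dynamic PAT. Internet clients still reach
!    192.0.2.9:12005; replies to 10.10.20.0/24 leave untranslated and match
!    crypto ACL 110 exactly as they do without the static entry.
no ip nat inside source static tcp 10.10.10.20 12005 192.0.2.9 12005 extendable
ip nat inside source static tcp 10.10.10.20 12005 192.0.2.9 12005 route-map nonat extendable
!
!    The exemption only helps if ACL 150 really denies LAN->pool (the page's ACL 150
!    lines are redacted); assumed equivalents of what the route-map needs:
access-list 150 deny   ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 150 permit ip 10.10.10.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 150
!
! 4. Clear stale translations and re-test from a VPN client and from the Internet:
clear ip nat translation *
show ip nat translations | include 12005
```

Test from the Internet side as well as from a VPN client after the change: on some IOS releases a route-map-conditioned static entry only creates translations for inside-initiated sessions and needs the `reversible` keyword for outside-initiated ones, so if Internet clients stop connecting, check whether the running 12.3 release accepts that keyword on the static entry. If the application can be pointed at the public address instead, VPN clients connecting to 192.0.2.9:12005 is a workaround that needs no configuration change, since the extendable static entry translates that flow symmetrically in both directions; that is the expected behaviour of an extendable static entry, not something the page verifies.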