Re: IPSEC Tunnel only works one way

Gisueppe, Rick,


This is resolved.  It was as simple as changing the port.


Forgive the late reply, but I was awaiting the vendor side to make a firewall change on their side and then test the connection and confirm.


The takeaways here are:


1) I never stated at any point that the vendor was telnetting to port 30001 -- this was a critical piece of information I omitted.


2) I had the idea that NAT port forwarding was concerned only with inbound connections, and only relevant to anything targeting the outside IP and port.  My assumption was that since they were targeting, the static NAT entry ip nat inside source static tcp 30001 30001 extendable would be ignored.  This turned out not to be the case for outbound traffic from inside to outside interface.


3) as Rick stated:

- packet capture on Gig0/0/0 should not see any traffic with your host source address or the telnet remote address. At the interface the telnet would be inside an encrypted ESP packet. I think packet capture on the vlan would be more productive.

This, while true, was still helpful and revealing.  That we DID see traffic where we should NOT was a good indicator of where the problem was.


4) sh ip nat trans was similarly very useful, in that we should NOT have had entries for, but we did.


Thanks very much to you both for taking the time to look at my configs and provide lots of expert insight.

Re: IPSEC Tunnel only works one way

Hello James,

It was a very interesting issue.

I am happy we have found the only possible reason for the strange behaviour.

The show ip nat translations was the key to understanding that the other side was attempting to telnet to port 30001 on and to explaining the out-of-VPN packets.


Best Regards



