
Static public to private route not returning to source

Hello all,

First thing is my apology for making this so long but wanted to cover all the bases.

I currently use a Cisco 1800 router for VPN to my vendor. The vendor initiates the tunnel using interesting traffic with a specific port. This is where it gets confusing. They establish the tunnel from their peer IP to my outside FE0/1 interface by sending a packet to second public IP. I use static routing that maps the second public IP to the private IP of my host server (runs a communication application) through my FE0/0 interface.

When we test, both phases of the tunnel come up and I see where the second public IP is translated. My application accepts the connection through the port. The issue is when my application tries to send the acknowledgement back it fails. It's as though the app doesn't know how to get the response back to the router and out the VPN tunnel. My vendor sees the application start, then it immediately terminates. I'm not sure if the problem is with my router configuration or something on their end. The problem is not VPN related but something with routing.

Application Server IP -

FE0/0 -

FE0/1 -

Vendor VPN Peer IP -

Vendor Host IP -

My Host IP -

Here is a brief excerpt from my config

First the interfaces:

interface FastEthernet0/0
 ip address
 ip nat inside
interface FastEthernet0/1
 ip address
 ip access-group 101 in
 ip access-group 102 out
 ip nat outside
 crypto map xxx

My Crypto Map

crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 5
 lifetime 28800
crypto isakmp key xxx address
crypto ipsec transform-set VPN esp-aes 256 esp-sha-hmac
crypto map xxx 1 ipsec-isakmp
 description Encrypted Tunnel to
 set peer
 set transform-set VPN
 match address 100

The access-list:

access-list 100 remark Traffic through VPN Tunnel
access-list 100 permit tcp host host
access-list 101 remark Allowed Traffic IN FE/1
access-list 101 permit tcp host any
access-list 101 permit ip host any
access-list 102 remark Allowed Traffic OUT FE/1
access-list 102 permit tcp any host
access-list 102 permit ip any host
access-list 103 remark Route-Map NoNat Allowed Traffic
access-list 103 deny   ip host host 206.x.x.x
access-list 103 permit tcp host any
access-list 103 permit tcp host any
route-map nonat permit 10
 match ip address 103

The Static routes:

ip classless
ip route (This is my default gateway from my ISP)
ip route
ip route

My NAT commands:

ip nat inside source route-map nonat interface FastEthernet0/1 overload
ip nat inside source static tcp 1234 1234 extendable


Appreciate any help here. Am I doing something wrong or trying to find a needle in a haystack?
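The post redacts every address, so nobody reading it can tell which side the return path breaks on. One check that is worth doing before touching the vendor is to walk the reply packet through the Cisco IOS order of operations by hand: for inside-to-outside traffic IOS does the route lookup, then the inside-local to inside-global NAT translation, and only then evaluates the crypto map ACL (here `access-list 100`) against the already-translated packet. The crypto ACL therefore has to name the second public IP, not the server's private address, or the reply is never selected for encryption. The following is an added toy model of that pipeline, not code from the post or from Cisco; all addresses (192.168.10.20, 203.0.113.20, 198.51.100.50) are constructed placeholders, the static translation mirrors the `ip nat inside source static tcp ... 1234 1234 extendable` line, and the dynamic `nonat` route-map is left out because a static entry wins over it anyway.

```python
"""Toy model of the IOS NAT + crypto-map order of operations.

Added illustration with constructed addresses; it is not the poster's
configuration, and it only models the ordering (NAT before crypto ACL on
inside-to-outside, crypto before NAT on outside-to-inside).
"""
from dataclasses import dataclass, replace

# Constructed placeholder addresses (the original post redacts its own).
APP_SERVER_PRIVATE = "192.168.10.20"   # inside local  (behind FE0/0)
SECOND_PUBLIC_IP = "203.0.113.20"      # inside global (static NAT address)
VENDOR_HOST = "198.51.100.50"          # vendor's host on the far side of the tunnel
SERVICE_PORT = 1234                    # the port in the static NAT statement

# (inside local, proto, port) -> inside global, mirroring
# "ip nat inside source static tcp <local> 1234 <global> 1234 extendable"
STATIC_NAT = {(APP_SERVER_PRIVATE, "tcp", SERVICE_PORT): SECOND_PUBLIC_IP}
REVERSE_NAT = {(g, p, port): l for (l, p, port), g in STATIC_NAT.items()}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Ace:
    """One extended ACL entry with host/any matching, like the post's ACLs."""
    action: str  # "permit" or "deny"
    proto: str   # "ip" or "tcp"
    src: str     # host address or "any"
    dst: str     # host address or "any"


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    proto_ok = ace.proto == "ip" or ace.proto == pkt.proto
    return proto_ok and ace.src in ("any", pkt.src) and ace.dst in ("any", pkt.dst)


def acl_permits(acl: list, pkt: Packet) -> bool:
    """First matching entry wins; implicit deny at the end, as in IOS."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action == "permit"
    return False


def outside_to_inside(pkt: Packet) -> Packet:
    """Vendor -> second public IP: after decryption IOS translates the
    destination from inside global to inside local, then routes to FE0/0."""
    key = (pkt.dst, pkt.proto, pkt.dport)
    return replace(pkt, dst=REVERSE_NAT[key]) if key in REVERSE_NAT else pkt


def inside_to_outside(pkt: Packet, crypto_acl: list):
    """Server reply: IOS translates the source inside local -> inside global
    FIRST, then evaluates the crypto map ACL against the translated packet."""
    key = (pkt.src, pkt.proto, pkt.sport)
    if key in STATIC_NAT:
        pkt = replace(pkt, src=STATIC_NAT[key])
    return pkt, acl_permits(crypto_acl, pkt)


def round_trip(crypto_acl: list):
    """Returns (source the server sees, reply source on the wire, reply encrypted?)."""
    inbound = Packet(VENDOR_HOST, SECOND_PUBLIC_IP, "tcp", 40000, SERVICE_PORT)
    to_server = outside_to_inside(inbound)
    reply = Packet(to_server.dst, to_server.src, "tcp", SERVICE_PORT, 40000)
    on_wire, encrypted = inside_to_outside(reply, crypto_acl)
    return to_server.src, on_wire.src, encrypted


# Crypto ACL 100 written against the post-NAT public address: reply is encrypted.
ACL_PUBLIC = [Ace("permit", "tcp", SECOND_PUBLIC_IP, VENDOR_HOST)]
# Same ACL written against the private address: never matches after translation.
ACL_PRIVATE = [Ace("permit", "tcp", APP_SERVER_PRIVATE, VENDOR_HOST)]

if __name__ == "__main__":
    for name, acl in (("public", ACL_PUBLIC), ("private", ACL_PRIVATE)):
        print(f"crypto ACL on {name} address -> {round_trip(acl)}")
```

Running it shows the reply leaving with the second public IP as its source in both cases; only the ACL written against that public address selects it for the tunnel. The same ordering argument applies to the `route-map nonat` deny entry in ACL 103 and to the outbound `access-group 102`, which also see the translated source.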



