cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
682
Views
0
Helpful
4
Replies

Static NAT not working with EZVPN Server

chris-hart
Level 1
Level 1

I have configured an EZVPN Server on a router and everything seems to work fine with the exception of static NAT.

I am using a static IP address to access a web camera and want this to be publically accessable so I have configured a static NAT statement like this:

ip nat inside source static tcp 192.168.100.10 80 interface Dialer1 8080

This line should convert any IP address arriving at the (dynamically addressed) dialer 1 interface with a TCP Port of 8080 to address 192.168.100.10 with a TCP Port of 80 but it does not work.

Furthermore I cannot access the web camera using a local address on a VPN Client using port 80 but if I remove the line from the configuration then it works from the VPN Client but obviously not from the Internet.

Is this a limitation of running a VPN Server on a router that is assigned an ip address dynamically.

Does anyone have any idea on how to run a VPN Server and static NAT at the same time?

Router config attached.

Thanks in advance

4 Replies 4

auraza
Cisco Employee
Cisco Employee

On the static PAT, you need a route-map configured similar to how you have it for the PAT you have. For the VPN, what will happen is that the traffic will get statically PAT'd back to 8080, based on the line that you have.

Also, I am assuming that 192.68.100.10 is pointing to the router as its default gateway.

-aun.

PS. If you found this post helpful, please rate it.

Thanks for the quick reply. I did try that before but it will not let me create a route-map with an interface command.

I think I need to enter a command like this:

ip nat inside source static 192.168.100.10 interface dialer 1 route-map TEST

But there is no option for a route-map after using an interface for the inside global.

Yes that is correct, the camera has a default-gateway of 192.168.100.254.

Thats right. It won't allow you put in the route-map with the interface command - only if you use IP. Is it possible to try that, and see if that allows it to work? Using the current IP you have?

chris-hart
Level 1
Level 1

I've looked at using a route map and come up with this, does it look correct? I haven't tried it yet because the last attempt at a route-map locked me out of the router from the internet and I forgort to do a scheduled reload before I configured it.

The ISP address always starts with 79.x.x.x and the camera is on 192.168.100.10

ip nat inside source route-map TEST interface dialer 1

route-map TEST permit 10

match ip address 113

set ip next-hop 192.168.100.10

access-list 113 permit tcp 79.0.0.0 0.255.255.255 -eq 80 any

Will I also have to configure a routemap for UDP Port 4500 so that the VPN Client works?