Showing results for 
Search instead for 
Did you mean: 

Static NAT not working with EZVPN Server

Level 1
Level 1

I have configured an EZVPN Server on a router and everything seems to work fine with the exception of static NAT.

I am using a static IP address to access a web camera and want this to be publically accessable so I have configured a static NAT statement like this:

ip nat inside source static tcp 80 interface Dialer1 8080

This line should convert any IP address arriving at the (dynamically addressed) dialer 1 interface with a TCP Port of 8080 to address with a TCP Port of 80 but it does not work.

Furthermore I cannot access the web camera using a local address on a VPN Client using port 80 but if I remove the line from the configuration then it works from the VPN Client but obviously not from the Internet.

Is this a limitation of running a VPN Server on a router that is assigned an ip address dynamically.

Does anyone have any idea on how to run a VPN Server and static NAT at the same time?

Router config attached.

Thanks in advance

4 Replies 4

Cisco Employee
Cisco Employee

On the static PAT, you need a route-map configured similar to how you have it for the PAT you have. For the VPN, what will happen is that the traffic will get statically PAT'd back to 8080, based on the line that you have.

Also, I am assuming that is pointing to the router as its default gateway.


PS. If you found this post helpful, please rate it.

Thanks for the quick reply. I did try that before but it will not let me create a route-map with an interface command.

I think I need to enter a command like this:

ip nat inside source static interface dialer 1 route-map TEST

But there is no option for a route-map after using an interface for the inside global.

Yes that is correct, the camera has a default-gateway of

Thats right. It won't allow you put in the route-map with the interface command - only if you use IP. Is it possible to try that, and see if that allows it to work? Using the current IP you have?

Level 1
Level 1

I've looked at using a route map and come up with this, does it look correct? I haven't tried it yet because the last attempt at a route-map locked me out of the router from the internet and I forgort to do a scheduled reload before I configured it.

The ISP address always starts with 79.x.x.x and the camera is on

ip nat inside source route-map TEST interface dialer 1

route-map TEST permit 10

match ip address 113

set ip next-hop

access-list 113 permit tcp -eq 80 any

Will I also have to configure a routemap for UDP Port 4500 so that the VPN Client works?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: