Remote access VPN / NAT Problem

Hi Networkers,

Could someone advise what could be wrong.

Here is a scenario:

1. S0/0 is on the Internet (IP address A.B.C.D)

2. F0/0 is on LAN with IP On same subnet is mail server with IP

3. S0/0 is outside NAT interface and F0/0 is inside NAT interface. The S0/0 interface has static NAT redirection so that Internet users can send mail to exchange mail server

4. I configured a remote access vpn which is working for all protocols (ICMP, remote desktop, etc). The problem is connected VPN client PC cannot connect to mail server using outlook with the the static NAT port redirection there on router (IP NAT INSIDE SOURCE STATIC TCP 25 A.B.C.D 25).

5. When i remove this command (above) from router, VPN client PC connects to mail server at port 25 without a problem. Of-course, this would mean mail server will NOT receive mail hence the NAT static translation has to be there. Kindly advise workaround so that Internet users that connect via VPN can see all corporate LAN resources including the mail server

Here is pertinent configuration of the above



aaa new-model



aaa authentication login AUTHENTICATION local

aaa authorization network AUTHORIZATION local




no ip domain lookup


!!Below is the domain (not actual domain).

ip domain name


!Credentials for VPN user authentication

username user1 password user1



crypto isakmp policy 1

encr 3des

authentication pre-share

group 2


crypto isakmp client configuration group user1

key user1

pool vpn_users

acl 100





crypto ipsec transform-set vpn_transform esp-3des esp-sha-hmac


crypto dynamic-map DYNMAP 1

set transform-set vpn_transform



crypto map MAP client authentication list AUTHENTICATION

crypto map MAP isakmp authorization list AUTHORIZATION

crypto map MAP client configuration address respond

crypto map MAP 65535 ipsec-isakmp dynamic DYNMAP



interface FastEthernet0/0

encapsulation dot1Q 1 native

description LAN-Interface

ip address

ip nat inside



interface serial0/0

description WAN-Interface

ip address A.B.C.D

ip nat outside

crypto map MAP


!VPN users address pool

ip local pool vpn_users


!NOTE A.B.C.D is the WAN Internet IP address


ip nat inside source route-map NAT interface s0/0 overload

ip nat inside source static tcp 25 A.B.C.D 25 extendable



access-list 100 per ip any


!NAT access-list

access-list 101 deny ip

access-list 101 permit ip any


route-map NAT permit 1

match ip address 101



Do please take note that remote desktop, ICMP are all working okay (PC with VPN client can see corporate office LAN resources except mail server). The problem is only for services that are undergoing port redirection with an outside static NAT translation (ip nat inside source static) on the gateway router

Kindly help/advise??

Thank you


Sign In or Register to comment.