I have a Cisco 1841 router.

I need to open PPTP (1723) and RDC (3389) so that I can access my servers from the outside.  I tried adding some NAT and ACL rules but it did not work.  This router is also connected to another office with a VPN which I think complicates the issue.

Should I create a new ACL or add some lines to an existing one?

I only have 1 public IP address and all other computers on my LAN use that IP through NAT.

I want to open PPTP to 192.168.33.33 on the LAN side.

I want to open RDC to 192.168.33.34 on the LAN side.

My configuration follows.

Current configuration : 11683 bytes
!
version 12.4
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service sequence-numbers
!
hostname CCP-SF-1841RTR
!
boot-start-marker
boot-end-marker
!
logging buffered 214000
logging console critical
enable secret 5 $1$okzM$n4wbn
enable password 0p3
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
dot11 syslog
no ip cef
!
!
!
!
ip domain name yourdomain.com
ip name-server 66.106.1.196
ip name-server 66.106.7.196
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-3401555634
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3401555634
revocation-check none
rsakeypair TP-self-signed-3401555634
!
!
crypto pki certificate chain TP-self-signed-3401555634
certificate self-signed 01
  30820255 308201BE A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33343031 36303536 3334301E 170D3130 30323139 32323136
  30315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65557469 66696361 74652D33 34303136
  30353633 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100A4E4 C14C23CA FB6806EB 11519999 A7B58452 A66A67B9 D6C598E8 C26AEEDC
  DC20FEBF D97D5A32 11417F1E CCED11F1 284222E7 82AFA528 D57B50F2 70F79FF4
  917CD76C C24F0AB1 75FCC237 FD74F185 63F819C6 D8CAF0F6 D7A77FF6 C5397025
  309984A8 D782ACCE 69693832 FABE8B4A F78AEFE4 8A01EB34 67B8566D 4336A47E
  124F0203 010001A3 7D307B30 0F055355 1D130101 FF040530 030101FF 30280603
  551D1104 21301F82 1D434350 2D53462D 31383431 5254522E 796F7572 646F6D61
  696E2E63 6F6D301F 0603551D 23041830 1680149E 829E00CF 770E62C9 72005418
  5D4FF28D 6EEF7A30 1D060355 1D0E0416 04149E82 9E00CF77 0E62C972 0054185D
  4FF28D6E EF7A300D 06092A86 4886F70D 01010405 00038181 008D7B36 5906512F
  CDC56866 AB20F03C 0CE77235 7D68CFE4 087B8D59 3F9EB87F 4C48637C C4537912
  D4EAAF48 7D7C0D97 FEE28901 505B311F 16F82BF8 7A1DBF8B A65B3435 CB7452CE
  CD8D4AA1 30F476EA 1DF8AC7D 23F06260 95DB3CF9 F76EA562 4CFE9473 131AB895
  FDEB870E 4CC762CD 09E74698 E2592CCD 07518E19 45590530 90
        quit
!
!
username admin privilege 15 secret 5 $1$P
username pcppro privilege 15 secret 5 $1$O
username padmin privilege 15 secret 5 $1$.
archive
log config
  hidekeys
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key 6 3mb0 address 206.55.21.178 no-xauth
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map vpnmap 10 ipsec-isakmp
set peer 206.55.21.178
set transform-set ESP-3DES-SHA
match address 111
!
!
!
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 104
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any sdm-cls-access
match class-map SDM_HTTPS
match class-map SDM_SSH
match class-map SDM_SHELL
class-map type inspect match-all sdm-nat-http-1
match access-group 106
match protocol http
class-map type inspect match-all sdm-nat-smtp-1
match access-group 105
match protocol smtp
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any SDM_WEBVPN
match access-group name SDM_WEBVPN
class-map type inspect match-all SDM_WEBVPN_TRAFFIC
match class-map SDM_WEBVPN
match access-group 108
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
match access-group 103
match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any SDM-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-access
match class-map sdm-cls-access
match access-group 102
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
match access-group 101
class-map type inspect match-all sdm-protocol-http
match protocol http
class-map type inspect match-all sdm-nat-https-1
match access-group 107
match protocol https
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
  inspect
class class-default
  pass
policy-map type inspect sdm-pol-VPNOutsideToInside-1
class type inspect sdm-cls-VPNOutsideToInside-1
  inspect
class type inspect sdm-nat-smtp-1
  inspect
class type inspect sdm-nat-http-1
  inspect
class type inspect sdm-nat-https-1
  inspect
class class-default
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
  drop log
class type inspect sdm-insp-traffic
  inspect
class type inspect sdm-protocol-http
  inspect
class type inspect SDM-Voice-permit
  inspect
class class-default
  pass
policy-map type inspect sdm-permit
class type inspect SDM_WEBVPN_TRAFFIC
  inspect
class type inspect SDM_VPN_PT
  pass
class type inspect sdm-access
  inspect
class class-default
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zo
ne
service-policy type inspect sdm-pol-VPNOutsideToInside-1
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
!
!
!
interface FastEthernet0/0
description SF Office Outside Interface$ETH-WAN$$FW_OUTSIDE$
ip address 206.156.82.102 255.255.255.252
ip nat outside
ip virtual-reassembly
zone-member security out-zone
speed 100
full-duplex
crypto map vpnmap
!
interface FastEthernet0/1
description SF Office Inside Interface$ES_LAN$$FW_INSIDE$
ip address 192.168.33.153 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
speed auto
full-duplex
!
ip local pool vpnpool1 67.110.245.1 67.110.245.2
ip local pool VPNClientPool 172.16.3.1 172.16.3.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 206.156.82.101
ip route 10.10.10.0 255.255.255.0 FastEthernet0/0
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
ip nat inside source static 192.168.33.200 67.10.245.11 route-map MAILSERVER
!
ip access-list extended SDM_AH
remark SDM_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark SDM_ACL Category=1
permit esp any any
ip access-list extended SDM_HTTPS
remark SDM_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark SDM_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark SDM_ACL Category=1
permit tcp any any eq 22
ip access-list extended SDM_WEBVPN
remark SDM_ACL Category=1
permit tcp any any eq 443
!
no logging trap
access-list 100 deny   ip 192.168.33.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 100 permit ip 192.168.33.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip 206.156.82.100 0.0.0.3 any
access-list 102 remark SDM_ACL Category=128
access-list 102 permit ip 63.192.6.0 0.0.1.255 any
access-list 103 remark SDM_ACL Category=128
access-list 103 permit ip host 216.55.21.178 any
access-list 104 remark SDM_ACL Category=0
access-list 104 permit ip 10.10.10.0 0.0.0.255 192.168.33.0 0.0.0.255
access-list 105 remark SDM_ACL Category=0
access-list 105 permit ip any host 192.168.33.200
access-list 106 remark SDM_ACL Category=0
access-list 106 permit ip any host 192.168.33.200
access-list 107 remark SDM_ACL Category=0
access-list 107 permit ip any host 192.168.33.200
access-list 108 remark SDM_ACL Category=128
access-list 108 permit ip any host 206.156.82.102
access-list 110 deny   ip host 192.168.33.200 10.10.10.0 0.0.0.255
access-list 110 permit ip host 192.168.33.200 any
access-list 111 permit ip 192.168.33.0 0.0.0.255 10.10.10.0 0.0.0.255
!
!
route-map MAILSERVER permit 10
match ip address 110
!
!
route-map SDM_RMAP_1 permit 1
match ip address 100
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
password ***
transport input telnet ssh
line vty 5 15
privilege level 15
password ***
transport input telnet ssh
!
scheduler allocate 4000 1000
!
webvpn install svc flash:/webvpn/svc.pkg
end