05-01-2015 07:08 AM - edited 03-05-2019 01:23 AM
Hi.
My customer has a Cisco2921/K9 router running c2900-universalk9-mz.SPA.151-4.M3.bin.
In the configuration I have configured static GRE/IPSEC tunnels and Dynamic VPN connections.
The dynamic VPN location needs RDP (port 3389) to 3 servers on the inside (192.168.100.32, 192.168.100.34 and 192.168.100.35).
It works as expected until the customer needs a static extended NAT from outside (no VPN) allowing RDP from an external vendor to the same inside addresses as the dynamic VPN uses.
When configuring the following NAT statements, RDP from the customer using the dynamic tunnels (no-nat) stops working for .32 and .35.
RDP to 192.168.10.34 is still working through the tunnel. If I delete the first line again, RDP to .34 works again.
ip nat inside source static tcp 192.168.100.35 3389 87.47.135.123 3389 extendable
ip nat inside source static tcp 192.168.100.32 3389 87.47.135.123 5450 extendable
It seems that the dynamic VPN in some way conflicts with the Static NAT statement?
Is this a bug, or is it supposed to work this way? Workaround?
Regards
05-01-2015 03:37 PM
Change the static NAT rule to use a route-map:
ip access-list extended static
 deny ip host 192.168.100.35 remote_network 0.0.0.255
 permit ip host 192.168.100.35 any
route-map static-port permit
 match ip address static
ip nat inside source static tcp 192.168.100.35 3389 87.47.135.123 3389 route-map static-port
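The route-map in the answer above depends on first-match ACL evaluation: replies from the server to the VPN subnet hit the deny entry and keep their inside address, while replies to any other destination are translated. The Python sketch below is an added example, not part of the original answer; it models that evaluation, and 10.20.30.0 and the sample peer addresses are constructed stand-ins for the "remote_network" placeholder.

```python
import ipaddress

# Constructed stand-in for the answer's "remote_network" placeholder
# (the subnet behind the dynamic VPN tunnels).
REMOTE_NETWORK = "10.20.30.0"

# The ACL "static" from the answer: (action, source host, dest base, dest wildcard).
ACL_STATIC = [
    ("deny", "192.168.100.35", REMOTE_NETWORK, "0.0.0.255"),
    ("permit", "192.168.100.35", "0.0.0.0", "255.255.255.255"),  # "any"
]

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: bits set in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def acl_action(acl, src, dst):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, host, base, wildcard in acl:
        if src == host and wildcard_match(dst, base, wildcard):
            return action
    return "deny"

def nat_decision(acl, src, dst):
    """The static NAT applies only to flows the route-map's ACL permits."""
    return "translate" if acl_action(acl, src, dst) == "permit" else "no-nat"

def demo():
    # Constructed reply flows from the inside servers (source) to a peer (destination).
    flows = [
        ("192.168.100.35", "10.20.30.17"),   # reply to a VPN client
        ("192.168.100.35", "203.0.113.50"),  # reply to the external vendor
        ("192.168.100.32", "203.0.113.50"),  # host this ACL does not list
    ]
    return [(s, d, nat_decision(ACL_STATIC, s, d)) for s, d in flows]

if __name__ == "__main__":
    for src, dst, verdict in demo():
        print(f"{src} -> {dst}: {verdict}")
    # Swapping the entries makes the permit shadow the deny.
    swapped = list(reversed(ACL_STATIC))
    print("swapped order:", nat_decision(swapped, "192.168.100.35", "10.20.30.17"))
```

The third flow shows that the ACL as posted lists only 192.168.100.35; the .32 mapping needs equivalent deny/permit entries before it gets the same exemption.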