RDP over VPN not working after NAT rule applied

davorin
Level 1

Hello,

Some time ago I inherited support of a Cisco C892FSP-K9 router running IOS 15.3(3)M4.

The configuration is not very complex: a LAN and a separate Wi-Fi network on the inside, one site-to-site VPN, and a couple of users connecting to the LAN (mostly for RDP to a terminal server (TS)) using the Cisco VPN client.

Then I was asked to configure an additional NAT rule for accessing the terminal server from outside without a VPN client.

But the moment the rule "ip nat inside source static tcp 192.168.0.22 3389 interface GigabitEthernet9 3391" is applied, RDP access to the TS over any VPN stops working.

Can someone please give me a hand with this problem?

I am posting a part of configuration that could matter in this case. Some addresses are changed.

If you need some other info please let me know.

Thank you for your help!

crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key aaaaaaaaaaa address 1.2.3.4 no-xauth
crypto isakmp client configuration address-pool local vpn-client1-pool
!
crypto isakmp client configuration group group100
key aaaaaaaa
pool vpn-client1-pool
acl 150
!
crypto isakmp client configuration group group101
key aaaaaaaa
pool vpn-client2-pool
acl 151
!
crypto ipsec transform-set proposal1 esp-3des esp-md5-hmac
mode tunnel
crypto ipsec transform-set vpnclset1 esp-3des esp-md5-hmac
mode tunnel
!
crypto dynamic-map vpncldyn 10
set transform-set vpnclset1
!
crypto map m1 client authentication list userauthen
crypto map m1 isakmp authorization list groupauthor
crypto map m1 client configuration address respond
crypto map m1 1 ipsec-isakmp
set peer 1.2.3.4
set transform-set proposal1
match address vpn-sitetosite
crypto map m1 10 ipsec-isakmp dynamic vpncldyn
ip nat inside source list nat interface GigabitEthernet9 overload
ip nat inside source static tcp 192.168.0.26 6500 interface GigabitEthernet9 6500
ip nat inside source static tcp 192.168.0.22 3389 interface GigabitEthernet9 3391


ip access-list extended nat
deny ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
deny ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
deny ip 192.168.0.0 0.0.0.255 192.168.101.0 0.0.0.255
permit ip 192.168.0.0 0.0.0.255 any
deny ip host 192.168.0.93 any
permit ip 192.168.15.0 0.0.0.255 any

ip access-list extended vpn-sitetosite
permit ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255

access-list 150 permit ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 151 permit ip 192.168.0.0 0.0.0.255 192.168.101.0 0.0.0.255


16 Replies

johnd2310
Level 8

Hi,

"ip nat inside source static tcp 192.168.0.22 3389 interface GigabitEthernet9 3391"

When users connect to RDP from outside, what port are they connecting to, 3391 or 3389?

 

Thanks

John

**Please rate posts you find helpful**

The outside users (with no VPN) are connecting to public IP address and port 3391.

If the rule is applied, it works for outside users and does not work for VPN users, who connect to the internal IP address 192.168.0.22 on port 3389.

What is the IP address range of your VPN client pools?

ip local pool vpn-client1-pool 192.168.100.1 192.168.100.250
ip local pool vpn-client2-pool 192.168.101.1
For testing I'm using the vpn-client1-pool.
Below I have attached full config.

Hello,

post the full running config of your router...

Thank you for your help.

Here is the full config. I have changed all public IP addresses.

(And I'm aware that ACL OUTSIDE is open for everything...)

C800#sh start
Using 8666 out of 262136 bytes
!
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname C800
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
logging buffered 128000
enable secret 5 aaaaaaaa
!
aaa new-model
!
aaa authentication login default local
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
!
ip dhcp excluded-address 192.168.0.1 192.168.0.254
ip dhcp excluded-address 192.168.15.1 192.168.15.20
!
ip dhcp pool dpool_wifiguest
import all
network 192.168.15.0 255.255.255.0
default-router 192.168.15.254
dns-server 8.8.8.8 8.8.4.4
domain-name domain.com
!
ip domain name domain.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip inspect audit-trail
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
ip inspect name FW imaps
ip inspect name FW imap
ip inspect name FW fragment maximum 256 timeout 1
ip inspect name FW h323
ip inspect name FW realaudio
ip inspect name FW sqlnet
ip inspect name FW vdolive
ip inspect name FW rtsp
ip inspect name FW ftp
ip inspect name FW http
ip inspect name FW https
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
vpdn enable
!
license udi pid C892FSP-K9 sn AAAAAAAAA
!
spanning-tree vlan 1 priority 8192
vtp mode transparent
username admin privilege 15 secret 5 AAAAAAAA
!
ip ssh time-out 60
ip ssh authentication-retries 5
ip ssh version 2
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
lifetime 3600
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
lifetime 84000
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key AAAAAAAA address 1.2.3.4 no-xauth
crypto isakmp client configuration address-pool local vpn-client1-pool
!
crypto isakmp client configuration group group100
key AAAAAAAA
pool vpn-client1-pool
acl 150
!
crypto isakmp client configuration group group101
key AAAAAAAA
pool vpn-client2-pool
acl 151
!
crypto ipsec transform-set proposal1 esp-3des esp-md5-hmac
mode tunnel
crypto ipsec transform-set vpnclset1 esp-3des esp-md5-hmac
mode tunnel
!
crypto dynamic-map vpncldyn 10
set transform-set vpnclset1
!
crypto map m1 client authentication list userauthen
crypto map m1 isakmp authorization list groupauthor
crypto map m1 client configuration address respond
crypto map m1 1 ipsec-isakmp
set peer 1.2.3.4
set transform-set proposal1
match address vpn-sitetosite
crypto map m1 10 ipsec-isakmp dynamic vpncldyn
!
interface GigabitEthernet0
no ip address
load-interval 30
!
interface GigabitEthernet1
no ip address
load-interval 30
!
interface GigabitEthernet2
no ip address
load-interval 30
!
interface GigabitEthernet3
no ip address
load-interval 30
!
interface GigabitEthernet4
no ip address
load-interval 30
!
interface GigabitEthernet5
no ip address
load-interval 30
!
interface GigabitEthernet6
no ip address
load-interval 30
!
interface GigabitEthernet7
switchport access vlan 2
no ip address
load-interval 30
!
interface GigabitEthernet8
description WIFIGUESTS2 ### COMBO RJ-45 in SFP PORT ###
ip address 192.168.15.254 255.255.255.0
ip access-group WIFIGUEST in
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
duplex auto
speed auto
!
interface GigabitEthernet9
description EXTERNAL NAT INTERFACE
ip address 1.1.1.1 255.255.0.0
ip access-group OUTSIDE in
no ip redirects
no ip proxy-arp
ip accounting output-packets
ip nat outside
ip inspect FW out
ip virtual-reassembly in
ip tcp adjust-mss 1452
load-interval 30
duplex auto
speed auto
no cdp enable
crypto map m1
!
interface Vlan1
description INTERNAL LAN
ip address 192.168.0.254 255.255.255.0
ip access-group INSIDE in
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Dialer1
ip address negotiated
ip access-group OUTSIDE in
ip mtu 1442
ip nat outside
ip inspect FW out
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname dialuser
ppp chap password 7 AAAAAAAA
no cdp enable
crypto map m1
!
ip local pool vpn-client1-pool 192.168.100.1 192.168.100.250
ip local pool vpn-client2-pool 192.168.101.1
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip flow-top-talkers
top 10
sort-by bytes
cache-timeout 3600000
!
ip nat inside source list nat interface GigabitEthernet9 overload
ip nat inside source static tcp 192.168.0.26 6500 interface GigabitEthernet9 6500
ip nat inside source static tcp 192.168.0.22 3389 interface GigabitEthernet9 3391
ip nat inside source static tcp 192.168.0.27 3389 interface GigabitEthernet9 3392
ip nat inside source static tcp 192.168.0.26 7047 interface GigabitEthernet9 7047
ip nat inside source static tcp 192.168.0.26 7048 interface GigabitEthernet9 7048
ip route 0.0.0.0 0.0.0.0 1.1.1.254
ip route 0.0.0.0 0.0.0.0 Dialer1 10
!
ip access-list extended INSIDE
permit tcp any host a.b.c.d eq smtp
permit tcp any host a.b.c.e eq smtp
permit tcp host 192.168.0.10 any eq smtp
deny tcp any any eq smtp log
deny ip 192.168.0.0 0.0.0.255 192.168.15.0 0.0.0.255
permit ip any any
permit icmp any any
ip access-list extended OUTSIDE
permit tcp any any
permit esp any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit tcp a.b.c.0 0.0.0.255 any eq 3389
permit tcp any any eq 22
permit tcp any any eq ftp
permit tcp any any eq ftp-data
permit tcp any any eq 443
permit tcp any any eq 4125
permit tcp any any eq smtp
permit udp host a.b.c.f any eq ntp
permit udp host a.b.c.g any
permit tcp any host a.b.c.h eq 6500
permit tcp any host a.b.c.i eq 6500
permit tcp a.b.c.0 0.0.0.255 any eq 3390
permit icmp any any
permit tcp a.b.c.0 0.0.0.255 any eq 3391
permit tcp host a.b.c.j host 192.168.0.26 eq 7047
permit tcp host a.b.c.j host 192.168.0.26 eq 7048
permit tcp host a.b.c.j host 192.168.0.9 eq 3393
ip access-list extended WIFIGUEST
deny tcp any any eq smtp log
deny ip 192.168.15.0 0.0.0.255 192.168.0.0 0.0.0.255
deny ip 192.168.15.0 0.0.0.255 192.168.10.0 0.0.0.255
deny ip 192.168.15.0 0.0.0.255 192.168.100.0 0.0.0.255
deny ip 192.168.15.0 0.0.0.255 192.168.101.0 0.0.0.255
permit ip any any
permit icmp any any
permit tcp any any
ip access-list extended nat
deny ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
deny ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
deny ip 192.168.0.0 0.0.0.255 192.168.101.0 0.0.0.255
permit ip 192.168.0.0 0.0.0.255 any
deny ip host 192.168.0.93 any
permit ip 192.168.15.0 0.0.0.255 any
ip access-list extended vpn-sitetosite
permit ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
!
dialer-list 1 protocol ip permit
!
access-list 1 permit a.b.c.d
access-list 1 permit a.b.c.d
access-list 1 permit a.b.c.d
access-list 1 permit a.b.0.0 0.0.0.255
access-list 1 permit a.b.c.64 0.0.0.63
access-list 1 permit a.b.c.128 0.0.0.31
access-list 1 permit a.b.c.d 0.0.0.15
access-list 1 permit a.b.c.0 0.0.0.255
access-list 1 permit a.b.c.0 0.0.0.255
access-list 150 permit ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 151 permit ip 192.168.0.0 0.0.0.255 192.168.101.0 0.0.0.255
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
password 7 AAAAAAAA
no modem enable
line aux 0
password 7 AAAAAAAA
line vty 0 4
access-class 1 in
password 7 AAAAAAAA
transport input ssh
line vty 5 15
access-class 1 in
password 7 AAAAAAAA
transport input ssh
!
scheduler allocate 20000 1000
ntp source GigabitEthernet9
ntp server a.b.c.d
!
end

Hello,

try the config below:

--> no ip nat inside source static tcp 192.168.0.22 3389 interface GigabitEthernet9 3391


ip access-list extended RDP_ACL
deny ip 192.168.100.0 0.0.0.255 any
permit tcp any any eq 3389
!
ip nat pool RDP_POOL 192.168.0.22 192.168.0.22 netmask 255.255.255.0 type rotary
ip nat inside destination list RDP_ACL pool RDP_POOL

Thanks for the suggestion, but unfortunately it is not working.
After running "no ip nat inside source static tcp 192.168.0.27 3389 interface GigabitEthernet9 3392", as expected, RDP to port 3392 stopped working and RDP to 3389 using the VPN client started working.
After running the rest of the config, no change. Over VPN it works, from outside it does not.

I have tested with RDP access to 192.168.0.27, because at this moment I can't afford to play with access to 192.168.0.22.
I have used this changed config. Hope I have changed it correctly:

no ip nat inside source static tcp 192.168.0.27 3389 interface GigabitEthernet9 3392

ip access-list extended RDP_ACL
deny ip 192.168.100.0 0.0.0.255 any
permit tcp any any eq 3389

ip nat pool RDP_POOL 192.168.0.27 192.168.0.27 netmask 255.255.255.0 type rotary
ip nat inside destination list RDP_ACL pool RDP_POOL

Hello, config looks good. Try to change the TCP port to a range:

no ip nat inside source static tcp 192.168.0.27 3389 interface GigabitEthernet9 3392

!

ip access-list extended RDP_ACL
deny ip 192.168.100.0 0.0.0.255 any
permit tcp any any range 3389 3392

!

ip nat pool RDP_POOL 192.168.0.27 192.168.0.27 netmask 255.255.255.0 type rotary
ip nat inside destination list RDP_ACL pool RDP_POOL

After replacing "permit tcp any any eq 3389" with "permit tcp any any range 3389 3392" it is still not working.
Using VPN works, from outside it does not.

Shouldn't "ip nat inside source list nat interface GigabitEthernet9 overload" in combination with "ip access-list extended nat" already take care that traffic to the VPN networks is not NATed? "sh ip access-list" shows multiple matches.

Extended IP access list nat
10 deny ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
20 deny ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255 (55707 matches)
30 deny ip 192.168.0.0 0.0.0.255 192.168.101.0 0.0.0.255
40 permit ip 192.168.0.0 0.0.0.255 any (130731 matches)
50 deny ip host 192.168.0.93 any
60 permit ip 192.168.15.0 0.0.0.255 any
Extended IP access list RDP_ACL
10 deny ip 192.168.100.0 0.0.0.255 any (5964 matches)
20 permit tcp any any range 3389 3392 (26 matches)

Hello,

I cannot test this on a live network, but try to leave the original static NAT in there, so the entire thing looks like this:

ip nat inside source static tcp 192.168.0.22 3389 interface GigabitEthernet9 3391


ip access-list extended RDP_ACL
deny ip 192.168.100.0 0.0.0.255 any
permit tcp any any eq 3389
!
ip nat pool RDP_POOL 192.168.0.22 192.168.0.22 netmask 255.255.255.0 type rotary
ip nat inside destination list RDP_ACL pool RDP_POOL

Hello Georg,

I'm sorry for the long delay. I didn't have time to work on this problem during the weekend (fortunately :) ).

I have tried the proposed configuration, leaving the original static NAT as it was, but unfortunately I still cannot connect to the RDP server over the VPN connection.

Hello

May I ask why you're specifying different RDP ports?

ip nat inside source static tcp 192.168.0.22 3389 interface GigabitEthernet9 3391 ?

Also some of your access-lists are out of order; below are the suggested revised ones

ip access-list extended INSIDE
deny tcp any any eq smtp log
deny ip 192.168.0.0 0.0.0.255 192.168.15.0 0.0.0.255
permit ip any any
permit icmp any any

ip access-list extended OUTSIDE
permit udp host a.b.c.f any eq ntp
permit udp host a.b.c.g any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit tcp any any
permit esp any any
permit icmp any any


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

That's because I have only a single public IP available and multiple servers inside.

I have two options:

- either changing the port of the RDP service on the servers,

- or using different ports in the NAT statements.

I prefer the second one.

It looks like I got a little bit further (testing on a third, less important server):

route-map SDM_RMAP_1 permit 1
match ip address nat

ip nat inside source static tcp 192.168.0.203 3389 (external_ip_address) 3394 route-map SDM_RMAP_1 extendable

It looks like RDP access is working OK from VPN and from outside, but I'm not sure what effect it could have on the rest of the configuration. What should I pay attention to?
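To make the order-of-operations point behind the route-map fix concrete, here is an added Python model that is not from this thread or from Cisco: it applies the thread's ACL "nat", the static PAT entry and crypto ACL 150 to a reply packet from the terminal server, once with the unconditional static entry and once with the entry tied to route-map SDM_RMAP_1. It assumes the IOS inside-to-outside order (NAT before the crypto-map match) and uses 1.1.1.1 as the public address, as in the posted config.

```python
# Added model (not from the thread): on IOS, inside->outside traffic is NAT-translated
# before it is matched against the crypto map, so a translated source no longer
# matches the crypto ACL and the reply misses the VPN tunnel. Assumed simplification:
# one static PAT entry, one dynamic NAT ACL, one crypto ACL (access-list 150).
from ipaddress import ip_address

PUBLIC_IP = "1.1.1.1"                      # GigabitEthernet9 address from the posted config
TS_IP, TS_PORT, PUBLIC_PORT = "192.168.0.22", 3389, 3391

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is don't-care."""
    a, b, w = (int(ip_address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

# ip access-list extended nat, as posted: (action, src, src-wildcard, dst, dst-wildcard)
NAT_ACL = [
    ("deny",   "192.168.0.0", "0.0.0.255", "192.168.10.0",  "0.0.0.255"),
    ("deny",   "192.168.0.0", "0.0.0.255", "192.168.100.0", "0.0.0.255"),
    ("deny",   "192.168.0.0", "0.0.0.255", "192.168.101.0", "0.0.0.255"),
    ("permit", "192.168.0.0", "0.0.0.255", "0.0.0.0",       "255.255.255.255"),
]
# access-list 150: crypto ACL for vpn-client1-pool (192.168.100.0/24)
CRYPTO_ACL = [("permit", "192.168.0.0", "0.0.0.255", "192.168.100.0", "0.0.0.255")]

def acl_permits(acl, src, dst):
    """First-match evaluation with the implicit deny at the end of every IOS ACL."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action == "permit"
    return False

def egress(src, sport, dst, static_uses_route_map):
    """Return (source ip, source port, enters_vpn) for an inside->outside packet."""
    if src == TS_IP and sport == TS_PORT:
        # Static PAT: unconditional, unless tied to route-map SDM_RMAP_1, whose
        # 'match ip address nat' re-uses the dynamic NAT ACL and its VPN denies.
        if not static_uses_route_map or acl_permits(NAT_ACL, src, dst):
            src, sport = PUBLIC_IP, PUBLIC_PORT
    elif acl_permits(NAT_ACL, src, dst):
        src = PUBLIC_IP      # dynamic overload; the port is assumed kept for the model
    # Crypto-map check runs on the already translated header
    return src, sport, acl_permits(CRYPTO_ACL, src, dst)

if __name__ == "__main__":
    # Reply from the TS to a VPN client (constructed address 192.168.100.5)
    print(egress(TS_IP, TS_PORT, "192.168.100.5", static_uses_route_map=False))
    print(egress(TS_IP, TS_PORT, "192.168.100.5", static_uses_route_map=True))
```

With the unconditional static entry the reply leaves as 1.1.1.1:3391 and fails the crypto ACL; with the route-map it keeps 192.168.0.22:3389 and enters the tunnel, while a reply to an Internet client is still translated.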
