
RDP over VPN not working after NAT rule applied



Some time ago I inherited support of a Cisco C892FSP-K9 router running IOS 15.3(3)M4.

The configuration is not so complex - a LAN and a separate Wi-Fi network on the inside, one site-to-site VPN, and a couple of users who connect to the LAN (mostly for RDP to a terminal server (TS)) using the Cisco VPN client.

Then I was asked to configure an additional NAT rule for accessing the terminal server from outside without a VPN client.

But the moment the rule "ip nat inside source static tcp 3389 interface GigabitEthernet9 3391" is applied, RDP access to the TS over any VPN stops working.

Can someone please give me a hand with this problem?

I am posting the part of the configuration that could matter in this case. Some addresses are changed.

If you need some other info please let me know.

Thank you for your help!

crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key aaaaaaaaaaa address no-xauth
crypto isakmp client configuration address-pool local vpn-client1-pool
crypto isakmp client configuration group group100
 key aaaaaaaa
 pool vpn-client1-pool
 acl 150
crypto isakmp client configuration group group101
 key aaaaaaaa
 pool vpn-client2-pool
 acl 151
crypto ipsec transform-set proposal1 esp-3des esp-md5-hmac
 mode tunnel
crypto ipsec transform-set vpnclset1 esp-3des esp-md5-hmac
 mode tunnel
crypto dynamic-map vpncldyn 10
 set transform-set vpnclset1
crypto map m1 client authentication list userauthen
crypto map m1 isakmp authorization list groupauthor
crypto map m1 client configuration address respond
crypto map m1 1 ipsec-isakmp
 set peer
 set transform-set proposal1
 match address vpn-sitetosite
crypto map m1 10 ipsec-isakmp dynamic vpncldyn

ip nat inside source list nat interface GigabitEthernet9 overload
ip nat inside source static tcp 6500 interface GigabitEthernet9 6500
ip nat inside source static tcp 3389 interface GigabitEthernet9 3391

ip access-list extended nat
 deny ip
 deny ip
 deny ip
 permit ip any
 deny ip host any
 permit ip any

ip access-list extended vpn-sitetosite
 permit ip

access-list 150 permit ip
access-list 151 permit ip
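An added config-audit example for the situation in the post above; it is not code from the original thread or from Cisco. The point it checks: the dynamic entry "ip nat inside source list nat ... overload" only translates what its ACL permits, so the deny lines in the "nat" ACL keep VPN-bound traffic untranslated, whereas a static "ip nat inside source static tcp ..." entry has no ACL of its own and translates matching packets unconditionally unless it carries a route-map clause. The script parses an IOS NAT/ACL snippet and lists the static entries that lack such a clause, together with the destinations the dynamic ACL excludes, so each static entry can be reviewed for overlap with VPN traffic. The sample configuration, its addresses (RFC 5737 documentation ranges) and the route-map name NONAT-STATIC are constructed for the example.

```python
"""Audit Cisco IOS NAT statements for static entries that bypass the dynamic
NAT ACL's exclusions.  Added example; the config below is constructed."""
import re

# Constructed sample config; addresses are RFC 5737 documentation ranges.
SAMPLE_CONFIG = """\
ip nat inside source list nat interface GigabitEthernet9 overload
ip nat inside source static tcp 192.0.2.10 6500 interface GigabitEthernet9 6500
ip nat inside source static tcp 192.0.2.20 3389 interface GigabitEthernet9 3391
ip nat inside source static tcp 192.0.2.30 25 interface GigabitEthernet9 25 route-map NONAT-STATIC
ip access-list extended nat
 deny ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255
 deny ip 192.0.2.0 0.0.0.255 203.0.113.0 0.0.0.255
 permit ip 192.0.2.0 0.0.0.255 any
"""

# Static port translation: "... static tcp LOCAL-IP LOCAL-PORT (interface X | GLOBAL-IP) GLOBAL-PORT [options]"
STATIC_RE = re.compile(
    r"^ip nat inside source static (?P<proto>tcp|udp) (?P<local_ip>\S+) (?P<local_port>\d+) "
    r"(?:interface (?P<iface>\S+)|(?P<global_ip>\S+)) (?P<global_port>\d+)(?P<opts>.*)$"
)
DYNAMIC_RE = re.compile(r"^ip nat inside source list (?P<acl>\S+) ")


def parse_static_nat(config):
    """Return one dict per static tcp/udp NAT entry, noting any route-map clause."""
    entries = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        opts = m.group("opts").split()
        route_map = opts[opts.index("route-map") + 1] if "route-map" in opts else None
        entries.append({
            "proto": m.group("proto"),
            "local": f'{m.group("local_ip")}:{m.group("local_port")}',
            "global_port": int(m.group("global_port")),
            "route_map": route_map,
        })
    return entries


def parse_acl(config, name):
    """Return (action, tokens) pairs for the named extended ACL's permit/deny lines."""
    entries, inside = [], False
    for raw in config.splitlines():
        parts = raw.strip().split()
        if not parts:
            continue
        if parts[:3] == ["ip", "access-list", "extended"]:
            inside = parts[3] == name
            continue
        if inside and parts[0] in ("permit", "deny"):
            entries.append((parts[0], parts[1:]))
        elif inside:
            inside = False  # first non-ACE line ends the ACL body
    return entries


def _addr(tokens, i):
    """Parse one ACL address at tokens[i]: 'any', 'host X', or 'NET WILDCARD'."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1] + "/32", i + 2
    return f"{tokens[i]} {tokens[i + 1]}", i + 2


def untranslated_destinations(config, acl_name):
    """Destinations the dynamic NAT ACL denies, i.e. traffic the overload entry leaves alone."""
    denied = []
    for action, tokens in parse_acl(config, acl_name):
        if action != "deny" or tokens[0] != "ip":
            continue
        _, i = _addr(tokens, 1)      # skip the source
        dst, _ = _addr(tokens, i)    # keep the destination
        denied.append(dst)
    return denied


def audit(config):
    """Report the dynamic ACL's exclusions and the static entries that ignore them."""
    acl = None
    for line in config.splitlines():
        m = DYNAMIC_RE.match(line.strip())
        if m:
            acl = m.group("acl")
    return {
        "dynamic_acl": acl,
        "untranslated_destinations": untranslated_destinations(config, acl) if acl else [],
        # Static entries with no route-map translate unconditionally: review these.
        "unconditional_static": [e for e in parse_static_nat(config) if e["route_map"] is None],
    }


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    print("dynamic ACL:", report["dynamic_acl"])
    print("destinations excluded from dynamic NAT:", report["untranslated_destinations"])
    for e in report["unconditional_static"]:
        print(f"REVIEW: static {e['proto']} {e['local']} -> :{e['global_port']} has no route-map")
```

Run against a real configuration by replacing SAMPLE_CONFIG with the output of "show running-config | include nat|access-list|permit|deny"; every entry printed as REVIEW is a candidate for the symptom in the post, because its translation applies regardless of what the "nat" ACL denies.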


And I'm aware that the ACLs are chaotic, but that will be the next phase of the cleanup.
First I will need to find out what is actually in use.
I cannot completely block outside SMTP traffic, as there is a mail server in the LAN.

It looks like this configuration works as it should.
I have accepted this message as solution. I hope it is ok this way - it is my first post here in this forum.
And I want to thank everyone who tried to help me with this problem.

Thank you very much!
Best regards,