09-28-2018 02:37 AM
Hello,
Some time ago I inherited support of a Cisco C892FSP-K9 router with IOS 15.3(3)M4.
The configuration is not so complex: a LAN and a separate Wi-Fi network on the inside, one site-to-site VPN, and a couple of users connecting to the LAN (mostly for RDP to a terminal server (TS)) using the Cisco VPN client.
Then I was asked to configure an additional NAT rule for accessing the terminal server from outside without a VPN client.
But the moment the rule "ip nat inside source static tcp 192.168.0.22 3389 interface GigabitEthernet9 3391" is applied, RDP access to the TS over any VPN stops working.
Can someone please give me a hand with this problem?
I am posting the part of the configuration that could matter in this case. Some addresses are changed.
If you need some other info please let me know.
Thank you for your help!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key aaaaaaaaaaa address 1.2.3.4 no-xauth
crypto isakmp client configuration address-pool local vpn-client1-pool
!
crypto isakmp client configuration group group100
 key aaaaaaaa
 pool vpn-client1-pool
 acl 150
!
crypto isakmp client configuration group group101
 key aaaaaaaa
 pool vpn-client2-pool
 acl 151
!
crypto ipsec transform-set proposal1 esp-3des esp-md5-hmac
 mode tunnel
crypto ipsec transform-set vpnclset1 esp-3des esp-md5-hmac
 mode tunnel
!
crypto dynamic-map vpncldyn 10
 set transform-set vpnclset1
!
crypto map m1 client authentication list userauthen
crypto map m1 isakmp authorization list groupauthor
crypto map m1 client configuration address respond
crypto map m1 1 ipsec-isakmp
 set peer 1.2.3.4
 set transform-set proposal1
 match address vpn-sitetosite
crypto map m1 10 ipsec-isakmp dynamic vpncldyn
!
ip nat inside source list nat interface GigabitEthernet9 overload
ip nat inside source static tcp 192.168.0.26 6500 interface GigabitEthernet9 6500
ip nat inside source static tcp 192.168.0.22 3389 interface GigabitEthernet9 3391
!
ip access-list extended nat
 deny   ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny   ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
 deny   ip 192.168.0.0 0.0.0.255 192.168.101.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 any
 deny   ip host 192.168.0.93 any
 permit ip 192.168.15.0 0.0.0.255 any
ip access-list extended vpn-sitetosite
 permit ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
!
access-list 150 permit ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 151 permit ip 192.168.0.0 0.0.0.255 192.168.101.0 0.0.0.255
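The following is an added example, not part of the original post or of any reply, showing how the static RDP translation can be made conditional so that it no longer rewrites traffic bound for the VPN subnets. The mechanism behind the symptom is IOS order of operations: for inside-to-outside traffic, NAT is applied before the crypto map is checked. The dynamic overload rule is safe only because the "nat" ACL denies the three VPN subnets first; the static entry has no destination condition, so a reply from 192.168.0.22:3389 to a VPN client in 192.168.100.0/24 is rewritten to the GigabitEthernet9 address and port 3391, stops matching ACL 150 (or 151, or vpn-sitetosite), and is therefore never encrypted. The ACL name static-nat-rdp, the route-map name static-nat-rdp, and the outside address 203.0.113.10 (standing in for the real GigabitEthernet9 address) are assumptions chosen for this example.

```cisco
! Added example (not from the original post). Names and the outside address
! 203.0.113.10 are assumptions; the subnets are the ones from the post.
!
! ACL used by the route-map: traffic from the terminal server to the
! site-to-site subnet and both VPN client pools must NOT be translated;
! everything else from the server is translated normally.
ip access-list extended static-nat-rdp
 deny   ip host 192.168.0.22 192.168.10.0 0.0.0.255
 deny   ip host 192.168.0.22 192.168.100.0 0.0.0.255
 deny   ip host 192.168.0.22 192.168.101.0 0.0.0.255
 permit ip host 192.168.0.22 any
!
! A route-map permit entry matching the ACL: a packet that the ACL permits is
! translated, a packet the ACL denies leaves the static entry untouched and
! is then evaluated by the crypto map with its real source address.
route-map static-nat-rdp permit 10
 match ip address static-nat-rdp
!
! Replace the unconditional static entry with one tied to the route-map.
! The explicit global address form is used here because it accepts the
! route-map keyword; whether the "interface GigabitEthernet9" form accepts it
! on this IOS release has not been verified and should be checked with "?".
no ip nat inside source static tcp 192.168.0.22 3389 interface GigabitEthernet9 3391
ip nat inside source static tcp 192.168.0.22 3389 203.0.113.10 3391 route-map static-nat-rdp
```

After applying the change, verify both paths rather than assuming the fix: open an RDP session over the VPN and confirm with show crypto ipsec sa that the encrypt and decrypt counters for the client SA increase, then open an RDP session to port 3391 from outside and confirm with show ip nat translations that a translation for 192.168.0.22:3389 appears. If the outside-initiated session no longer creates a translation on this release, that behaviour is the thing to investigate before leaving the change in place.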