RDP over VPN not working after NAT rule applied

davorin
Level 1

Hello,

Some time ago I inherited support of a Cisco C892FSP-K9 router running IOS 15.3(3)M4.

The configuration is not very complex: a LAN and a separate Wi-Fi network on the inside, one site-to-site VPN, and a couple of users who connect to the LAN (mostly for RDP to the terminal server (TS)) using the Cisco VPN client.

Then I was asked to configure an additional NAT rule for accessing the terminal server from outside without a VPN client.

But the moment the rule "ip nat inside source static tcp 192.168.0.22 3389 interface GigabitEthernet9 3391" is applied, RDP access to the TS over any VPN stops working.

Can someone please give me a hand with this problem?

I am posting the part of the configuration that could matter in this case. Some addresses are changed.

If you need some other info please let me know.

Thank you for your help!

crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key aaaaaaaaaaa address 1.2.3.4 no-xauth
crypto isakmp client configuration address-pool local vpn-client1-pool
!
crypto isakmp client configuration group group100
key aaaaaaaa
pool vpn-client1-pool
acl 150
!
crypto isakmp client configuration group group101
key aaaaaaaa
pool vpn-client2-pool
acl 151
!
crypto ipsec transform-set proposal1 esp-3des esp-md5-hmac
mode tunnel
crypto ipsec transform-set vpnclset1 esp-3des esp-md5-hmac
mode tunnel
!
crypto dynamic-map vpncldyn 10
set transform-set vpnclset1
!
crypto map m1 client authentication list userauthen
crypto map m1 isakmp authorization list groupauthor
crypto map m1 client configuration address respond
crypto map m1 1 ipsec-isakmp
set peer 1.2.3.4
set transform-set proposal1
match address vpn-sitetosite
crypto map m1 10 ipsec-isakmp dynamic vpncldyn

ip nat inside source list nat interface GigabitEthernet9 overload
ip nat inside source static tcp 192.168.0.26 6500 interface GigabitEthernet9 6500
ip nat inside source static tcp 192.168.0.22 3389 interface GigabitEthernet9 3391


ip access-list extended nat
deny ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
deny ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
deny ip 192.168.0.0 0.0.0.255 192.168.101.0 0.0.0.255
permit ip 192.168.0.0 0.0.0.255 any
deny ip host 192.168.0.93 any
permit ip 192.168.15.0 0.0.0.255 any

ip access-list extended vpn-sitetosite
permit ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255

access-list 150 permit ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 151 permit ip 192.168.0.0 0.0.0.255 192.168.101.0 0.0.0.255
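As an added illustration of the mechanism behind the symptom (this is not part of the post, and not the accepted solution): on IOS, an inside-to-outside packet is run through NAT before the crypto map is evaluated. A static entry matches on the inside address and port alone, regardless of destination, so an RDP reply from 192.168.0.22:3389 to a VPN client is rewritten to the Gi9 address and port 3391 and no longer matches crypto ACL 150; the dynamic rule is harmless only because the `nat` ACL denies the VPN pools. The script below models that order of operations using the ACLs and NAT lines from the post. The public address 203.0.113.10, the VPN client 192.168.100.5 and the Internet client 198.51.100.7 are constructed placeholders, and the "exemption ACL" on the static entry is a model of gating the static translation by destination (the effect a route-map attached to the static entry is meant to have; check with `?` whether your release accepts `route-map` on the port-specific `interface` form).

```python
# Constructed example (not from the forum post): a model of the Cisco IOS
# inside-to-outside order of operations, showing why the static port forward
# for 192.168.0.22:3389 breaks RDP replies to VPN clients.
# Assumptions: 203.0.113.10 stands in for the GigabitEthernet9 address, the
# client addresses are made up, and a route-map on a static entry is modelled
# as an ACL that must permit the flow before the static entry is used.
from dataclasses import dataclass, replace
from typing import Optional

PUBLIC_IP = "203.0.113.10"  # placeholder for the Gi9 public address


def ip_int(addr: str) -> int:
    a, b, c, d = (int(x) for x in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def parse_spec(tokens):
    """Consume one IOS address spec ('any', 'host X' or 'X WILDCARD');
    return (base, wildcard) as integers plus the unconsumed tokens."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (ip_int(tokens[1]), 0), tokens[2:]
    return (ip_int(tokens[0]), ip_int(tokens[1])), tokens[2:]


def parse_acl(lines):
    """Parse 'permit|deny ip SRC DST' entries (named or numbered syntax)."""
    entries = []
    for line in lines:
        tokens = line.split()
        if tokens[0] == "access-list":      # numbered form: skip 'access-list N'
            tokens = tokens[2:]
        action = tokens[0]
        src, rest = parse_spec(tokens[2:])  # tokens[1] is the protocol ('ip')
        dst, _ = parse_spec(rest)
        entries.append((action == "permit", src, dst))
    return entries


def acl_permits(entries, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for permit, (sb, sw), (db, dw) in entries:
        if (ip_int(src) | sw) == (sb | sw) and (ip_int(dst) | dw) == (db | dw):
            return permit
    return False


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class StaticTcp:
    """ip nat inside source static tcp LOCAL LPORT interface Gi9 GPORT"""
    local_ip: str
    local_port: int
    global_port: int
    exempt_acl: Optional[list] = None  # models a route-map: skip entry when denied


def translate(pkt, statics, nat_acl):
    """Inside-to-outside NAT: static entries first, then the overload rule
    controlled by the 'nat' ACL. Returns (packet after NAT, kind)."""
    for s in statics:
        if pkt.src == s.local_ip and pkt.sport == s.local_port:
            if s.exempt_acl is not None and not acl_permits(s.exempt_acl, pkt.src, pkt.dst):
                continue  # route-map said no: fall through to dynamic NAT
            return replace(pkt, src=PUBLIC_IP, sport=s.global_port), "static"
    if acl_permits(nat_acl, pkt.src, pkt.dst):
        return replace(pkt, src=PUBLIC_IP), "overload"  # source port kept for brevity
    return pkt, "none"


def forward(pkt, statics, nat_acl, crypto_acl):
    """NAT runs before the crypto map, so the crypto ACL sees the translated
    packet. Returns (NAT kind, whether the packet enters the IPsec tunnel)."""
    out, kind = translate(pkt, statics, nat_acl)
    return kind, acl_permits(crypto_acl, out.src, out.dst)


# ACLs exactly as posted.
NAT_ACL = parse_acl([
    "deny ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255",
    "deny ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255",
    "deny ip 192.168.0.0 0.0.0.255 192.168.101.0 0.0.0.255",
    "permit ip 192.168.0.0 0.0.0.255 any",
    "deny ip host 192.168.0.93 any",
    "permit ip 192.168.15.0 0.0.0.255 any",
])
CRYPTO_ACL_150 = parse_acl(["access-list 150 permit ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255"])

# RDP reply from the terminal server to a VPN client (client address constructed).
RDP_REPLY = Packet("192.168.0.22", 3389, "192.168.100.5", 51000)

STATIC_AS_POSTED = StaticTcp("192.168.0.22", 3389, 3391)
EXEMPT = parse_acl([  # constructed: keep the static entry away from VPN destinations
    "deny ip host 192.168.0.22 192.168.10.0 0.0.0.255",
    "deny ip host 192.168.0.22 192.168.100.0 0.0.0.255",
    "deny ip host 192.168.0.22 192.168.101.0 0.0.0.255",
    "permit ip host 192.168.0.22 any",
])
STATIC_EXEMPTED = StaticTcp("192.168.0.22", 3389, 3391, EXEMPT)


def scenarios():
    return {
        "no static rule": forward(RDP_REPLY, [], NAT_ACL, CRYPTO_ACL_150),
        "static as posted": forward(RDP_REPLY, [STATIC_AS_POSTED], NAT_ACL, CRYPTO_ACL_150),
        "static with exemption": forward(RDP_REPLY, [STATIC_EXEMPTED], NAT_ACL, CRYPTO_ACL_150),
        "internet client": forward(Packet("192.168.0.22", 3389, "198.51.100.7", 40000),
                                   [STATIC_EXEMPTED], NAT_ACL, CRYPTO_ACL_150),
    }


if __name__ == "__main__":
    for name, (kind, tunnelled) in scenarios().items():
        print(f"{name:22s} NAT={kind:8s} into-tunnel={tunnelled}")
```

Running it shows the three states side by side: with no static rule the reply is untranslated and enters the tunnel, with the static rule as posted it is rewritten to 203.0.113.10:3391 and misses ACL 150, and with the destination-gated static entry VPN replies go back into the tunnel while replies to an Internet client are still forwarded on 3391. The same ACL evaluator also shows that `deny ip host 192.168.0.93 any` in the `nat` ACL is never reached, because the `permit ip 192.168.0.0 0.0.0.255 any` above it already matches that host.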

16 Replies

And I'm aware that the ACLs are chaotic, but that will be the next phase of cleanup.
First I will need to find out what is actually in use.
I cannot completely block outside SMTP traffic, as there is a mail server in the LAN.

Hi,
it looks like this configuration works as it should.
I have accepted this message as the solution. I hope it is ok this way; it is my first post here in this forum.
And I want to thank everyone who tried to help me with this problem.

Thank you very much!
Best regards,
Davorin