06-28-2011 01:37 AM - edited 03-04-2019 12:49 PM
Hi,
I need to be able to do RDP down an IPSEC tunnel between 2 877 routers (Site to Site VPN) as well as allow RDP in from the internet interface.
so I have a
ip nat source static tcp 192.168.1.5 3389 interface dialer0 3389
to permit the external traffic. But when this is in place and users are using the external RDP, I can't RDP down the IPSEC tunnel. The traffic "disappears". All other traffic that doesn't have a corresponding NAT (PAT) entry works great.
Any suggestions?
06-28-2011 02:16 AM
Hi,
Please post the current configuration, excluding sensitive information.
HTH,
Toshi
06-28-2011 02:32 PM
First is the site we want to RDP from...
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
service sequence-numbers
!
hostname xxxx877
!
boot-start-marker
boot-end-marker
!
logging buffered 52000
no logging console
!
no aaa new-model
clock timezone ESTime 10
clock save interval 8
!
crypto pki trustpoint TP-self-signed-3528xxx
!---- Snip ----
!
crypto pki certificate chain TP-self-signed-3528xxx
certificate self-signed 01
!---- Snip ----
dot11 syslog
!
dot11 ssid xxxx
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 1331121xxxx
!
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.50
ip dhcp excluded-address 10.10.10.200 10.10.10.254
!
ip dhcp pool xxxxrRd_LAN_Pool
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 192.168.1.2
domain-name xxxx.local
lease 2
update arp
!
ip dhcp pool Traffic_PC_Static
import all
host 10.10.10.151 255.255.255.0
client-identifier 0100.1c25.c703.ee
default-router 10.10.10.1
dns-server 10.10.10.1
lease 8
update arp
!
!
ip cef
no ip bootp server
ip domain name xxxx.local
ip host noojee 10.10.10.253
ip name-server 203.50.2.71
ip name-server 139.130.4.4
login block-for 300 attempts 4 within 60
login delay 7
login quiet-mode access-class aclQuietMode
login on-failure log
!
!
!
username UserInfo privilege 15 secret 5 $1$wxxxx
!
!
crypto isakmp policy 20
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key ATrickyPSKxxx address 120.151.xx.xx no-xauth
!
!
crypto ipsec transform-set RRCSet esp-3des esp-md5-hmac
!
crypto map RRCMap 20 ipsec-isakmp
set peer 120.151.xx.xxx
set transform-set RRCSet
match address 120
!
archive
log config
hidekeys
!
!
ip ssh version 2
!
bridge irb
!
!
interface ATM0
no ip address
no ip route-cache cef
no ip route-cache
load-interval 30
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface FastEthernet0
spanning-tree portfast
!
interface FastEthernet1
spanning-tree portfast
!
interface FastEthernet2
spanning-tree portfast
!
interface FastEthernet3
spanning-tree portfast
!
interface Dot11Radio0
no ip address
!
encryption mode ciphers tkip
!
ssid tsrr
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description RiverRd LAN Interface
no ip address
ip virtual-reassembly
no ip route-cache cef
ip tcp adjust-mss 1452
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Dialer0
description ADSL2+ WAN FNN Nxxx9582R
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
no cdp enable
ppp authentication chap callin
ppp chap hostname xxxx.@@direct.telstra.net
ppp chap password 7 075xxxx
crypto map RRCMap
!
interface BVI1
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
ip http access-class 22
ip http authentication local
ip http secure-server
ip dns server
ip nat source static tcp 10.10.10.250 9013 interface Dialer0 9013
ip nat source static tcp 10.10.10.253 22 interface Dialer0 10022
ip nat inside source route-map rmNatIn2Out interface Dialer0 overload
!
ip access-list standard aclQuietMode
permit 120.151.xx.xx
permit 202.173.xx.xx
permit 10.10.10.0 0.0.0.255
permit 192.168.1.0 0.0.0.255
!
ip access-list extended aclNat
deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 10.10.10.0 0.0.0.255 any
!
access-list 22 permit 10.10.10.0 0.0.0.255
access-list 22 permit 192.168.1.0 0.0.0.255
access-list 119 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 119 permit ip 10.10.10.0 0.0.0.255 any
access-list 120 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255 log
dialer-list 1 protocol ip permit
no cdp run
route-map rmNatIn2Out permit 10
match ip address aclNat
!
!
control-plane
!
bridge 1 route ip
!
alias exec tl0 terminal length 0
!
line con 0
no modem enable
transport output all
line aux 0
transport output all
line vty 0 2
access-class 22 in
exec-timeout 20 0
login local
transport input telnet
line vty 3 4
exec-timeout 20 0
login local
transport input ssh
!
scheduler max-task-time 5000
sntp server 202.173.144.3
sntp server 128.250.36.2
sntp server 202.72.191.202
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Then the site we want to RDP in to both down the tunnel and externally in
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
service sequence-numbers
!
hostname xxxx877
!
boot-start-marker
boot-end-marker
!
logging buffered 52000
no logging console
!
no aaa new-model
clock timezone ESTime 10
clock save interval 8
!
crypto pki trustpoint TP-self-signed-2567xxxx
!
!
crypto pki certificate chain TP-self-signed-2567xxxx
!---- Snip ----
dot11 syslog
!
dot11 ssid xxxx
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 122D001xx
!
no ip source-route
!
!
ip cef
no ip bootp server
ip domain name tlsg.local
ip name-server 203.50.2.71
ip name-server 139.130.4.4
login block-for 300 attempts 4 within 60
login delay 7
login quiet-mode access-class aclQuietMode
login on-failure log
!
!
!
username Theuser privilege 15 secret 5 $1$Bxxxx
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key ATrickypskxxxx address 165.228.xx.xxx no-xauth
!
!
crypto ipsec transform-set RRCSet esp-3des esp-md5-hmac
!
crypto map RRCMap 10 ipsec-isakmp
set peer 165.228.xx.xx
set transform-set RRCSet
match address 120
!
archive
log config
hidekeys
!
!
ip ssh version 2
!
bridge irb
!
!
interface ATM0
no ip address
no ip route-cache cef
no ip route-cache
load-interval 30
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface FastEthernet0
spanning-tree portfast
!
interface FastEthernet1
spanning-tree portfast
!
interface FastEthernet2
spanning-tree portfast
!
interface FastEthernet3
spanning-tree portfast
!
interface Dot11Radio0
no ip address
!
encryption mode ciphers tkip
!
ssid xxxx
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description Centro LAN Interface
no ip address
ip virtual-reassembly
no ip route-cache cef
ip tcp adjust-mss 1452
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Dialer0
description ADSL2+ FNN:N7xxxx
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
no cdp enable
ppp authentication chap callin
ppp chap hostname xxxx@@direct.telstra.net
ppp chap password 7 15xxxx
crypto map RRCMap
!
interface BVI1
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
ip http access-class 22
ip http authentication local
ip http secure-server
ip dns server
ip nat source static tcp 192.168.1.250 9013 interface Dialer0 9013
ip nat source static tcp 192.168.1.5 3389 interface Dialer0 3389
ip nat source static tcp 192.168.1.5 3050 interface Dialer0 3050
ip nat source static tcp 192.168.1.2 443 interface Dialer0 443
ip nat source static tcp 192.168.1.2 987 interface Dialer0 987
ip nat inside source route-map rmNatIn2Out interface Dialer0 overload
!
ip access-list standard aclQuietMode
permit 202.173.xx.xx
permit 165.228.xx.xx
permit 10.10.10.0 0.0.0.255
permit 192.168.1.0 0.0.0.255
!
ip access-list extended aclNat
deny ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
!
logging trap debugging
access-list 22 permit 192.168.1.0 0.0.0.255
access-list 22 permit 10.10.10.0 0.0.0.255
access-list 119 deny ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 119 permit ip 192.168.1.0 0.0.0.255 any
access-list 120 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
route-map rmNatIn2Out permit 10
match ip address aclNat
!
!
control-plane
!
bridge 1 route ip
!
alias exec tl0 term len 0
!
line con 0
no modem enable
transport output all
line aux 0
transport output all
line vty 0 2
exec-timeout 20 0
login local
transport input telnet
line vty 3 4
exec-timeout 20 0
login local
transport input ssh
!
scheduler max-task-time 5000
sntp server 202.173.144.3
sntp server 128.250.36.2
sntp server 202.72.191.202
06-28-2011 03:02 PM
Hi,
The problem is when you apply "ip nat source static tcp 192.168.1.5 3389 interface Dialer0 3389" on the router. RDP packets (from the tunnel) returned to 10.10.10.0/24 will hit this NAT statement, and source 192.168.1.5 is modified. That's why you cannot RDP from 10.10.10.0/24 to 192.168.1.5 through the tunnel anymore. As far as I know, you can apply a route-map to the NAT statement to solve the problem.
Let's say "ip nat source static tcp 192.168.1.5 3389 A.B.C.D 3389 route-map Deny-Return-RDP".
Unfortunately you cannot do this with the interface parameter on the NAT statement. I'm not sure about the new IOS. You may try.
HTH,
Toshi
06-28-2011 03:37 PM
Hi Toshi,
I am afraid I don't understand your reply. Are you saying the above route map should be created, or that it doesn't work? If it doesn't work, what is the solution? If it does work, what goes in the route map and what goes in the A.B.C.D?
Assuming the A.B.C.D is inside global then using the command...
ip nat source static tcp 192.168.1.5 3389 120.151.xx.xx 3389 ...
the only options using command completion are extendable, no-alias, and no-payload.
Thanks Toshi
06-28-2011 11:43 PM
Hi,
Sorry, I was a bit sleepy while I wrote it. The problem is that return RDP packets from 192.168.1.5 to 10.10.10.0/24 will hit this NAT: ip nat source static tcp 192.168.1.5 3389 interface Dialer0 3389. Source 192.168.1.5 will be modified. That's why it fails. If your WAN IP address is a static IP address, you can solve this problem by using the commands below.
!
ip access-list extended Deny-Return-RDP
deny ip host 192.168.1.5 10.10.10.0 0.0.0.255
permit ip host 192.168.1.5 any
!
route-map Deny-Return-RDP
match ip address Deny-Return-RDP
!
ip nat source static tcp 192.168.1.5 3389 A.B.C.D 3389 route-map Deny-Return-RDP
!
However, you have no route-map option when using the interface keyword in the NAT statement.
!
ip nat source static tcp 192.168.1.5 3389 interface Dialer0 3389
!
HTH,
Toshi
06-29-2011 05:33 PM
Hi Toshi,
Thanks for the response.
The only way I can get the route-map option available is ...
ip nat inside source static tcp 192.168.1.5 3389 120.151.xx.xx 3389 route-map DenyReturnRDP
What is the difference between ip nat inside source static and ip nat source static? Can they be used interchangeably in this situation?
06-30-2011 12:36 AM
Hi,
"ip nat source static" means you don't specify the direction in the command; it's actually used when using NVI. Just try this link:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtnatvi.html
HTH,
Toshi
06-30-2011 06:15 PM
Hi Toshi,
I have read that article through a few times now but can't see an explanation in there on the difference between the 2 statements.
From another forum I have had some advice to change the IPSEC tunnel to a VTI as opposed to a crypto map, and that has fixed my issue. The VTI is a much more elegant solution, as being able to control the routing, and hence the path of the return traffic, resolves the issue.
I will keep trying to find an answer as to whether I should be using
ip nat source static tcp xx.xx.xx.xx
or
ip nat inside source static tcp xx.xx.xx.xx
to publish a service, as I am still confused about the difference.
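The VTI design the last post describes, as an added example that is not configuration from this thread: it is written for the Centro side (the 192.168.1.0/24 site that hosts 192.168.1.5), keeps the existing ISAKMP policy, pre-shared key and transform set RRCSet, and assumes the Tunnel0 addressing 172.16.0.0/30 and the 1400-byte tunnel MTU; the RiverRd 877 needs the mirror-image Tunnel0 (172.16.0.1, destination 120.151.xx.xx, route to 192.168.1.0/24).

```cisco
! Added example (not from the thread): replace the crypto map on the Centro 877
! with a static VTI. ISAKMP policy 10 and the pre-shared key for 165.228.xx.xx
! stay as they are; only the IPsec attachment changes.
!
! 1. Reuse the existing transform set in an IPsec profile (a VTI takes a
!    profile, not a crypto map, and needs no "match address" ACL).
crypto ipsec profile RRCProfile
 set transform-set RRCSet
!
! 2. The VTI. It carries NO "ip nat inside", "ip nat outside" or "ip nat enable",
!    so anything routed into it is never translated: the static PAT for
!    192.168.1.5:3389 on Dialer0 no longer touches the tunnel's return traffic.
interface Tunnel0
 description VTI to RiverRd (10.10.10.0/24)
 ip address 172.16.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Dialer0
 tunnel destination 165.228.xx.xx
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile RRCProfile
!
! 3. Routing now decides what is encrypted: the remote LAN goes into Tunnel0,
!    everything else keeps following the default route out Dialer0 and is
!    translated there as before.
ip route 10.10.10.0 255.255.255.0 Tunnel0
!
! 4. Remove the crypto map from the WAN interface; ACL 120 and "crypto map
!    RRCMap" are no longer used. The "deny ... 10.10.10.0" line in aclNat can
!    stay as a harmless extra exemption for the overload PAT.
interface Dialer0
 no crypto map RRCMap
!
! 5. Verify after both ends are converted: the SA should be up, the encrypt and
!    decrypt counters should move while an RDP session runs down the tunnel,
!    and no 3389 translation should appear for a 10.10.10.0/24 client.
! show crypto session
! show crypto ipsec sa
! show ip nat translations | include 3389
```

Both routers must be converted together, since a VTI peer will not negotiate the crypto-map proxy identities (the ACL 120 networks) the old configuration offers.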