cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1571
Views
0
Helpful
8
Replies

Static NAT and same port traffic over IPSec tunnel

Hi,

I need to be able to do RDP down an IPSEC tunnel between 2 877 routers (Site to Site VPN) as well as allow RDP in from the internet interface.

so I have a

ip nat source static tcp 192.168.1.5 3389 interface dialer0 3389

to permit the external traffic.  But when this is in place and users are using the external RDP, I cant RDP down the IPSEC Tunnel.  The traffic "disappears".  All other traffic that doesn't have coresponding NAT (PAT) works great.

Any suggestions?

8 REPLIES 8

Hi,

   Please post the current configuration.excluding sensitive infornation.

HTH,

Toshi

First is the site we want to RDP from...

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime localtime

service timestamps log datetime localtime

service password-encryption

service sequence-numbers

!

hostname xxxx877

!

boot-start-marker

boot-end-marker

!

logging buffered 52000

no logging console

!

no aaa new-model

clock timezone ESTime 10

clock save interval 8

!

crypto pki trustpoint TP-self-signed-3528xxx

!----  Snip  ----

!

crypto pki certificate chain TP-self-signed-3528xxx

certificate self-signed 01

!----  Snip  ----

dot11 syslog

!

dot11 ssid xxxx

   authentication open

   authentication key-management wpa

   guest-mode

   wpa-psk ascii 7 1331121xxxx

!

no ip source-route

no ip dhcp use vrf connected

ip dhcp excluded-address 10.10.10.1 10.10.10.50

ip dhcp excluded-address 10.10.10.200 10.10.10.254

!

ip dhcp pool xxxxrRd_LAN_Pool

   import all

   network 10.10.10.0 255.255.255.0

   default-router 10.10.10.1

   dns-server 192.168.1.2

   domain-name xxxx.local

   lease 2

   update arp

!

ip dhcp pool Traffic_PC_Static

   import all

   host 10.10.10.151 255.255.255.0

   client-identifier 0100.1c25.c703.ee

   default-router 10.10.10.1

   dns-server 10.10.10.1

   lease 8

   update arp

!

!

ip cef

no ip bootp server

ip domain name xxxx.local

ip host noojee 10.10.10.253

ip name-server 203.50.2.71

ip name-server 139.130.4.4

login block-for 300 attempts 4 within 60

login delay 7

login quiet-mode access-class aclQuietMode

login on-failure log

!

!

!

username UserInfo privilege 15 secret 5 $1$wxxxx

!

!

crypto isakmp policy 20

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp key ATrickyPSKxxx address 120.151.xx.xx no-xauth

!

!

crypto ipsec transform-set RRCSet esp-3des esp-md5-hmac

!

crypto map RRCMap 20 ipsec-isakmp

set peer 120.151.xx.xxx

set transform-set RRCSet

match address 120

!

archive

log config

  hidekeys

!

!

ip ssh version 2

!

bridge irb

!

!

interface ATM0

no ip address

no ip route-cache cef

no ip route-cache

load-interval 30

no atm ilmi-keepalive

pvc 8/35

  encapsulation aal5mux ppp dialer

  dialer pool-member 1

!

dsl operating-mode auto

!

interface FastEthernet0

spanning-tree portfast

!

interface FastEthernet1

spanning-tree portfast

!

interface FastEthernet2

spanning-tree portfast

!

interface FastEthernet3

spanning-tree portfast

!

interface Dot11Radio0

no ip address

!       

encryption mode ciphers tkip

!

ssid tsrr

!

speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0

station-role root

no cdp enable

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 spanning-disabled

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

!

interface Vlan1

description RiverRd LAN Interface

no ip address

ip virtual-reassembly

no ip route-cache cef

ip tcp adjust-mss 1452

bridge-group 1

bridge-group 1 spanning-disabled

!

interface Dialer0

description ADSL2+ WAN FNN Nxxx9582R

ip address negotiated

no ip redirects

no ip unreachables

no ip proxy-arp

ip mtu 1452

ip nat outside

ip virtual-reassembly

encapsulation ppp

ip route-cache flow

dialer pool 1

no cdp enable

ppp authentication chap callin

ppp chap hostname xxxx.@@direct.telstra.net

ppp chap password 7 075xxxx

crypto map RRCMap

!

interface BVI1

ip address 10.10.10.1 255.255.255.0

ip nat inside

ip virtual-reassembly

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 Dialer0

!

no ip http server

ip http access-class 22

ip http authentication local

ip http secure-server

ip dns server

ip nat source static tcp 10.10.10.250 9013 interface Dialer0 9013

ip nat source static tcp 10.10.10.253 22 interface Dialer0 10022

ip nat inside source route-map rmNatIn2Out interface Dialer0 overload

!

ip access-list standard aclQuietMode

permit 120.151.xx.xx

permit 202.173.xx.xx

permit 10.10.10.0 0.0.0.255

permit 192.168.1.0 0.0.0.255

!

ip access-list extended aclNat

deny   ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255

permit ip 10.10.10.0 0.0.0.255 any

!

access-list 22 permit 10.10.10.0 0.0.0.255

access-list 22 permit 192.168.1.0 0.0.0.255

access-list 119 deny   ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 119 permit ip 10.10.10.0 0.0.0.255 any

access-list 120 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255 log

dialer-list 1 protocol ip permit

no cdp run

route-map rmNatIn2Out permit 10

match ip address aclNat

!        

!

control-plane

!

bridge 1 route ip

!

alias exec tl0 terminal length 0

!

line con 0

no modem enable

transport output all

line aux 0

transport output all

line vty 0 2

access-class 22 in

exec-timeout 20 0

login local

transport input telnet

line vty 3 4

exec-timeout 20 0

login local

transport input ssh

!

scheduler max-task-time 5000

sntp server 202.173.144.3

sntp server 128.250.36.2

sntp server 202.72.191.202

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Then the site we want to RDP in to both down the tunnel and externally in

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime localtime

service timestamps log datetime localtime

service password-encryption

service sequence-numbers

!

hostname xxxx877

!

boot-start-marker

boot-end-marker

!

logging buffered 52000

no logging console

!

no aaa new-model

clock timezone ESTime 10

clock save interval 8

!

crypto pki trustpoint TP-self-signed-2567xxxx

!

!

crypto pki certificate chain TP-self-signed-2567xxxx

!----  Snip  ----

dot11 syslog

!

dot11 ssid xxxx

   authentication open

   authentication key-management wpa

   guest-mode

   wpa-psk ascii 7 122D001xx

!

no ip source-route

!

!

ip cef

no ip bootp server

ip domain name tlsg.local

ip name-server 203.50.2.71

ip name-server 139.130.4.4

login block-for 300 attempts 4 within 60

login delay 7

login quiet-mode access-class aclQuietMode

login on-failure log

!

!

!        

username Theuser privilege 15 secret 5 $1$Bxxxx

!

!

crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp key ATrickypskxxxx address 165.228.xx.xxx no-xauth

!

!

crypto ipsec transform-set RRCSet esp-3des esp-md5-hmac

!

crypto map RRCMap 10 ipsec-isakmp

set peer 165.228.xx.xx

set transform-set RRCSet

match address 120

!

archive

log config

  hidekeys

!

!

ip ssh version 2

!

bridge irb

!

!

interface ATM0

no ip address

no ip route-cache cef

no ip route-cache

load-interval 30

no atm ilmi-keepalive

pvc 8/35

  encapsulation aal5mux ppp dialer

  dialer pool-member 1

!

dsl operating-mode auto

!

interface FastEthernet0

spanning-tree portfast

!

interface FastEthernet1

spanning-tree portfast

!

interface FastEthernet2

spanning-tree portfast

!

interface FastEthernet3

spanning-tree portfast

!

interface Dot11Radio0

no ip address

!

encryption mode ciphers tkip

!

ssid xxxx

!

speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0

station-role root

no cdp enable

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 spanning-disabled

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

!

interface Vlan1

description Centro LAN Interface

no ip address

ip virtual-reassembly

no ip route-cache cef

ip tcp adjust-mss 1452

bridge-group 1

bridge-group 1 spanning-disabled

!

interface Dialer0

description ADSL2+ FNN:N7xxxx

ip address negotiated

no ip redirects

no ip unreachables

no ip proxy-arp

ip mtu 1452

ip nat outside

ip virtual-reassembly

encapsulation ppp

ip route-cache flow

dialer pool 1

no cdp enable

ppp authentication chap callin

ppp chap hostname xxxx@@direct.telstra.net

ppp chap password 7 15xxxx

crypto map RRCMap

!

interface BVI1

ip address 192.168.1.254 255.255.255.0

ip nat inside

ip virtual-reassembly

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 Dialer0

!

no ip http server

ip http access-class 22

ip http authentication local

ip http secure-server

ip dns server

ip nat source static tcp 192.168.1.250 9013 interface Dialer0 9013

ip nat source static tcp 192.168.1.5 3389 interface Dialer0 3389

ip nat source static tcp 192.168.1.5 3050 interface Dialer0 3050

ip nat source static tcp 192.168.1.2 443 interface Dialer0 443

ip nat source static tcp 192.168.1.2 987 interface Dialer0 987

ip nat inside source route-map rmNatIn2Out interface Dialer0 overload

!

ip access-list standard aclQuietMode

permit 202.173.xx.xx

permit 165.228.xx.xx

permit 10.10.10.0 0.0.0.255

permit 192.168.1.0 0.0.0.255

!

ip access-list extended aclNat

deny   ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255

permit ip 192.168.1.0 0.0.0.255 any

!

logging trap debugging

access-list 22 permit 192.168.1.0 0.0.0.255

access-list 22 permit 10.10.10.0 0.0.0.255

access-list 119 deny   ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255

access-list 119 permit ip 192.168.1.0 0.0.0.255 any

access-list 120 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255

dialer-list 1 protocol ip permit

no cdp run

route-map rmNatIn2Out permit 10

match ip address aclNat

!

!

control-plane

!

bridge 1 route ip

!

alias exec tl0 term len 0

!

line con 0

no modem enable

transport output all

line aux 0

transport output all

line vty 0 2

exec-timeout 20 0

login local

transport input telnet

line vty 3 4

exec-timeout 20 0

login local

transport input ssh

!

scheduler max-task-time 5000

sntp server 202.173.144.3

sntp server 128.250.36.2

sntp server 202.72.191.202

Hi,

     The problem is when you apply "ip nat source static tcp 192.168.1.5 3389 interface Dialer0 3389" on the router. RDP packets(From Tunnel) returned to 10.10.10.0/24 will hit this NAT statement. And Source-192.168.1.5 is modified. That's why you cannot RDP from 10.10.10.0/24 to 192.168.15 through the Tunnel anymore.  As far as I know is that you can apply a route-map to NAT statement to solve the problem.

Let's say "ip nat source static tcp 192.168.1.5 3389 A.B.C.D 3389 route-map Deny-Return-RDP".

     Unfortunately you cannot do this with Interface parameter on NAT statement.  I'm not sure about the new IOS.You may try.

HTH,

Toshi

Hi Toshi,

I am afraid I don't understand your reply.  Are your saying the above route map should be created or that it doesn't work?  If it doesn't work what is the solution?  if it does work what goes in the route map and what goes in the A.B.C.D?

Assuming the A.B.C.D is inside global then using the command...

ip nat source static tcp 192.168.1.5 3389 120.151.xx.xx 3389 ...

the only options using command completion are Extendable, no-alias, and no-payload.

Thanks Toshi

Hi,

    Sorry,I was a bit sleepy while I wrote it.    The problem is return RDP packets from 192.168.1.5 to 10.10.10.0/24 will hit this NAT, ip nat source static tcp 192.168.1.5 3389 interface Dialer0 3389.  Source-192.168.1.5 will be modified. That's why it fails.  If your wan ip address is static ip address,you can solve this problem by using commands below.

!

ip access-list extend Deny-Return-RDP

deny ip host 192.168.1.5 10.10.10.0 0.0.0.255

permit ip host 192.168.1.5 any

!

route-map Deny-Return-RDP

match ip address Deny-Return-RDP

!

ip nat source static tcp 192.168.1.5 3389 A.B.C.D 3389 route-map Deny-Return-RDP

!

   However,you have no route-map option when using interface command in NAT statement.

!

ip nat source static tcp 192.168.1.5 3389 interface Dialer0 3389 

!

HTH,

Toshi

Hi Toshi,

Thanks for the response.

The only way I can get the route-map option available is ...

ip nat inside source static tcp 192.168.1.5 3389 120.151.xx.xx 3389 route-map DenyReturnRDP

what is the diference between ip nat inside source static and ip nat source static?  can they be used interchangeably in this situation?

Hi,

  "ip nat sorce static" means you don't specify the direction in command it's actullay used when using NVI. Just try this link:

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtnatvi.html

HTH,

Toshi

Hi Toshi,

I have read that article through a few times now but can't see an explanation in there on the difference between the 2 statements.

From another forum I have had some advice to change the IPSEC tunnel to a VTI as opposed to crypto map and that has fixed my issue.  The VTI is a much more elegant solution as being able to control the routing and hence the path of the return traffic, resolves the issue.

I will keep trying to find and answer as to whether I should be using

ip nat source static tcp xx.xx.xx.xx interface dialer0

or

ip nat inside source static tcp xx.xx.xx.xx interface dialer0

to publish a service as I am stil confused about the difference

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: