Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
630
Views
0
Helpful
2
Replies

NAT blocking VPN Traffic

Chris Coho
Beginner
Beginner

‎07-09-2012 11:28 AM - edited ‎03-07-2019 07:40 AM

Hello,

     I have a Cisco 2921 router.  I have a few IPSec site to site VPN's configured and a terminal server behind the 2921.  The problem I am experiencing is I also publish that terminal server to the internet.  When I have a NAT setup to allow access from externally, users on my VPNs can no longer connect via RDP to that server.  If I delete the NAT, then they can connect again.  How can I set it up so both work?

Here is the NAT command I am using (replacing IP's with generic):

ip nat inside source static tcp 10.10.1.10 3389 200.200.200.200 3389

If I have that command active, I can RDP in from externally, but VPN users cannot (they would be in the 10.14.0.0 subnet). If I remove that command, my users behind the VPN can RDP fine, but obviously external users cannot.

Thoughts?

Labels:
0 Helpful
2 Replies 2

Chris Coho
Beginner
Beginner

‎07-09-2012 12:41 PM

I had searched a ton before posting this, and then with more searching I believe I have discovered the answer.  Using the following command:

ip nat inside source static udp 10.10.1.10 3389 200.200.200.200 33899 route-map USR_RMAT_NAT extendable

where my route map is denying internal subnets seems to have done the trick!

Hopefully this will assist anyone else with this issue (during my searches I found several similar questions with no answer).

0 Helpful

Logan Kampsnider
Beginner
Beginner
In response to Chris Coho

‎09-24-2012 08:08 AM

Thanks Chris for posting the solution, I was having the exact same issue. It's also worth noting that the "route-map ROUTEMAP_NAME extendable" command will be unavailable if you are referring to your outside interface as the destination host. An example would be...

ip nat inside source static tcp 10.10.1.10 3389 interface GigabitEthernet0/0 33899

You'll need to use the outside interface IP address instead.

Logan

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents