
NAT blocking VPN Traffic

Chris Coho


I have a Cisco 2921 router. I have a few IPsec site-to-site VPNs configured and a terminal server behind the 2921. The problem I am experiencing is that I also publish that terminal server to the internet. When I have a NAT set up to allow access from externally, users on my VPNs can no longer connect via RDP to that server. If I delete the NAT, then they can connect again. How can I set it up so both work?

Here is the NAT command I am using (replacing IPs with generic):

ip nat inside source static tcp 3389 3389

If I have that command active, I can RDP in from externally, but VPN users cannot (they would be in the subnet). If I remove that command, my users behind the VPN can RDP fine, but obviously external users cannot.


2 Replies

Chris Coho

I had searched a ton before posting this, and then with more searching I believe I have discovered the answer.  Using the following command:

ip nat inside source static udp 3389 33899 route-map USR_RMAT_NAT extendable

where my route map is denying internal subnets seems to have done the trick!

Hopefully this will assist anyone else with this issue (during my searches I found several similar questions with no answer).

Thanks Chris for posting the solution, I was having the exact same issue. It's also worth noting that the "route-map ROUTEMAP_NAME extendable" command will be unavailable if you are referring to your outside interface as the destination host. An example would be...

ip nat inside source static tcp 3389 interface GigabitEthernet0/0 33899

You'll need to use the outside interface IP address instead.
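Putting the two replies together, here is an added example of the complete configuration the thread describes (this is not either poster's config; all addresses, names and the VPN subnet are placeholders I chose). The route-map exempts server-to-VPN-subnet traffic from the static translation, so those flows keep their real addresses and go through the IPsec tunnel, while internet-bound flows are still translated; the static uses an explicit outside IP rather than the `interface` keyword, which is why `route-map ... extendable` is accepted.

```cisco
! Placeholder addressing (assumed, not from the thread):
!   terminal server  = 10.1.1.10  (inside)
!   remote VPN site  = 10.2.0.0/16
!   public address   = 203.0.113.10 (address of the outside interface)
!
! Deny = do NOT translate; permit = translate.
! The deny line must list the same remote subnets as the crypto ACL,
! otherwise RDP replies to VPN users get rewritten and never enter the tunnel.
ip access-list extended RDP_NAT_EXEMPT
 deny   ip host 10.1.1.10 10.2.0.0 0.0.255.255
 permit ip host 10.1.1.10 any
!
route-map USR_RMAT_NAT permit 10
 match ip address RDP_NAT_EXEMPT
!
! Static port forward for RDP, only applied when the route-map permits.
! Uses the outside interface's IP, not "interface GigabitEthernet0/0",
! because the route-map option is not available with the interface form.
ip nat inside source static tcp 10.1.1.10 3389 203.0.113.10 3389 route-map USR_RMAT_NAT extendable
!
! Verification after the change (assumed commands for checking the result):
!   show ip nat translations      -> only internet peers should appear for 10.1.1.10:3389
!   show crypto ipsec sa          -> encaps/decaps counters rising for the 10.2.0.0/16 SA
```

A quick check: once the route-map is in place, an RDP session from the remote site should show up in `show crypto ipsec sa` packet counters and not as an entry in `show ip nat translations`.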

