979 Views | 0 Helpful | 2 Replies

NAT blocking VPN Traffic

Chris Coho
Level 1

Hello,

I have a Cisco 2921 router. I have a few IPsec site-to-site VPNs configured and a terminal server behind the 2921. The problem I am experiencing is that I also publish that terminal server to the internet. When I have a NAT set up to allow access from externally, users on my VPNs can no longer connect via RDP to that server. If I delete the NAT, then they can connect again. How can I set it up so both work?

Here is the NAT command I am using (replacing IPs with generic ones):

ip nat inside source static tcp 10.10.1.10 3389 200.200.200.200 3389

If I have that command active, I can RDP in from externally, but VPN users cannot (they would be in the 10.14.0.0 subnet). If I remove that command, my users behind the VPN can RDP fine, but obviously external users cannot.

Thoughts?

2 Replies

Chris Coho
Level 1

I had searched a ton before posting this, and then with more searching I believe I have discovered the answer.  Using the following command:

ip nat inside source static udp 10.10.1.10 3389 200.200.200.200 33899 route-map USR_RMAT_NAT extendable

where my route map denies the internal subnets, seems to have done the trick!

Hopefully this will assist anyone else with this issue (during my searches I found several similar questions with no answer).

Thanks Chris for posting the solution, I was having the exact same issue. It's also worth noting that the "route-map ROUTEMAP_NAME extendable" command will be unavailable if you are referring to your outside interface as the destination host. An example would be...

ip nat inside source static tcp 10.10.1.10 3389 interface GigabitEthernet0/0 33899

You'll need to use the outside interface IP address instead.

Logan
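The two replies above give the key command but not the route map or access list behind it. The following is an added, constructed example (not the original poster's or Logan's configuration) showing the complete pattern: an ACL that excludes traffic from the RDP host towards the VPN subnet, a route map that references it, and the conditional static NAT using the outside interface's IP address rather than the `interface` form, which Logan notes does not accept `route-map`. The reason the exemption is needed is that on IOS, inside-to-outside NAT runs before IPsec classification, so without it the server's replies to 10.14.0.0 are rewritten to 200.200.200.200 and no longer match the crypto ACL. The addresses, the /16 size of the VPN subnet (10.14.0.0 0.0.255.255), the ACL name `ACL_NO_NAT_VPN`, the interface names and the optional PAT overload line are all assumptions for illustration; the overload line goes beyond the thread and shows the same exemption applied to the general LAN NAT, which needs it for the same reason.

```cisco
! Constructed example - not the original poster's configuration.
! Assumed: 10.10.1.10 = RDP server (inside), 200.200.200.200 = outside
! interface IP, 10.14.0.0/16 = remote VPN subnet, Gi0/0 outside, Gi0/1 inside.
!
! 1. ACL used by the route map: "deny" means "do not translate".
!    Traffic from the RDP host to the VPN subnet must stay untranslated so
!    it still matches the IPsec crypto ACL; everything else from the host
!    is eligible for the static NAT.
ip access-list extended ACL_NO_NAT_VPN
 deny   ip host 10.10.1.10 10.14.0.0 0.0.255.255
 permit ip host 10.10.1.10 any
!
! 2. Route map referenced by the static NAT. A packet denied by the ACL
!    does not match sequence 10, falls off the end of the route map, and
!    is therefore not translated.
route-map USR_RMAT_NAT permit 10
 match ip address ACL_NO_NAT_VPN
!
! 3. Conditional static port forward for RDP (TCP 3389).
!    Use the outside interface's IP address here: the "interface Gi0/0"
!    form of the command does not accept the route-map keyword.
ip nat inside source static tcp 10.10.1.10 3389 200.200.200.200 3389 route-map USR_RMAT_NAT extendable
!
! 4. (Assumed, beyond the thread) the general LAN PAT needs the same
!    exemption, or ordinary LAN-to-VPN traffic gets translated as well.
ip access-list extended ACL_NAT_OVERLOAD
 deny   ip 10.10.0.0 0.0.255.255 10.14.0.0 0.0.255.255
 permit ip 10.10.0.0 0.0.255.255 any
ip nat inside source list ACL_NAT_OVERLOAD interface GigabitEthernet0/0 overload
!
! 5. NAT domain assignment on the interfaces.
interface GigabitEthernet0/0
 ip nat outside
interface GigabitEthernet0/1
 ip nat inside
!
! 6. Checks after applying: the RDP host's sessions to 10.14.x.x should
!    not appear as translations, while sessions from the internet to
!    200.200.200.200:3389 should.
! show ip nat translations | include 3389
! show route-map USR_RMAT_NAT
! show crypto ipsec sa | include pkts
```

When verifying, clear any stale entries with `clear ip nat translation *` before re-testing an RDP session from the VPN side; an existing translation created before the route map was attached will keep breaking that session until it ages out.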
