When publish a Terminal server on internet lose access through the VPN

jose cortes
Level 1

Hi Everyone,

I have two locations connected via an L2L VPN: the CA office has the segment 192.168.0.0/24 and the FL office has the segment 192.168.1.0/24. I also have an RA VPN configured at FL, and its local pool leases IPs in the segment 192.168.250.0/24.

The users at CA and those connected via the RA VPN should access the server 192.168.1.20 using RDP (3389 TCP). Everything worked fine until some other users requested access to the server using the public IP.

I configured the static PAT to publish the RDP service this way:

ip nat inside source static tcp 192.168.1.20 3389 interface loopback 0 3389

As soon as I put in this translation, the users at CA or connected via the RA VPN lost their connection to the server. They could ping it and see the shared folders, but port 3389 did not reply. On the other hand, all the requests to access the server from the internet via RDP worked.

Any suggestions on how to publish the service without losing connection through the VPNs?

Attached is the configuration of the router without the Static PAT line listed above.

Best Regards,

Jose M. Cortes H.

7 Replies

Hi Jose,

To fix this issue, please do the following:

ip access-list extended VPN_NAT_BYPASS
 permit ip 192.168.0.0 0.0.0.255 192.168.250.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 192.168.250.0 0.0.0.255
!
interface loopback 10
 ip address 1.1.1.1 255.255.255.252
 exit
!
route-map INTERNAL-ROUTE-MAP permit 10
 match ip address VPN_NAT_BYPASS
 set ip next-hop 1.1.1.2
!
interface GigabitEthernet0/0
 ip policy route-map INTERNAL-ROUTE-MAP
!

Let me know if you have any questions.

Portu.

Please rate any helpful posts

Javier, thanks for your reply,

but I'm a little confused about the loopback interface. Is this a new interface that I have to configure, or are you referring to the interface Loopback0 in my configuration?

On the other hand, after adding this route map, should I add the line:

ip nat inside source static tcp 192.168.1.20 3389 interface loopback 0 3389

Best Regards,

Jose

Jose,

Please add the new loopback 10.

Yes, once you add the route-map, please add the NAT command.

This is basically to bypass the static NAT rule.

Thanks.

Portu

Javier,

I will give the configuration that you suggested a try.

How did you find out this solution? Is there a guide somewhere? I thought of a lot of things to do it and looked for information, but I did not find anything.

Best Regards

Jose

Jose,

I do not have a link handy for this scenario.

Now, the process is simple:

The packet gets to the inside interface from an internal source headed to the VPN pool; it hits the route-map, which sends it to the loopback interface, where NAT is not enabled.

By doing this, you basically break any NAT rules for this traffic.

Give it a try and let me know.

Please rate any helpful posts

Javier,

I tested the connection that you suggested but it did not work. As soon as I apply the static translation the access to the server from the Public IP works but the access through the VPN does not.

I tried to use a different public IP address from the pool, but the problem persisted every time. It is like the PAT is happening before the global NAT, and no matter what I put in the NAT access list the translation always happens, and when the packet is checked by the crypto map its source socket no longer has the local IP but the public IP.

Any thoughts?

Jose

Hi Jose,

It is interesting; it should have worked.

Could you please attach the latest configuration (with the recommended changes)?

Also please connect with the VPN client, test the connection and attach the following outputs:

1- show crypto sessions
2- show ip nat translations
3- show route-map INTERNAL-ROUTE-MAP
4- show access-list VPN_NAT_BYPASS

Thanks

Portu.

Please rate any helpful posts.
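The symptom Jose describes (the static PAT rewriting the server's source address before the crypto map evaluates the packet) shows up directly in the `show ip nat translations` output that Portu asks for: sessions between 192.168.1.20:3389 and a peer in the CA LAN or the RA VPN pool should not be there at all. The following script is an added example, not part of this thread or of any Cisco tool; it parses a constructed sample of that output (the public address 203.0.113.10 and the peer addresses are made up for the example) and flags every RDP translation whose peer sits in a VPN-protected segment, so an operator can confirm from the router's own state whether VPN-bound traffic is being translated.

```python
import ipaddress
import re

# Constructed sample of `show ip nat translations` output (not taken from the thread).
# Columns: Pro, Inside global, Inside local, Outside local, Outside global.
SAMPLE_OUTPUT = """\
Pro Inside global         Inside local          Outside local         Outside global
tcp 203.0.113.10:3389     192.168.1.20:3389     198.51.100.7:50211    198.51.100.7:50211
tcp 203.0.113.10:3389     192.168.1.20:3389     192.168.0.55:49876    192.168.0.55:49876
tcp 203.0.113.10:3389     192.168.1.20:3389     192.168.250.12:51000  192.168.250.12:51000
--- 203.0.113.10:3389     192.168.1.20:3389     ---                   ---
icmp 203.0.113.10:1       192.168.1.30:1        8.8.8.8:1             8.8.8.8:1
"""

# Segments that must reach the server untranslated: the CA LAN (over the L2L VPN)
# and the RA VPN client pool, both taken from the thread.
VPN_DESTINATIONS = [
    ipaddress.ip_network("192.168.0.0/24"),
    ipaddress.ip_network("192.168.250.0/24"),
]

# A translation row is exactly five whitespace-separated tokens; the header line has more.
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port); ICMP rows carry an id in the port slot."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def parse_translations(text):
    """Return one dict per active translation row, skipping the header and
    static entries with no live session (outside columns shown as '---')."""
    rows = []
    for line in text.splitlines():
        match = ROW_RE.match(line.strip())
        if not match or match.group(1) == "Pro":
            continue
        proto, inside_global, inside_local, outside_local, outside_global = match.groups()
        if outside_local == "---":
            continue
        rows.append({
            "proto": proto,
            "inside_global": inside_global,
            "inside_local": inside_local,
            "outside_local": outside_local,
            "outside_global": outside_global,
        })
    return rows


def find_vpn_leaks(text, vpn_networks=VPN_DESTINATIONS, local_host="192.168.1.20", port=3389):
    """Translations of local_host:port whose peer lives in a VPN-protected segment.

    Such sessions must reach the crypto map with their private source intact, so
    every hit is evidence that the static PAT is grabbing VPN-bound traffic.
    Returns a list of (proto, inside_global, peer_host) tuples.
    """
    leaks = []
    for row in parse_translations(text):
        il_host, il_port = split_endpoint(row["inside_local"])
        if il_host != local_host or il_port != port:
            continue
        peer_host, _ = split_endpoint(row["outside_global"])
        peer = ipaddress.ip_address(peer_host)
        if any(peer in net for net in vpn_networks):
            leaks.append((row["proto"], row["inside_global"], peer_host))
    return leaks


if __name__ == "__main__":
    for proto, inside_global, peer in find_vpn_leaks(SAMPLE_OUTPUT):
        print(f"VPN peer {peer} is being served the translated address {inside_global} ({proto})")
```

Run it against the real output pasted from the router: an empty result means the server's RDP sessions with VPN peers are not being translated, while any reported row pinpoints which peer segment is still hitting the static PAT.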