Cannot open RDP session through P2P tunnel - with RDP port forward active

Answered Question
Jul 24th, 2008

Hi,

I have a site-to-site VPN (Site A - 10.0.0.x, Site B - 192.168.0.x) active and also need to port-forward TCP 3389 to a Terminal Services server from the outside.

I have the nat statement-

ip nat inside source static tcp 10.0.0.78 3389 interface dialer 0 3389

on Site A and can now get in via the public (dialer 0) IP address straight to the server (10.0.0.78). I can also RDP to 10.0.0.78 from inside Site A, but cannot RDP from Site B to 10.0.0.78.

I can ping 10.0.0.78 from Site B and there is no firewall currently on the machine, but it does not work.

As soon as I remove the static NAT statement, I can RDP straight in from Site B (through the tunnel) to 10.0.0.78.

Is there a way to set this up so that both remote (Internet) clients AND tunnel clients can RDP to the server?

*Note: tunnel clients can get on OK via the public IP if the static NAT is present.

Thanks in advance.

markus6152 Thu, 07/24/2008 - 22:15

Not really possible, as you will be translating the source address of anything from 10.0.0.78 TCP 3389 to the interface address of dialer 0.

The best way to do this is to have two IP addresses on the server...

Translate one for public access and have another that isn't translated for internal access.

Correct Answer
a.alekseev Fri, 07/25/2008 - 00:47

ip nat inside source static tcp 1.1.1.1 80 2.2.2.2 80 route-map SSS
!
route-map SSS permit 10
 match ip address SSS
!
ip access-list ext SSS
 deny ip any remote-net
 permit ip any any

cco4mike1 Sun, 07/27/2008 - 04:33

Thanks very much for both of your replies.

When using the "deny ip any remote-net" command,

I'm assuming 'remote-net' is not a command but the IP range on the other side of the tunnel? i.e. 192.168.0.0 0.0.0.255?

Or the remote network's public IP address?

Regards,

os4mike

a.alekseev Sun, 07/27/2008 - 09:52

Hi, Michael,

the 'remote-net' is the IP range on the other side of the tunnel.
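Putting the accepted answer together with the addresses from the original question, as an added example (not posted by anyone in this thread): the static translation for TCP 3389 is bound to a route-map whose ACL exempts traffic from Site A to Site B (192.168.0.0/24) from NAT, so RDP replies through the tunnel keep the real 10.0.0.78 address while Internet clients still reach the server via the dialer 0 address. The interface name Dialer0, the route-map/ACL name NO-NAT-VPN, and the assumption that this IOS version accepts `route-map` on the `interface` form of the static command are mine, not from the thread.

```cisco
! Site A router (assumed names; Dialer0 is the OP's "interface dialer 0").
!
! Before: unconditional static PAT. It also rewrites the source of
! 10.0.0.78:3389 replies headed for Site B, so tunnel clients see the
! Dialer0 address instead of 10.0.0.78 and the RDP session never completes.
ip nat inside source static tcp 10.0.0.78 3389 interface Dialer0 3389
!
! After: the same translation, applied only when route-map NO-NAT-VPN permits.
! The ACL is evaluated on the inside (pre-NAT) addresses:
!   deny   = do NOT translate (traffic for the other side of the tunnel)
!   permit = translate (everything else, i.e. Internet clients)
ip access-list extended NO-NAT-VPN
 deny   ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip any any
!
route-map NO-NAT-VPN permit 10
 match ip address NO-NAT-VPN
!
ip nat inside source static tcp 10.0.0.78 3389 interface Dialer0 3389 route-map NO-NAT-VPN
!
! Checks after applying it:
!   clear ip nat translation *        (drop stale entries from the old rule)
!   show ip nat translations | include 3389
! A session from 192.168.0.x should now show no entry with the Dialer0
! address as its global address; only Internet-sourced sessions should.
```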
