Cannot open RDP session through P2P tunnel - with RDP port forward active

Answered Question
Jul 24th, 2008
Hi,

I have a site-to-site VPN (Site A - 10.0.0.x, Site B - 192.168.0.x) active and also need to port forward TCP 3389 to a Terminal Services server from the outside.


I have the NAT statement:


ip nat inside source static tcp 10.0.0.78 3389 interface dialer 0 3389


on Site A and can now get in via the public (dialer 0) IP address straight to the server (10.0.0.78). I can also RDP to 10.0.0.78 from inside Site A but cannot RDP from Site B to 10.0.0.78.


I can ping 10.0.0.78 from Site B and there is no firewall currently on the machine, but it does not work.


As soon as I remove the static NAT statement, I can RDP straight in from Site B (through the tunnel) to 10.0.0.78.


Is there a way to set this up so that both remote (Internet) clients AND tunnel clients can RDP to the server?


*Note: tunnel clients can get on OK via the public IP if the static NAT is present.


Thanks in advance.

markus6152 Thu, 07/24/2008 - 22:15
Not really possible as you will be translating the source address of anything from 10.0.0.78 tcp 3389 to the interface address of dialer 0.


The best way to do this is to have 2 ip addresses on the server...


Translate one for public access and have another that isn't translated for internal access.


Correct Answer
a.alekseev Fri, 07/25/2008 - 00:47
ip nat inside source static tcp 1.1.1.1 80 2.2.2.2 80 route-map SSS
!
route-map SSS permit 10
 match ip address SSS
!
ip access-list extended SSS
 deny ip any remote-net
 permit ip any any

cco4mike1 Sun, 07/27/2008 - 04:33
Thanks very much for both of your replies.


When using the "deny ip any remote-net" command,


I'm assuming 'remote-net' is not a command but the IP range on the other side of the tunnel, i.e. 192.168.0.0 0.0.0.255?


Or the remote network's public IP address?


Regards,

os4mike

a.alekseev Sun, 07/27/2008 - 09:52
Hi, Michael


The 'remote-net' is the IP range on the other side of the tunnel.
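The accepted answer applied to the addresses from the question, as an added example that is not any poster's config: the ACL and route-map names are assumptions, as is that this IOS release accepts route-map on the interface form of the static PAT. The original statement is shown first so the two can be compared.

```cisco
! Site A router. Assumed names (not from the thread): ACL NO_NAT_TO_SITEB,
! route-map RM_NO_NAT_TO_SITEB.
!
! Before: this static PAT translates every packet 10.0.0.78:3389 sends toward
! the outside, including replies to Site B through the tunnel, so Site B's RDP
! session sees answers sourced from the Dialer0 public address and fails.
ip nat inside source static tcp 10.0.0.78 3389 interface Dialer0 3389
!
! After: same static PAT, gated by a route-map. Server traffic to the Site B
! range (the "remote-net" of the accepted answer) is denied by the ACL, so the
! route-map does not match and those packets leave untranslated over the
! site-to-site tunnel; everything else is still translated for Internet clients.
no ip nat inside source static tcp 10.0.0.78 3389 interface Dialer0 3389
!
ip access-list extended NO_NAT_TO_SITEB
 deny   ip host 10.0.0.78 192.168.0.0 0.0.0.255
 permit ip any any
!
route-map RM_NO_NAT_TO_SITEB permit 10
 match ip address NO_NAT_TO_SITEB
!
ip nat inside source static tcp 10.0.0.78 3389 interface Dialer0 3389 route-map RM_NO_NAT_TO_SITEB
!
! Check: after opening RDP from a Site B host, the translation table should
! hold no entry pairing 10.0.0.78:3389 with a 192.168.0.x peer, while a session
! from the Internet still shows the Dialer0 address as the outside global.
! show ip nat translations | include 3389
```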
