Cannot open RDP session through P2P tunnel - with RDP port forward active

cco4mike1
Level 1

Hi,

I have a site-to-site VPN (Site A - 10.0.0.x, Site B - 192.168.0.x) active and also have a requirement for port forwarding TCP 3389 to a Terminal Services server from the outside.

I have the NAT statement

ip nat inside source static tcp 10.0.0.78 3389 interface dialer 0 3389

on Site A and can now get in via the public (dialer 0) IP address straight to the server (10.0.0.78). I can also RDP to 10.0.0.78 from inside Site A, but cannot RDP from Site B to 10.0.0.78.

I can ping 10.0.0.78 from Site B and there is no firewall currently on the machine, but it does not work.

As soon as I remove the static NAT statement, I can RDP straight in from Site B (through the tunnel) to 10.0.0.78.

Is there a way to set this up so both remote (Internet) clients AND tunnel clients can RDP to the server?

*Note: tunnel clients can get on OK via the public IP if the static NAT is present.

thanks in advance.

1 Accepted Solution

a.alekseev
Level 7

ip nat inside source static tcp 1.1.1.1 80 2.2.2.2 80 route-map SSS
!
route-map SSS permit 10
 match ip address SSS
!
ip access-list extended SSS
 deny ip any remote-net
 permit ip any any


5 Replies

markus6152
Level 1

Not really possible, as you will be translating the source address of anything from 10.0.0.78 TCP 3389 to the interface address of dialer 0.

The best way to do this is to have two IP addresses on the server...

Translate one for public access and have another that isn't translated for internal access.


Thanks very much for both of your replies.

When using the "deny ip any remote-net" command,

I'm assuming 'remote-net' is not a command but the IP range on the other side of the tunnel? i.e. 192.168.0.0 0.0.0.255?

Or the remote network's public IP address?

regards,

os4mike

Hi, Michael

The 'remote-net' is the IP range on the other side of the tunnel.
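The accepted solution applied to the original poster's topology, as an added example that is not configuration posted in this thread. It assumes the values given above (Site A LAN 10.0.0.0/24, Site B LAN 192.168.0.0/24, RDP host 10.0.0.78, outside interface Dialer0); the ACL and route-map names are placeholders, and it assumes IOS accepts the `route-map` keyword on the `interface`-style static NAT entry the same way the accepted answer shows it with a fixed global address. The reason the unconditional static NAT breaks the tunnel is that the server's replies leave with their source rewritten to the Dialer0 address, so they no longer match the VPN's interesting-traffic ACL and are sent unencrypted towards 192.168.0.x; the route-map keeps packets destined for Site B out of the translation.

```cisco
! Added example (not from the thread). Assumed values: Site A 10.0.0.0/24,
! Site B 192.168.0.0/24, RDP host 10.0.0.78, outside interface Dialer0.
! ACL and route-map names are placeholders.
!
! Traffic headed for the far side of the tunnel must keep its real source
! address so the crypto map still matches it. A "deny" in the NAT route-map
! ACL means "do not translate", so Site B is exempted and everything else
! (Internet clients reaching the Dialer0 address) is still translated.
ip access-list extended NO-NAT-TO-SITEB
 deny   ip any 192.168.0.0 0.0.0.255
 permit ip any any
!
route-map RDP-NAT permit 10
 match ip address NO-NAT-TO-SITEB
!
! Replace the unconditional translation with the route-map-qualified one.
no ip nat inside source static tcp 10.0.0.78 3389 interface Dialer0 3389
ip nat inside source static tcp 10.0.0.78 3389 interface Dialer0 3389 route-map RDP-NAT
!
! Verification:
!   show ip nat translations   - a 10.0.0.78:3389 entry appears for Internet
!                                clients, none for sessions from 192.168.0.x
!   show crypto ipsec sa       - encaps/decaps counters increase for RDP
!                                sessions initiated from Site B
```

The ACL is written from the inside-to-outside perspective: it is evaluated on packets leaving 10.0.0.78, which is exactly the direction where the unwanted source rewrite happened. Keep the permit on the `interface Dialer0` form rather than a hard-coded address if the dialer obtains its IP dynamically, as in the original NAT statement.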

Thanks very much, this worked a treat!