NAT blocking VPN Traffic

Jul 9th, 2012


I have a Cisco 2921 router. I have a few IPSec site-to-site VPNs configured and a terminal server behind the 2921. The problem I am experiencing is that I also publish that terminal server to the internet. When I have a NAT set up to allow access from externally, users on my VPNs can no longer connect via RDP to that server. If I delete the NAT, then they can connect again. How can I set it up so both work?

Here is the NAT command I am using (replacing IPs with generic ones):

ip nat inside source static tcp 3389 3389

If I have that command active, I can RDP in from externally, but VPN users cannot (they would be in the subnet). If I remove that command, my users behind the VPN can RDP fine, but obviously external users cannot.


Chris Coho Mon, 07/09/2012 - 12:41

I had searched a ton before posting this, and then with more searching I believe I have discovered the answer.  Using the following command:

ip nat inside source static udp 3389 33899 route-map USR_RMAT_NAT extendable

where my route map is denying internal subnets seems to have done the trick!

Hopefully this will assist anyone else with this issue (during my searches I found several similar questions with no answer).

Logan Kampsnider Mon, 09/24/2012 - 08:08

Thanks Chris for posting the solution, I was having the exact same issue. It's also worth noting that the "route-map ROUTEMAP_NAME extendable" command will be unavailable if you are referring to your outside interface as the destination host. An example would be...

ip nat inside source static tcp 3389 interface GigabitEthernet0/0 33899

You'll need to use the outside interface IP address instead.
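The two replies above describe the fix in outline: keep the static port-forward for internet users, but attach a route-map so that traffic between the terminal server and the VPN-peer subnets is exempted from translation, and reference the outside interface's IP address rather than `interface GigabitEthernet0/0` because the interface form does not accept `route-map`. The following IOS configuration is an added, illustrative example that is not from the original thread; the route-map name USR_RMAT_NAT is taken from Chris's post, while every address, subnet, ACL name and the crypto-map name are assumptions (RFC 1918 and RFC 5737 documentation ranges) chosen to show the pattern end to end.

```cisco
! Added example, not the poster's configuration. All addresses are assumed:
!   203.0.113.5   = public IP on the outside interface (the VPN peer/NAT address)
!   10.1.1.0/24   = local LAN, 10.1.1.10 = terminal server
!   10.2.0.0/16, 10.3.0.0/16 = remote subnets reachable over the IPsec tunnels

! 1. ACL that DENIES translation towards the VPN peer subnets and PERMITS it
!    for everything else (i.e. real internet traffic). Extend the deny lines
!    with every remote subnet that appears in the crypto ACLs.
ip access-list extended NO_NAT_TO_VPN
 deny   ip 10.1.1.0 0.0.0.255 10.2.0.0 0.0.255.255
 deny   ip 10.1.1.0 0.0.0.255 10.3.0.0 0.0.255.255
 permit ip 10.1.1.0 0.0.0.255 any

! 2. Route-map referenced by the static NAT entry. A packet that is denied by
!    the ACL does not match the route-map, so no translation is built for it
!    and the VPN hosts keep talking to the server's real address 10.1.1.10.
route-map USR_RMAT_NAT permit 10
 match ip address NO_NAT_TO_VPN

! 3. Static port-forward for RDP (TCP 3389 inside, 33899 outside). The global
!    address must be the outside interface's IP written out; the
!    "interface GigabitEthernet0/0" form does not accept "route-map".
!    "extendable" lets several static entries share 203.0.113.5.
ip nat inside source static tcp 10.1.1.10 3389 203.0.113.5 33899 route-map USR_RMAT_NAT extendable

! 4. The same ACL can drive the dynamic PAT for the rest of the LAN, so that
!    ordinary hosts are also exempted from NAT when they go over the tunnels.
ip nat inside source list NO_NAT_TO_VPN interface GigabitEthernet0/0 overload

! 5. Interfaces
interface GigabitEthernet0/0
 description Outside / Internet
 ip address 203.0.113.5 255.255.255.248
 ip nat outside
 crypto map VPNMAP

interface GigabitEthernet0/1
 description Inside LAN
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
```

To check the behaviour after applying it, `show ip nat translations` should show the 203.0.113.5:33899 entry only for internet-sourced sessions, while an RDP session from a 10.2.0.0/16 host should appear as an untranslated flow in `show crypto ipsec sa` (encaps/decaps counters increasing) and not in the NAT table. Both checks are read-only show commands and do not change the configuration.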


