Cisco Support Community

NAT blocking VPN Traffic


I have a Cisco 2921 router. I have a few IPsec site-to-site VPNs configured and a terminal server behind the 2921. The problem I am experiencing is that I also publish that terminal server to the internet. When I have a NAT set up to allow access from outside, users on my VPNs can no longer connect via RDP to that server. If I delete the NAT, then they can connect again. How can I set it up so both work?

Here is the NAT command I am using (replacing IPs with generic placeholders):

ip nat inside source static tcp <inside-ip> 3389 <outside-ip> 3389

If I have that command active, I can RDP in from outside, but VPN users cannot (they would be in the subnet). If I remove that command, my users behind the VPN can RDP fine, but obviously external users cannot.



NAT blocking VPN Traffic

I had searched a ton before posting this, and with more searching I believe I have discovered the answer. Using the following command:

ip nat inside source static udp <inside-ip> 3389 <outside-ip> 33899 route-map USR_RMAT_NAT extendable

where my route map denies the internal subnets seems to have done the trick!

Hopefully this will assist anyone else with this issue (during my searches I found several similar questions with no answer).


NAT blocking VPN Traffic

Thanks Chris for posting the solution; I was having the exact same issue. It's also worth noting that the "route-map ROUTEMAP_NAME extendable" option will be unavailable if you are referring to your outside interface as the destination host. An example would be:

ip nat inside source static tcp <inside-ip> 3389 interface GigabitEthernet0/0 33899

You'll need to use the outside interface IP address instead.
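The complete configuration that the two replies above describe, written out as an added example. This is not configuration from the original posters; the subnets, the server address, the outside address on GigabitEthernet0/0, and the ACL name are all assumed. It shows the static port forward referencing a route map whose ACL denies traffic from the server toward the VPN peer subnets (so those packets are never translated and the IPsec tunnel carries them untouched) and permits everything else (so internet clients still reach the forwarded port). Because the route-map option is not available with the "interface GigabitEthernet0/0" form, the outside address is written explicitly, as the third post notes.

```cisco
! Assumed addressing for this example:
!   inside LAN            10.0.0.0/24, terminal server 10.0.0.10
!   remote VPN subnets    192.168.10.0/24 and 192.168.20.0/24
!   outside interface     GigabitEthernet0/0, address 203.0.113.10
!
! ACL consulted by the route map. A "deny" here means "do not NAT":
! traffic from the server to the VPN subnets is left untranslated so it
! matches the crypto map and rides the tunnel. Everything else is NATed.
ip access-list extended NO_NAT_TO_VPN
 deny   ip host 10.0.0.10 192.168.10.0 0.0.0.255
 deny   ip host 10.0.0.10 192.168.20.0 0.0.0.255
 permit ip host 10.0.0.10 any
!
! Route map referenced by the static translation. Packets denied by the
! ACL do not match this clause, so no translation is built for them.
route-map USR_RMAT_NAT permit 10
 match ip address NO_NAT_TO_VPN
!
! Conditional static port forward. The outside address is written out
! explicitly because "interface GigabitEthernet0/0" does not accept the
! route-map keyword. External clients connect to 203.0.113.10:33899.
ip nat inside source static tcp 10.0.0.10 3389 203.0.113.10 33899 route-map USR_RMAT_NAT extendable
!
interface GigabitEthernet0/0
 ip address 203.0.113.10 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
```

To check the result, open an RDP session from a host in one of the VPN subnets and confirm with "show ip nat translations" that no entry is created for it, then connect from the internet to 203.0.113.10:33899 and confirm an entry mapping it to 10.0.0.10:3389 does appear. If the VPN session still fails, "debug ip nat" on the server's traffic will show whether a translation is being applied despite the deny lines.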