10-26-2010 07:55 PM - edited 03-06-2019 01:45 PM
Hi all,
I am using a Cisco 1841 router.
I specify a static NAT for one of my servers as below and am able to access the below server externally using remote desktop:
ip nat inside source static tcp 192.168.91.1 3389 1.1.1.1 3389 extendable
I also enabled remote access VPN on my Cisco 1841.
I am able to access other services on my 192.168.91.1 server after establishing my VPN connection, except TCP port 3389 (remote desktop).
If I remove the static NAT for port 3389 for this server, I would be able to access it at port 3389 after my VPN connection.
Why is this so? Please advise. Thanks in advance.
Below is the other config found in my 1841. Please note the first deny statement in my access list 110 is to enable NAT exemption for traffic from my internal network to the VPN IPs (10.0.0.0/8).
access-list 100 permit tcp any host 1.1.1.1 eq 3389
interface Dialer
 mtu 1492
 ip address negotiated
 ip access-group 100 in
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 no cdp enable
 crypto map VPN
ip nat inside source route-map nonat interface Dialer overload
access-list 110 deny ip 192.168.91.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 110 permit ip 192.168.91.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 110
10-27-2010 08:47 AM
Hi,
1. NAT happens before crypto
2. Static NAT takes precedence over generic NAT
See the document at
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml
Try this config. I have not tested it.
access-list 110 deny ip host 192.168.91.1 10.0.0.0 0.255.255.255
access-list 110 permit ip host 192.168.91.1 any
route-map No_NAT permit 10
 match ip address 110
ip nat inside source static tcp 192.168.91.1 3389 1.1.1.1 3389 route-map No_NAT
access-list 120 deny ip 192.168.91.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 120 permit ip 192.168.91.0 0.0.0.255 any
ip nat inside source list 120 interface Dialer overload
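The two points in the answer above (NAT happens before crypto, static NAT beats the dynamic rule) can be traced with a small model. This is an added example, not part of the thread and not IOS code: a simplified Python model of the egress path for packets leaving the server. The crypto ACL and the Dialer address are assumptions, since the thread shows neither.

```python
from ipaddress import ip_address, ip_network

# Simplified model of inside-to-outside processing: NAT first, then crypto.
ANY = ip_network("0.0.0.0/0")
VPN_POOL = ip_network("10.0.0.0/8")       # VPN client range (from the thread)
INSIDE = ip_network("192.168.91.0/24")    # inside LAN (from the thread)
HOST = ip_network("192.168.91.1/32")
SERVER, PUBLIC = ip_address("192.168.91.1"), ip_address("1.1.1.1")
DIALER_IP = ip_address("203.0.113.10")    # constructed stand-in for the negotiated address

# ACLs as (action, source network, destination network), first match wins.
ACL_STATIC_RM = [("deny", HOST, VPN_POOL), ("permit", HOST, ANY)]     # ACL 110 in the answer
ACL_OVERLOAD = [("deny", INSIDE, VPN_POOL), ("permit", INSIDE, ANY)]  # NAT exemption for overload
ACL_CRYPTO = [("permit", INSIDE, VPN_POOL)]  # assumed crypto ACL, not shown in the thread

def acl_permits(acl, src, dst):
    """First-match evaluation with the implicit deny at the end."""
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False

def egress(src, sport, dst, static_route_map=None):
    """Return (source address after NAT, True if the crypto map encrypts)."""
    src, dst = ip_address(src), ip_address(dst)
    out = src
    # The static port entry is consulted before the dynamic overload rule.
    # Without a route-map it is unconditional; with one, the ACL must permit.
    if src == SERVER and sport == 3389 and (
            static_route_map is None or acl_permits(static_route_map, src, dst)):
        out = PUBLIC
    elif acl_permits(ACL_OVERLOAD, src, dst):
        out = DIALER_IP
    # Crypto sees the packet after NAT, so it matches on the translated source.
    return str(out), acl_permits(ACL_CRYPTO, out, dst)

if __name__ == "__main__":
    vpn_client, internet = "10.1.1.5", "198.51.100.7"  # constructed sample peers
    print("RDP reply to VPN, plain static :", egress("192.168.91.1", 3389, vpn_client))
    print("SMB reply to VPN, plain static :", egress("192.168.91.1", 445, vpn_client))
    print("RDP reply to VPN, with route-map:", egress("192.168.91.1", 3389, vpn_client, ACL_STATIC_RM))
    print("RDP reply to Internet, route-map:", egress("192.168.91.1", 3389, internet, ACL_STATIC_RM))
```

With the plain static entry, the RDP reply leaves with source 1.1.1.1 and no longer matches the crypto ACL, which is the symptom in the question; the route-map keeps the reply untranslated for VPN destinations while Internet clients still get the static translation.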
10-27-2010 11:08 PM
Hi nassar,
My problem is resolved based on your solution. Thank you.
10-28-2010 07:52 AM
Glad to hear that.