Static NAT issue

donnie
Level 1

Hi all,

I am using a Cisco 1841 router.

I specify a static NAT for one of my servers as below and am able to access the server from outside using Remote Desktop:

ip nat inside source static tcp 192.168.91.1 3389 1.1.1.1 3389 extendable

I also enabled remote access VPN on my Cisco 1841.

I am able to access other services on my 192.168.91.1 server after establishing my VPN connection, except TCP port 3389 (Remote Desktop).

If I remove the static NAT for port 3389 for this server, I would be able to access it on port 3389 after my VPN connection.

Why is this so? Please advise. Thanks in advance.

Below is the other config found on my 1841. Please note the first deny statement in my access-list 110 is to enable NAT exemption for traffic from my internal network to the VPN IPs (10.0.0.0/8).

access-list 100 permit tcp any host 1.1.1.1 eq 3389

interface Dialer
mtu 1492
ip address negotiated
ip access-group 100 in
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable

crypto map VPN

ip nat inside source route-map nonat interface Dialer overload

access-list 110 deny   ip 192.168.91.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 110 permit ip 192.168.91.0 0.0.0.255 any

route-map nonat permit 10
match ip address 110

1 Accepted Solution

java-1234
Level 1

Hi,


1. NAT happens before crypto

2. Static NAT takes precedence over generic NAT


See the document at
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml

Try this config. I have not tested it.

access-list 110 deny ip host 192.168.91.1 10.0.0.0 0.255.255.255
access-list 110 permit ip host 192.168.91.1 any

route-map No_NAT permit 10
match ip address 110

ip nat inside source static tcp 192.168.91.1 3389 1.1.1.1 3389 route-map No_NAT


access-list 120 deny ip 192.168.91.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 120 permit ip 192.168.91.0 0.0.0.255 any

ip nat inside source list 120 interface Dialer overload


3 Replies

Hi nassar,

My problem is resolved based on your solution. Thank you.

Glad to hear that.
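
The behaviour discussed in this thread, as an added example that is not part of any post and is not Cisco code: a simplified model of the two rules from the accepted answer (NAT runs before crypto, and the static entry wins over the overload rule), showing which source address an RDP reply carries toward a VPN client before and after the route-map is attached to the static entry. The function names, the VPN client address 10.1.1.5 and the assumption that the Dialer address is 1.1.1.1 are constructed for illustration.

```python
# Simplified model of IOS inside-to-outside processing (NAT first, then crypto).
# Constructed for illustration; ACLs here match on addresses only, not ports.
from ipaddress import ip_address, ip_network

VPN_POOL = ip_network("10.0.0.0/8")          # VPN client range from the thread
INSIDE = ip_network("192.168.91.0/24")
HOST = ip_network("192.168.91.1/32")
ANY = ip_network("0.0.0.0/0")
SERVER, PUBLIC = ip_address("192.168.91.1"), ip_address("1.1.1.1")

def acl_permits(acl, src, dst):
    """First-match ACL of (action, src_net, dst_net) with implicit deny."""
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False

def translate(src, sport, dst, static_acl, dynamic_acl):
    """Return the source address the packet carries when it reaches crypto."""
    src, dst = ip_address(src), ip_address(dst)
    # The static port entry is consulted before the dynamic (overload) rule.
    if src == SERVER and sport == 3389:
        # static_acl None models a static entry with no route-map: always applies.
        if static_acl is None or acl_permits(static_acl, src, dst):
            return PUBLIC
    if acl_permits(dynamic_acl, src, dst):
        return PUBLIC        # PAT to the Dialer address (assumed to be 1.1.1.1)
    return src               # left untranslated, so it still belongs to the VPN flow

# Original config: static entry without route-map, overload rule uses ACL 110.
ACL_110_ORIG = [("deny", INSIDE, VPN_POOL), ("permit", INSIDE, ANY)]
# Accepted answer: ACL 110 on the static entry, ACL 120 on the overload rule.
ACL_110_FIX = [("deny", HOST, VPN_POOL), ("permit", HOST, ANY)]
ACL_120 = [("deny", INSIDE, VPN_POOL), ("permit", INSIDE, ANY)]

def rdp_reply_source(fixed, client="10.1.1.5"):
    """Source address of the server's RDP reply to a VPN client."""
    if fixed:
        return str(translate("192.168.91.1", 3389, client, ACL_110_FIX, ACL_120))
    return str(translate("192.168.91.1", 3389, client, None, ACL_110_ORIG))

if __name__ == "__main__":
    print("original config:", rdp_reply_source(False))
    print("with route-map :", rdp_reply_source(True))
```

With the original config the reply leaves as 1.1.1.1, so it no longer matches the VPN client's session; with the route-map it stays 192.168.91.1, while RDP from the Internet is still translated.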
