04-29-2005 05:02 AM - edited 02-21-2020 01:44 PM
My RDP connections through VPN worked fine to my server before I added the ip nat inside source static tcp 192.168.0.6 3389 x.x.x.x 3389 extendable command to port forward external RDP connections to my server. What do I need to do so I can port forward and still RDP while on VPN? Also I tried to get to a shared folder on the server and can't do that. I can ping it however.
Thanks
no logging buffered
enable secret
enable password
!
no aaa new-model
ip subnet-zero
ip name-server 24.25.161.3
ip name-server 24.25.161.1
ip dhcp excluded-address 192.168.0.1
!
ip dhcp pool CLIENT
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 24.25.161.3 24.25.161.1
lease 0 2
!
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group
key
dns 192.168.0.6
domain nmaec.com
pool ippool
acl 108
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0
ip address 192.168.0.1 255.255.255.0
ip access-group 122 out
ip nat inside
ip tcp adjust-mss 1452
no cdp enable
hold-queue 32 in
!
interface Ethernet1
ip address x.x.x.x 255.255.255.248
ip access-group 111 in
ip nat outside
ip inspect myfw out
duplex auto
no cdp enable
crypto map clientmap
!
interface FastEthernet1
no ip address
duplex half
speed auto
!
interface FastEthernet2
no ip address
duplex half
speed auto
!
interface FastEthernet3
no ip address
duplex half
speed auto
!
interface FastEthernet4
no ip address
duplex half
speed auto
!
router rip
redistribute connected
network 24.0.0.0
network 192.168.0.0
!
ip local pool ippool 192.168.1.100 192.168.1.110
ip default-gateway y.y.y.y
ip nat inside source route-map nonat interface Ethernet1 overload
ip nat inside source static tcp 192.168.0.6 3389 x.x.x.x 3389 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 y.y.y.y
ip http server
no ip http secure-server
!
access-list 103 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 permit ip any any
access-list 108 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 permit tcp any any eq telnet
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 122 deny tcp any any eq telnet
access-list 122 permit ip any any
no cdp run
route-map nonat permit 10
match ip address 103
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
exec-timeout 120 0
login
length 0
!
scheduler max-task-time 5000
!
04-29-2005 06:12 AM
You might be able to solve this using the route-map keyword in the configuration of the static translation.
I have found a URL that describes how you can use this feature; it seems to be possible to have the translation done only for addresses matching the route map. I have never used it yet. Please let me know if it works out (or not).
Here is the URL:
Regards,
Leo
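A concrete form of the route-map approach Leo describes, added here as an illustration; it is not from the original thread, not the URL Leo mentions, and not a Cisco-supplied configuration. It uses the addressing from the original post (server 192.168.0.6, VPN pool 192.168.1.100-110, public address x.x.x.x on Ethernet1). The route-map keyword on a static tcp translation, the keyword order, and the 203.0.113.10 admin source address are assumptions to verify against the IOS release in use.

```ios
! Added example (not from the thread): make the static RDP forward apply only to
! Internet-bound traffic, so server replies to VPN clients (pool 192.168.1.0/24)
! are left untranslated and return through the tunnel.
!
! 1. ACL for the static translation: do NOT translate server traffic headed to
!    the VPN pool; translate the rest. Deliberately no "permit ip any any".
ip access-list extended RDP-NAT
 deny   ip host 192.168.0.6 192.168.1.0 0.0.0.255
 permit ip host 192.168.0.6 any
!
route-map RDP-NAT permit 10
 match ip address RDP-NAT
!
! 2. Replace the unconditional static entry with one tied to the route-map.
!    Clear active translations first; an in-use entry blocks removal.
clear ip nat translation *
no ip nat inside source static tcp 192.168.0.6 3389 x.x.x.x 3389 extendable
ip nat inside source static tcp 192.168.0.6 3389 x.x.x.x 3389 extendable route-map RDP-NAT
!
! 3. The inbound ACL on Ethernet1 (111) has no entry for outside-initiated
!    TCP/3389, and CBAC only opens holes for return traffic, so the forward is
!    unreachable from the Internet until a permit is added. The ACL is evaluated
!    before NAT, so the destination is the public address. 203.0.113.10 is a
!    placeholder (assumption) for the single admin host that should reach RDP;
!    "permit tcp any host x.x.x.x eq 3389" would expose RDP to the whole Internet.
access-list 111 permit tcp host 203.0.113.10 host x.x.x.x eq 3389
!
! 4. Verify: an RDP session from a VPN client should show no translation entry
!    for 192.168.0.6, while a session from the admin host should show the
!    x.x.x.x:3389 mapping.
show ip nat translations
show route-map RDP-NAT
```

If the route-map keyword is rejected on the static line, the fallback discussed later in the thread (a second address on the server NIC with the static translation bound to it) avoids the problem because the original address is never translated.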
03-29-2006 01:54 PM
You have to bind a second IP to your server NIC and put your NAT extendable on it.
04-01-2006 11:28 AM
I'm also trying to set up my 1811 to allow 3389 (XP Remote Assistance/Desktop), although without VPN.
I contacted Cisco and received the following recommended changes:
==========================
conf t
interface FastEthernet0
no ip nat outside
end
clear ip nat trans *
conf t
no ip nat inside source list 1 interface FastEthernet0 overload
access-list 111 deny tcp host 192.168.1.20 eq 3389 any
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
route-map NAT permit 10
match ip address 111
exit
ip nat inside source static tcp 192.168.1.20 3389 <-PublicIpAddress-> 3389 extendable
ip nat inside source route-map NAT interface FastEthernet0 overload
interface FastEthernet0
ip nat outside
exit
===================================
I also remember reading somewhere that access lists referenced by NAT should not contain permit any.
I see that difference in your config, and also that you are not blocking your static nat in your nat overload.
If 192.168.0.6 starts the connection by sending out a packet from port 3389, then ip inspect cbac should take care of the related incoming packets, but what about a session starting from the outside. Shouldn't there be an acl entry for that ?
Matthew
04-03-2006 09:27 AM
I am pretty sure this will continue to operate if you remove the 111 deny command on port 3389 (but keep the rest). This is only used if you don't want .20 to access the Internet on port 3389.
I did have this issue with VPN functionality only. Cisco told me that it was related to the NATed packet returning to the Internet instead of the VPN tunnel. So I had to bind a second address and NAT on it. The original IP was not affected, so the VPN users continue to use the original address.
Sylvain
04-04-2006 10:01 AM
bind an internal or external IP?
04-04-2006 11:26 AM
I asked cisco directly about the deny statement...
"The reason for blocking 192.168.1.20 port 3389 in ACL 111 is because of a best practice. It has been spotted that in some IOS versions the router "confuses" dynamic and static nat. It's not very common but on this case I'm using the best practice as a preventive configuration."
Even with that, I can still do 3389 from .20.
I assume the static NAT line handles only 3389, so it can be blocked out of the overload line.
Matthew
04-23-2006 04:38 AM
Change your access-list to:
access-list 103 deny ip host x.x.x.x any
access-list 103 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 permit ip any any
x.x.x.x should be the IP address of your external (Ethernet1) interface. Since this is a public address already, the router shouldn't try to translate it again.
06-21-2006 04:49 AM
dkm60thjeep, did you ever get a solution to this problem, as we have exactly the same issue?