Port forwarding 3389 to my server messed up my VPN

dkm60thjeep
Level 1

My RDP connections through VPN worked fine to my server before I added the ip nat inside source static tcp 192.168.0.6 3389 x.x.x.x 3389 extendable command to port forward external RDP connections to my server. What do I need to do so I can port forward and still RDP while on VPN? Also I tried to get to a shared folder on the server and can't do that. I can ping it, however.

Thanks

no logging buffered
enable secret
enable password
!
no aaa new-model
ip subnet-zero
ip name-server 24.25.161.3
ip name-server 24.25.161.1
ip dhcp excluded-address 192.168.0.1
!
ip dhcp pool CLIENT
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1
 dns-server 24.25.161.3 24.25.161.1
 lease 0 2
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group
 key
 dns 192.168.0.6
 domain nmaec.com
 pool ippool
 acl 108
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface Ethernet0
 ip address 192.168.0.1 255.255.255.0
 ip access-group 122 out
 ip nat inside
 ip tcp adjust-mss 1452
 no cdp enable
 hold-queue 32 in
!
interface Ethernet1
 ip address x.x.x.x 255.255.255.248
 ip access-group 111 in
 ip nat outside
 ip inspect myfw out
 duplex auto
 no cdp enable
 crypto map clientmap
!
interface FastEthernet1
 no ip address
 duplex half
 speed auto
!
interface FastEthernet2
 no ip address
 duplex half
 speed auto
!
interface FastEthernet3
 no ip address
 duplex half
 speed auto
!
interface FastEthernet4
 no ip address
 duplex half
 speed auto
!
router rip
 redistribute connected
 network 24.0.0.0
 network 192.168.0.0
!
ip local pool ippool 192.168.1.100 192.168.1.110
ip default-gateway y.y.y.y
ip nat inside source route-map nonat interface Ethernet1 overload
ip nat inside source static tcp 192.168.0.6 3389 x.x.x.x 3389 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 y.y.y.y
ip http server
no ip http secure-server
!
access-list 103 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 permit ip any any
access-list 108 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 permit tcp any any eq telnet
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 122 deny tcp any any eq telnet
access-list 122 permit ip any any
no cdp run
route-map nonat permit 10
 match ip address 103
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 exec-timeout 120 0
 login
 length 0
!
scheduler max-task-time 5000
!

8 Replies

lgijssel
Level 9

You might be able to solve this using the route-map keyword in the configuration of the static translation.

I have found a URL that describes how you can use this feature; it seems to be possible to have the translation done only for addresses matching the route map. I have never used it yet. Please let me know if it works out (or not).

Here is the URL:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087bac.html#52760

Regards,

Leo

infocis
Level 1

You have to bind a second IP to your server NIC and put your nat extendable on it.

tebbens
Level 1

I'm also trying to setup my 1811 to allow 3389 (xp remote assistance/desktop), although without VPN.

I contacted Cisco, and received the following recommended changes:

==========================
conf t
 interface FastEthernet0
  no ip nat outside
end
clear ip nat trans *
conf t
 no ip nat inside source list 1 interface FastEthernet0 overload
 access-list 111 deny tcp host 192.168.1.20 eq 3389 any
 access-list 111 permit ip 192.168.1.0 0.0.0.255 any
 route-map NAT permit 10
  match ip address 111
 exit
 ! static port translation needs the tcp keyword; extendable belongs on the same line
 ip nat inside source static tcp 192.168.1.20 3389 <-PublicIpAddress-> 3389 extendable
 ip nat inside source route-map NAT interface FastEthernet0 overload
 interface FastEthernet0
  ip nat outside
 exit
===================================

I also remember reading somewhere that access lists referenced by NAT should not contain permit any.

I see that difference in your config, and also that you are not blocking your static nat in your nat overload.

If 192.168.0.6 starts the connection by sending out a packet from port 3389, then ip inspect cbac should take care of the related incoming packets, but what about a session starting from the outside. Shouldn't there be an acl entry for that ?

Matthew

I am pretty sure this will continue to operate if you remove the 111 deny command on port 3389 (but keep the rest). This is only used if you don't want .20 to access the Internet with port 3389.

I did have this issue with VPN functionality only. Cisco told me that it was related to the NATed packet returning to the Internet instead of the VPN tunnel. So I had to bind a second address and NAT on it. The original IP was not affected, so the VPN users continue to utilize the original address.

Sylvain

bind an internal or external IP?

I asked cisco directly about the deny statement...

"The reason for blocking 192.168.1.20 port 3389 in ACL 111 is because of a best practice. It has been spotted that in some IOS versions the router "confuses" dynamic and static nat. It's not very common but on this case I'm using the best practice as a preventive configuration."

Even with that, I can still do 3389 from .20.

I assume the static NAT line handles only 3389, so it can be blocked out of the overload line.

Matthew
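For reference, this is what lgijssel's route-map suggestion, combined with the pattern in the Cisco-recommended changes quoted by tebbens, would look like applied to the original config: the static RDP translation is made conditional so that server traffic toward the VPN client pool (192.168.1.0/24) is left untranslated and stays in the tunnel, while Internet-side traffic is still forwarded. This is an added example, not from the thread or from Cisco; the ACL number 104, the route-map name NAT-STATIC and the exact keyword order of the static command are assumptions to verify on your IOS release.

```cisco
! Added example (not from the thread). ACL 104 and route-map NAT-STATIC are assumed names.
! Inside-to-outside packets leaving the server's RDP port are checked against ACL 104:
! deny = do not translate (VPN clients), permit = translate to x.x.x.x (Internet).
conf t
 access-list 104 deny   tcp host 192.168.0.6 eq 3389 192.168.1.0 0.0.0.255
 access-list 104 permit tcp host 192.168.0.6 eq 3389 any
 route-map NAT-STATIC permit 10
  match ip address 104
 exit
 ! Remove the unconditional static entry before adding the conditional one.
 no ip nat inside source static tcp 192.168.0.6 3389 x.x.x.x 3389 extendable
end
! Flush translations built under the old mapping so they do not linger.
clear ip nat translation *
conf t
 ip nat inside source static tcp 192.168.0.6 3389 x.x.x.x 3389 route-map NAT-STATIC extendable
end
! Checks: an RDP session from a VPN client (192.168.1.100-110) should not show up with
! x.x.x.x as the global address, while a session from the Internet to x.x.x.x:3389 should.
show ip nat translations verbose
show route-map NAT-STATIC
```

The ACL 103 used by the nonat route-map already keeps the VPN pool out of the overload translation; ACL 104 does the same for the static one.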

r.vdoever
Level 1

Change your access-list to:

access-list 103 deny ip host x.x.x.x any

access-list 103 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 103 permit ip any any

x.x.x.x should be the IP address of your external (Ethernet1) interface. Since this is a public address already, the router shouldn't try to translate it again.

MarkDonne
Level 1

dkm60thjeep, did you ever get a solution to this problem, as we have exactly the same issue?
