Cisco Support Community
New Member

Site-to-Site VPN with NAT and Port Forwarding on an 871

Hi,

Could someone please look at the attached 871 router config and tell me where I am going wrong!

The VPNs all work, port forwarding works BUT anyone who tries to connect to a forwarded port across the VPN fails.

In the attached config, port 3389 (RDP) is being forwarded to an internal server. If you connect to the external interface from the internet, the connection is made and works OK, but if someone tries to connect to the internal IP of that same server across the VPN, it does not work.

We have added commands to stop NAT working on the VPN lines but these do not appear to be working.

What am I missing?

Thank you in advance, and I will vote on all helpful answers.

1 ACCEPTED SOLUTION

Cisco Employee

Re: Site-to-Site VPN with NAT and Port Forwarding on an 871

This is a common problem. Yes, you've added commands to stop NAT from working over the tunnel, but your NAT port static for port 3389 takes precedence over the generic NAT command, and it does not have any commands on it to stop it being NATed over the tunnel.

I wrote up a sample config for this a while back, see here for details:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml

Hopefully it explains everything. Note that it is for a general host static command, not a port static like you have, but the concept is exactly the same. Simply add a route-map statement onto the end of your port static command, and that route-map will reference an ACL that denies it from being used when going back over the tunnel.
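Worked IOS configuration for the fix the accepted answer describes. This is an added example, not the poster's attached config (which is not shown on this page) and not the linked Cisco document; the addresses, the interface name and the ACL and route-map names are assumptions, and the broken entry is kept commented out beside the corrected one so the difference is visible.

```cisco
! Added example, not the poster's attached config. Assumed addressing:
!   inside LAN            192.168.1.0/24   (RDP server 192.168.1.10)
!   remote VPN peer LAN   192.168.2.0/24
!   outside interface     FastEthernet4, public address 203.0.113.5
!
! Crypto ACL: what gets encrypted into the tunnel (inside LAN <-> remote LAN).
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! Dynamic PAT for internet traffic. The deny line is the usual "no NAT over
! the tunnel" exemption, which is the kind of command the poster already had.
! It only protects traffic that is translated by THIS rule.
ip access-list extended NAT-INTERNET
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list NAT-INTERNET interface FastEthernet4 overload
!
! BROKEN: a bare static port forward. The static entry wins over the dynamic
! list, so the server's RDP replies towards 192.168.2.x are still translated
! to 203.0.113.5:3389, no longer match VPN-TRAFFIC, and the session over the
! tunnel never completes. Kept here commented out for comparison.
!   ip nat inside source static tcp 192.168.1.10 3389 203.0.113.5 3389 extendable
!
! FIXED: the same entry, gated by a route-map whose ACL denies the remote LAN.
! A route-map "permit" whose ACL does not permit the packet means "do not
! translate". Add one deny line per remote VPN LAN if there are several peers.
ip access-list extended RDP-NAT-EXEMPT
 deny   ip host 192.168.1.10 192.168.2.0 0.0.0.255
 permit ip host 192.168.1.10 any
!
route-map RDP-NO-NAT-VPN permit 10
 match ip address RDP-NAT-EXEMPT
!
! "extendable" lets several static entries share one global address, as they
! do when that address is also the interface's own; keyword order follows the
! ip nat inside source static command reference.
ip nat inside source static tcp 192.168.1.10 3389 203.0.113.5 3389 extendable route-map RDP-NO-NAT-VPN
!
! After changing NAT config, flush stale translations and verify both paths:
!   clear ip nat translation *
!   show ip nat translations     (no entries for 192.168.1.10:3389 towards 192.168.2.x)
!   show crypto ipsec sa         (encaps/decaps counters climb during an RDP test
!                                 from the remote LAN)
!   then re-test RDP to 203.0.113.5 from the internet, since the static entry
!   now only translates when the route-map matches
```

The deny in RDP-NAT-EXEMPT has to cover exactly the same remote networks as the crypto ACL; any remote LAN that is in VPN-TRAFFIC but not denied here will still be translated for port 3389 and will show the original symptom.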

2 REPLIES
New Member

Re: Site-to-Site VPN with NAT and Port Forwarding on an 871

That fixed it!

You are a star =:)

Thank you.
