09-11-2006 05:05 AM - edited 03-03-2019 01:57 PM
I have a problem which I have seen on several posts and also this article.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml
When I configure this as explained I am able to RDP from both external and via the VPN tunnel, but I lose internet access from the server I am RDPing to.
Below are the relevant sections of my config. I am on network 192.100.150.0/24 and remote is 192.168.0.0/24
ip nat inside source route-map InsideNAT interface FastEthernet4 overload
ip nat inside source static tcp 192.168.0.10 3389 217.37.253.100 3389 extendable
route-map AllowRDP permit 10
match ip address 150
!
route-map InsideNAT permit 10
match ip address 100
access-list 150 deny tcp host 192.168.0.10 eq 3389 192.100.150.0 0.0.0.255 eq 3389
access-list 150 permit ip host 192.168.0.10 any
access-list 100 remark SDM_ACL Category=18
access-list 100 remark IPSec Rule
access-list 100 deny ip 192.168.0.0 0.0.0.255 192.100.150.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
What I tried was...
ip nat inside source static tcp 192.168.0.10 3389 217.37.253.100 3389 route-map AllowRDP extendable
instead of the above, as I understand static NAT to take precedence.
I don't understand why I can't access the internet from the machine I am RDPing to. Without the route-map AllowRDP it works great.
09-12-2006 02:39 PM
Bob,
I believe I know what the problem is.
When you don't use the route-map, the static NAT only checks for packets with source port 3389 and translates them to the external IP. Other ports fall under the InsideNAT route-map.
When you use the route-map AllowRDP, you are matching all IP packets from 192.168.0.10 to any host and then you are trying to NAT them within the static NAT statement, which allows only port 3389.
For this to work with the route-map, you need to do the following:
Either do a static nat with all ports included
or
have this command in acl 150
access-list 150 deny tcp host 192.168.0.10 eq 3389 192.100.150.0 0.0.0.255 eq 3389
access-list 150 permit tcp host 192.168.0.10 eq 3389 any
The rest of the packets will match ACL 100.
______
Please rate helpful posts.
Thanks
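As an added example (not from the original thread), here is the same configuration with the broken route-map ACL next to the corrected one, plus the commands to confirm which rule a packet hits. Addresses, ACL numbers, route-map names and interfaces are the ones that appear in the posts; the `ip nat inside`/`ip nat outside` placement and the interface addresses are assumed, and the IPsec crypto map on FastEthernet4 is not shown. The corrected deny line matches only on the server's source port, not on a destination port of 3389, because the VPN client connects from an ephemeral port, so the RDP replies the deny has to catch carry that ephemeral port as their destination.

```cisco
! Added example, not the thread's own config. Interface addresses are assumed.
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
interface FastEthernet4
 ip address 217.37.253.100 255.255.255.252
 ip nat outside
!
! --- Broken (as posted): the route-map matches every packet from .10, so IOS
!     hands all of .10's traffic to the static entry, which can only translate
!     TCP/3389. Web traffic from .10 is never translated and no entry shows up
!     in "show ip nat translations", which is what the thread's debug showed.
access-list 150 deny   tcp host 192.168.0.10 eq 3389 192.100.150.0 0.0.0.255 eq 3389
access-list 150 permit ip  host 192.168.0.10 any
!
! --- Fixed: only RDP replies (source port 3389) go to the static entry.
!     The deny keeps replies to the VPN subnet untranslated so they enter the
!     tunnel with their real source address. Everything else from .10 falls
!     through to the InsideNAT overload rule.
no access-list 150
access-list 150 deny   tcp host 192.168.0.10 eq 3389 192.100.150.0 0.0.0.255
access-list 150 permit tcp host 192.168.0.10 eq 3389 any
!
route-map AllowRDP permit 10
 match ip address 150
!
! Dynamic PAT for the rest of the LAN, excluding the VPN subnet
access-list 100 deny   ip 192.168.0.0 0.0.0.255 192.100.150.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
route-map InsideNAT permit 10
 match ip address 100
!
ip nat inside source route-map InsideNAT interface FastEthernet4 overload
ip nat inside source static tcp 192.168.0.10 3389 217.37.253.100 3389 route-map AllowRDP extendable
!
! Verification (exec mode), after the ACL change:
!   clear ip nat translation *    flush entries created under the old ACL
!   show ip nat translations      expect 217.37.253.100:3389 <-> 192.168.0.10:3389
!                                 plus 217.37.253.100:<port> entries for .10's web traffic
!   show access-lists 150         hit counters show which line each flow matched
!   debug ip nat detailed         prints the rule used for each translated packet
```

The point of the split is that IOS consults static entries before the dynamic overload rule, so anything the route-map permits must be something the static entry can actually translate; restricting ACL 150 to source port 3389 is what lets the rest of .10's traffic reach the overload rule.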
09-11-2006 05:56 AM
Can you post a debug from that route-map ?
09-11-2006 06:15 AM
How do I get that output? Thanks
09-11-2006 06:33 AM
#debug ip packet 150 detail
09-11-2006 07:28 AM
I get this from term mon with debug on with the static translation with route-map AllowRDP appended to the end (no internet when this is on)
*Mar 14 01:33:26.254: IP: s=192.168.0.10 (local), d=66.249.93.147 (FastEthernet4), len 40, sending
*Mar 14 01:33:26.254: TCP src=2290, dst=80, seq=3048191981, ack=0, win=0 RST
*Mar 14 01:33:31.366: IP: tableid=0, s=192.168.0.10 (Vlan1), d=192.168.0.255 (Vlan1), routed via RIB
*Mar 14 01:33:31.366: IP: s=192.168.0.10 (Vlan1), d=192.168.0.255 (Vlan1), len 78, rcvd 3
*Mar 14 01:33:31.366: UDP src=137, dst=137
*Mar 14 01:33:32.118: IP: tableid=0, s=192.168.0.10 (Vlan1), d=192.168.0.255 (Vlan1), routed via RIB
*Mar 14 01:33:32.118: IP: s=192.168.0.10 (Vlan1), d=192.168.0.255 (Vlan1), len 78, rcvd 3
*Mar 14 01:33:32.118: UDP src=137, dst=137
*Mar 14 01:33:32.866: IP: tableid=0, s=192.168.0.10 (Vlan1), d=192.168.0.255 (Vlan1), routed via RIB
*Mar 14 01:33:32.866: IP: s=192.168.0.10 (Vlan1), d=192.168.0.255 (Vlan1), len 78, rcvd 3
*Mar 14 01:33:32.866: UDP src=137, dst=137
09-11-2006 09:51 AM
According to
*Mar 14 01:33:26.254: IP: s=192.168.0.10 (local), d=66.249.93.147 (FastEthernet4), len 40, sending
*Mar 14 01:33:26.254: TCP src=2290, dst=80, seq=3048191981, ack=0, win=0 RST
The packet is being sent. Can you post the
show ip nat trans
Also, you only lose internet for 0.10 device and not the rest, correct ?
09-12-2006 05:15 AM
I checked and no translations appeared when it was failing to connect to the web. I'm not locally on the site but I would have thought it's just the .10 that can't connect.
09-12-2006 06:58 AM
So the overload and static translation do not show up while typing 'show ip nat trans'?
That's really strange.
Can you verify when you get to the site ?
09-12-2006 12:52 PM
Hi, sorry, yes it does show the statics; what I meant was no new translations were added. I have these (when connected via RDP).
Pro Inside global Inside local Outside local Outside global
tcp 217.37.253.100:3389 192.168.0.10:3389 81.178.198.219:2202 81.178.198.219:2202
tcp 217.37.253.100:3389 192.168.0.10:3389 --- ---
09-13-2006 12:37 AM
Thank you very much - it now works via static NAT and VPN.
The appended route-map now makes sense!
Rob