New Member

can't RDP to branch server

Dear all,

Here are the scenarios.

1) I have a branch site with multiple public IPs.

2) One of the servers needs to be accessed from another branch as well (VPN tunnel established).

3) It's a Cisco router.


interface FastEthernet0/0
 description outside
 ip address x.x.x.3
 ip nat outside
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
 crypto map vpn

ip nat inside source static x.x.x.4

ip route x.x.x.1



- The tunnel from branch to branch is already established.

- I can access the server via RDP using public IP x.x.x.4.

- But users from the other branch couldn't ping or RDP to this server using

  • VPN
VIP Purple

Re: can't RDP to branch server

Your problem comes from the fact that both native and VPN traffic flow over the same NAT-enabled interface, so your NAT statement also matches the VPN traffic. There are two solutions to that problem:

1) Migrate to VTIs. With these you have an IPsec interface where you don't need to enable NAT. For that, the other end also has to be an IOS router.
2) Extend your NAT statement with a route-map. In that route-map you specify an ACL that has deny statements for the VPN traffic, and the traffic won't be NATted any more when flowing through the VPN.

New Member

can't RDP to branch server

Hi Karsten,

Thanks for your reply.

You mean this?

I already configured this in the router.

ip nat pool test x.x.x.3 x.x.x.4 netmask
ip nat inside source route-map nonat pool test overload

access-list 120 deny   ip
access-list 120 deny   ip
access-list 120 permit ip any

route-map nonat permit 30
 match ip address 120
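
The second option from the reply, written out for a static entry rather than the pool/overload statement, as an added example that is not part of the original thread. All addresses are constructed placeholders (192.168.10.10 for the server, 192.168.20.0/24 for the remote branch LAN, 203.0.113.4 for the public address), and the names NONAT-STATIC and VPN-BRANCH are hypothetical.

```cisco
! Constructed addresses (assumptions, not taken from the thread):
!   192.168.10.10    server inside address at this branch
!   192.168.20.0/24  LAN of the remote branch behind the tunnel
!   203.0.113.4      public address mapped to the server
!
! ACL used by the static mapping: deny = leave untranslated, permit = translate.
ip access-list extended NONAT-STATIC
 deny   ip host 192.168.10.10 192.168.20.0 0.0.0.255
 permit ip host 192.168.10.10 any
!
route-map NONAT-STATIC permit 10
 match ip address NONAT-STATIC
!
! Replace the unconditional static entry with one tied to the route-map.
no ip nat inside source static 192.168.10.10 203.0.113.4
ip nat inside source static 192.168.10.10 203.0.113.4 route-map NONAT-STATIC
!
! The crypto ACL (hypothetical name) must match the untranslated addresses,
! because inside-to-outside NAT is evaluated before the crypto map.
ip access-list extended VPN-BRANCH
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
! Checks after a test ping or RDP attempt from the remote branch:
!   show ip nat translations          (no entry toward 192.168.20.0/24 expected)
!   show crypto ipsec sa              (encaps/decaps counters should increase)
!   show ip access-lists NONAT-STATIC (hits should land on the deny line)
```

Internet clients still reach the server on the public address, since their traffic matches the permit line and is translated as before.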