can't RDP to branch server

Dear all,

Here's the scenario.

1) I have a branch site with multiple public IPs

2) One of the servers needs to be accessed from the other branch as well (VPN tunnel established)

3) It's a Cisco router

```
!
interface FastEthernet0/0
 description outside
 ip address x.x.x.3 255.255.255.248
 ip nat outside
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
 crypto map vpn
!
ip nat inside source static 192.168.1.100 x.x.x.4
!
ip route 0.0.0.0 0.0.0.0 x.x.x.1
!
```

Remarks

- The tunnel from branch to branch is already established

- I can access the server via RDP using public IP x.x.x.4

- But users from the other branch couldn't ping or RDP to this server using 192.168.1.100

Re: can't RDP to branch server

Your problem comes from the fact that both native and VPN traffic flow over the same NAT-enabled interface. So your NAT-statement also matches on the VPN-traffic. There are two solutions to solve that problem:

1) Migrate to VTIs. With these you have an IPSec-Interface where you don't need to enable NAT. For that, the other end also has to be an IOS-router.

2) Extend your NAT-statement with a route-map. In that route-map you specify an ACL that has deny-statements for the VPN-traffic and the traffic won't be NATted any more when flowing through the VPN.



can't RDP to branch server

Hi Karsten,

Thanks for your reply.

You mean this?

I already configured this in the router.

```
ip nat pool test x.x.x.3 x.x.x.4 netmask 255.255.255.248
ip nat inside source route-map nonat pool test overload
!
access-list 120 deny   ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 120 deny   ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
!
route-map nonat permit 30
 match ip address 120
!
```
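
Solution 2 from the first reply, applied to the static translation in the original post rather than to the dynamic pool rule, as an added example that is not part of the thread. It assumes the remote branch subnets are the two listed in ACL 120; the ACL number 121 and the route-map name nonat-static are hypothetical.

```cisco
! Added example. ACL 121 and route-map nonat-static are hypothetical names;
! the remote branch subnets are the ones in ACL 120 from the thread.
!
! Before: unconditional static NAT. On the inside-to-outside path NAT runs
! before the crypto map is checked, so replies from the server to the
! remote branches leave with source x.x.x.4 and no longer match the
! VPN's interesting-traffic ACL.
!   ip nat inside source static 192.168.1.100 x.x.x.4
!
no ip nat inside source static 192.168.1.100 x.x.x.4
!
! Exempt server-to-branch traffic from translation, translate the rest.
access-list 121 deny   ip host 192.168.1.100 192.168.100.0 0.0.0.255
access-list 121 deny   ip host 192.168.1.100 192.168.200.0 0.0.0.255
access-list 121 permit ip host 192.168.1.100 any
!
route-map nonat-static permit 10
 match ip address 121
!
! After: the static translation applies only to traffic the route-map
! permits, so tunnel traffic keeps the 192.168.1.100 source address.
ip nat inside source static 192.168.1.100 x.x.x.4 route-map nonat-static
```

To check the result, `show ip nat translations` should list no translation for traffic toward the remote branch subnets, and the encaps/decaps counters in `show crypto ipsec sa` should increase while a remote user pings 192.168.1.100.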
