Cisco Support Community
ipsec site-2-site VPN and Static PAT issue

Hi Guys,

We are having pretty weird issue and I am wondering if you could help me with this one.

We have two routers running 12.4-15. Policy based IPSEC VPN between them.

We have a user 192.168.8.254 on Site A and a server 192.168.9.10 on Site B. ICMP works perfectly; we can ping in both directions. IPSEC looks good, but we cannot RDP between them on TCP port 3389. There is no ACL applied on any interface.

When I try to RDP from a host on Site A and issue the command show ip nat translation on the router on Site B, I get this:

tcp 203.45.X.X:3389   192.168.9.10:3389     192.168.8.254:45058   192.168.8.254:45058

tcp 203.45.X.X:3389   192.168.9.10:3389     ---                   ---

When I disable a static PAT entry:

no ip nat inside source static tcp 192.168.9.10 3389 interface Dialer1 3389

it works well and I don't see any dynamic PAT entries in the NAT table any more.

Is this normal behaviour? Why do packets get NATted when they arrive from an IPSEC peer on the external interface?

There are NAT exemption access-lists on router B, by the way:

ip nat inside source route-map nonat interface Dialer1 overload

route-map nonat permit 10

match ip address 123

access-list 123 deny   ip host 192.168.9.100 any

access-list 123 deny   ip 192.168.9.0 0.0.0.255 192.168.8.0 0.0.0.255

access-list 123 permit ip 192.168.9.0 0.0.0.255 any

I believe the issue is that there is no exemption for the static PAT traffic; this is why it gets NATted on the way back. I have no idea what the workaround is.
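As an added illustration (not part of the post or of any reply), the following Python script parses show ip nat translations output from router B and checks each translation that involves the remote VPN subnet against the poster's ACL 123. A flow that ACL 123 denies is exempt from the dynamic overload rule, so if a translation for it still exists, the dynamic rule cannot have created it; the static PAT entry, which is not subject to the route-map, is the only remaining source. The sample table is constructed from the two lines quoted above, with the public address 203.45.X.X replaced by the placeholder 203.0.113.1; the column order is the standard IOS "Pro / Inside global / Inside local / Outside local / Outside global" layout, and the subnet 192.168.8.0/24 is taken from the post.

```python
import ipaddress

# Constructed sample of `show ip nat translations` on router B, modelled on the
# two lines quoted in the post. 203.0.113.1 stands in for the redacted 203.45.X.X.
SAMPLE_NAT_TABLE = """\
Pro Inside global      Inside local       Outside local        Outside global
tcp 203.0.113.1:3389   192.168.9.10:3389  192.168.8.254:45058  192.168.8.254:45058
tcp 203.0.113.1:3389   192.168.9.10:3389  ---                  ---
"""

# ACL 123 from the post, as (action, source network, destination network).
# 0.0.0.0/0 models the keyword "any"; evaluation is first match, implicit deny.
ACL_123 = [
    ("deny",   "192.168.9.100/32", "0.0.0.0/0"),
    ("deny",   "192.168.9.0/24",   "192.168.8.0/24"),
    ("permit", "192.168.9.0/24",   "0.0.0.0/0"),
]


def acl_permits(acl, src, dst):
    """Return True if the ACL permits src->dst (i.e. the dynamic NAT rule applies)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if (s in ipaddress.ip_network(src_net, strict=False)
                and d in ipaddress.ip_network(dst_net, strict=False)):
            return action == "permit"
    return False  # implicit deny at the end of every IOS ACL


def split_socket(token):
    """'192.168.8.254:45058' -> ('192.168.8.254', 45058); '---' -> (None, None)."""
    if token == "---":
        return None, None
    host, port = token.rsplit(":", 1)
    return host, int(port)


def parse_nat_table(text):
    """Parse the five-column translation table into a list of dicts."""
    entries = []
    for line in text.splitlines()[1:]:  # skip the column header
        parts = line.split()
        if len(parts) != 5:
            continue  # blank line or unexpected format
        proto, ig, il, ol, og = parts
        entries.append({
            "proto": proto,
            "inside_global": split_socket(ig),
            "inside_local": split_socket(il),
            "outside_local": split_socket(ol),
            "outside_global": split_socket(og),
        })
    return entries


def audit(text, vpn_remote="192.168.8.0/24", acl=ACL_123):
    """Flag translations whose peer is inside the VPN subnet and say which NAT rule
    could have produced them: 'dynamic overload' if ACL 123 permits the flow,
    otherwise 'static' (the flow is exempt from the route-map, so only a static
    entry could translate it)."""
    remote = ipaddress.ip_network(vpn_remote, strict=False)
    findings = []
    for e in parse_nat_table(text):
        peer, _ = e["outside_local"]
        if peer is None:
            continue  # bare static entry, not tied to a connection
        if ipaddress.ip_address(peer) not in remote:
            continue  # Internet traffic, translation is expected
        inside_host, _ = e["inside_local"]
        exempt = not acl_permits(acl, inside_host, peer)
        findings.append({
            "inside_local": inside_host,
            "peer": peer,
            "nonat_exempt": exempt,
            "origin": "static" if exempt else "dynamic overload",
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_NAT_TABLE):
        print(f"{f['inside_local']} <-> {f['peer']}: exempt from dynamic NAT="
              f"{f['nonat_exempt']}, translation must come from: {f['origin']}")
```

On the sample table the script reports the single connection entry for 192.168.9.10 to 192.168.8.254 as exempt from the dynamic rule and therefore attributable to the static PAT entry, which matches the observation that removing that entry makes the translations disappear.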
