ipsec site-2-site VPN and Static PAT issue

Hi Guys,

We are having a pretty weird issue and I am wondering if you could help me with this one.

We have two routers running 12.4-15, with a policy-based IPsec VPN between them.

We have a user on Site A and a server on Site B. ICMP works perfectly, we can ping in both directions, and IPsec looks good, but we cannot RDP between them on TCP port 3389. There is no ACL applied on any interface.

When I try to RDP from a host on Site A and issue the command show ip nat translation on the router on Site B, I get this:

tcp 203.45.X.X:3389
tcp 203.45.X.X:3389     ---                   ---

When I disable the static PAT entry:

no ip nat inside source static tcp 3389 interface Dialer1 3389

it works GOOD and I don't see any dynamic PAT entries in the NAT table any more.

Is this normal behaviour? Why do packets get NATed when they arrive from an IPsec peer on the external interface?

There are NAT exemption access-lists on router B, by the way:

ip nat inside source route-map nonat interface Dialer1 overload

route-map nonat permit 10
 match ip address 123

access-list 123 deny   ip host any
access-list 123 deny   ip
access-list 123 permit ip any

I believe the issue is that there is no exemption for the static PAT traffic, which is why it gets NATed on the way back. I have no idea what the workaround is.
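To illustrate the hypothesis in the post above (that the static PAT entry is matched first and is not governed by the route-map exemption, which only the dynamic overload rule consults), here is an added Python model of the Site B router's inside-to-outside NAT decision followed by the crypto-map check. This is not the poster's configuration or any IOS code; the addresses, the crypto ACL and the body of ACL 123 are constructed assumptions standing in for the values elided in the post, and the modelled behaviour (static translations take precedence over the dynamic rule, and NAT runs before the crypto check on the inside-to-outside path) is the IOS order of operations as generally documented.

```python
"""Toy model of IOS inside->outside NAT rule selection for the thread's Site B router.

Added example, not the poster's configuration.  Addresses are constructed
(RFC 1918 / RFC 5737); 203.0.113.1 stands in for the post's 203.45.X.X.
Modelled IOS behaviour: static translations are matched before the dynamic
'overload' rule, and only the dynamic rule consults route-map nonat / ACL 123.
"""
from dataclasses import dataclass, replace
import ipaddress
import itertools

# Constructed addressing (assumption, not taken from the post)
SITE_A_LAN = ipaddress.ip_network("10.0.2.0/24")   # remote user side
SITE_B_LAN = ipaddress.ip_network("10.0.1.0/24")   # RDP server side
RDP_SERVER = "10.0.1.10"
DIALER1_IP = "203.0.113.1"                          # placeholder for 203.45.X.X

_ephemeral = itertools.count(1024)  # port allocator for the overload rule


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    sport: int   # 0 for icmp
    dst: str
    dport: int   # 0 for icmp


def lan_to_lan(pkt: Packet) -> bool:
    """Site B LAN -> Site A LAN: traffic that should ride the IPsec tunnel."""
    return (ipaddress.ip_address(pkt.src) in SITE_B_LAN
            and ipaddress.ip_address(pkt.dst) in SITE_A_LAN)


def acl_123_permits(pkt: Packet) -> bool:
    """ACL 123 as matched by route-map nonat: the deny lines exempt VPN
    traffic, the trailing permit sends everything else to dynamic PAT."""
    if lan_to_lan(pkt):
        return False          # access-list 123 deny ip <site B LAN> <site A LAN>
    return True               # access-list 123 permit ip any any


def static_pat_matches(pkt: Packet) -> bool:
    """ip nat inside source static tcp <server> 3389 interface Dialer1 3389"""
    return pkt.proto == "tcp" and pkt.src == RDP_SERVER and pkt.sport == 3389


def nat_inside_to_outside(pkt: Packet, static_pat: bool = True):
    """Return (translated packet, name of the rule that fired)."""
    if static_pat and static_pat_matches(pkt):
        # The static entry is not subject to route-map nonat, so the
        # exemption never gets a chance to apply to the RDP server's replies.
        return replace(pkt, src=DIALER1_IP, sport=3389), "static-pat"
    if acl_123_permits(pkt):
        return replace(pkt, src=DIALER1_IP, sport=next(_ephemeral)), "dynamic-overload"
    return pkt, "exempt"


def crypto_map_matches(pkt: Packet) -> bool:
    """Crypto ACL for the tunnel (Site B LAN <-> Site A LAN), evaluated
    after NAT on the inside->outside path."""
    return lan_to_lan(pkt)


def will_be_encrypted(pkt: Packet, static_pat: bool = True):
    """Does the reply still match the crypto map once NAT has run?
    Returns (encrypted, rule_that_fired)."""
    translated, rule = nat_inside_to_outside(pkt, static_pat)
    return crypto_map_matches(translated), rule


if __name__ == "__main__":
    rdp_reply = Packet("tcp", RDP_SERVER, 3389, "10.0.2.50", 50123)
    icmp_reply = Packet("icmp", RDP_SERVER, 0, "10.0.2.50", 0)
    for name, p in (("RDP reply", rdp_reply), ("ICMP reply", icmp_reply)):
        for flag in (True, False):
            enc, rule = will_be_encrypted(p, static_pat=flag)
            print(f"{name:10} static PAT {'on ' if flag else 'off'} -> "
                  f"rule={rule:16} encrypted={enc}")
```

Running it shows the server's RDP reply rewritten to 203.0.113.1:3389 by the static entry and then failing the crypto match, while the same reply is exempted and encrypted once the static entry is removed, and ICMP (which no static entry covers) is exempted either way. That reproduces the symptom described in the post: a translation for port 3389 appears only while the static PAT entry exists, and only RDP breaks.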
