Hi Guys,
We are having a pretty weird issue and I am wondering if you could help me with this one.
We have two routers running 12.4-15, with a policy-based IPsec VPN between them.
We have a user 192.168.8.254 on Site A and a server 192.168.9.10 on Site B. ICMP works perfectly; we can ping in both directions and IPsec looks good, but we cannot RDP between them on TCP port 3389. There is no ACL applied on any interface.
When I try to RDP from a host on Site A and issue the command show ip nat translation on the router on Site B, I get this:
tcp 203.45.X.X:3389 192.168.9.10:3389 192.168.8.254:45058 192.168.8.254:45058
tcp 203.45.X.X:3389 192.168.9.10:3389 --- ---
When I disable the static PAT entry:
no ip nat inside source static tcp 192.168.9.10 3389 interface Dialer1 3389
it works fine, and I don't see any dynamic PAT entries in the NAT table any more.
Is this normal behaviour? Why do packets get NATed when they arrive from an IPsec peer on the external interface?
There is a NAT exemption access-list on router B, by the way:
ip nat inside source route-map nonat interface Dialer1 overload
route-map nonat permit 10
match ip address 123
access-list 123 deny ip host 192.168.9.100 any
access-list 123 deny ip 192.168.9.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 123 permit ip 192.168.9.0 0.0.0.255 any
I believe the issue is that there is no exemption for the static PAT traffic, which is why it gets NATed on the way back, but I have no idea what the workaround is.
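Added example (not part of the original post, and not the poster's running config): router B's static PAT line rewritten so that it is gated by the same nonat route-map as the dynamic PAT, shown beside the original line for comparison. The translation in the post is not created on the packet arriving from the IPsec peer; it is created when the server's reply leaves inside-to-outside and hits the static entry, which IOS evaluates before the overload rule and its route-map, so ACL 123 never gets a say. Assumptions: the IOS build on router B accepts `route-map` on a static PAT entry (the 12.4 command reference lists `[extendable] ... [route-map map-name]` for `ip nat inside source static`, and most builds want `extendable` with it), and the crypto ACL for the tunnel selects 192.168.9.0/24 to 192.168.8.0/24. Interface, host and ACL names are the ones from the post.

```cisco
! Router B, as posted: the static PAT entry has no exemption. The server's
! reply to 192.168.8.254 is translated to 203.45.X.X:3389 on the way out,
! so it no longer matches the VPN traffic selector and bypasses the tunnel.
ip nat inside source static tcp 192.168.9.10 3389 interface Dialer1 3389

! Replacement (assumed syntax: route-map on a static entry, with extendable).
! The route-map nonat / ACL 123 already used for the dynamic PAT now gates
! the static entry too: 192.168.9.0/24 -> 192.168.8.0/24 is denied by ACL 123,
! so that traffic is left untranslated and goes into the tunnel; replies to
! Internet clients are still translated to Dialer1:3389.
no ip nat inside source static tcp 192.168.9.10 3389 interface Dialer1 3389
ip nat inside source static tcp 192.168.9.10 3389 interface Dialer1 3389 route-map nonat extendable

! Existing exemption, unchanged from the post, shown for context
ip nat inside source route-map nonat interface Dialer1 overload
route-map nonat permit 10
 match ip address 123
access-list 123 deny   ip host 192.168.9.100 any
access-list 123 deny   ip 192.168.9.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 123 permit ip 192.168.9.0 0.0.0.255 any

! Check: flush the stale entry, retry RDP from 192.168.8.254, then confirm
! that no translation for the VPN pair is created any more
clear ip nat translation *
show ip nat translations | include 192.168.8.254
```

`clear ip nat translation *` drops every active translation, including Internet sessions for the other hosts, so do it in a quiet window. If the build rejects `route-map` on the static line, the remaining fix is outside NAT altogether: keep the static entry and make sure the crypto map's ACL is evaluated on the untranslated addresses, which on this platform means the exemption has to be expressed in NAT, so the route-map form is the one to try first.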