ipsec site-2-site VPN and Static PAT issue

glebpe185 (Level 1)

Hi Guys,

We are having a pretty weird issue, and I am wondering if you could help me with this one.

We have two routers running 12.4-15 with a policy-based IPsec VPN between them.

We have a user, 192.168.8.254, on Site A and a server, 192.168.9.10, on Site B. ICMP works perfectly; we can ping in both directions, so IPsec looks good, but we cannot RDP between them on TCP port 3389. There is no ACL applied on any interface.

When I try to RDP from a host on Site A and issue the command show ip nat translations on the router at Site B, I get this:

tcp 203.45.X.X:3389   192.168.9.10:3389     192.168.8.254:45058   192.168.8.254:45058
tcp 203.45.X.X:3389   192.168.9.10:3389     ---                   ---

When I disable the static PAT entry:

no ip nat inside source static tcp 192.168.9.10 3389 interface Dialer1 3389

it works fine, and I don't see any dynamic PAT entries in the NAT table any more.

Is this normal behaviour? Why do packets get NATed when they arrive from an IPsec peer on the external interface?

There are NAT exemption access lists on router B, by the way:

ip nat inside source route-map nonat interface Dialer1 overload

route-map nonat permit 10
 match ip address 123

access-list 123 deny   ip host 192.168.9.100 any
access-list 123 deny   ip 192.168.9.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 123 permit ip 192.168.9.0 0.0.0.255 any

I believe the issue is that there is no exception for the static PAT traffic, which is why it gets NATed on the way back, but I have no idea what the workaround is.
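The following is an added example, not part of the original post and not Cisco code: a small Python model of the IOS inside-source NAT decision on router B, built from the ACL, route-map and static PAT entry quoted above. It reproduces why the RDP reply from 192.168.9.10:3389 is translated (IOS consults static translations before the route-map-driven dynamic NAT, so the deny lines in access-list 123 never see it) while the ICMP reply is left alone. Assumptions: 203.0.113.1 stands in for the masked Dialer1 address 203.45.X.X, the Internet client 198.51.100.7 and the flow ports are constructed, and the "gated" variant (a static entry that only applies when the nonat route-map permits the packet) is a hypothetical fix used to show what an exemption for the static entry would have to achieve, not a command syntax taken from the post.

```python
"""Model of IOS inside-source NAT ordering: static entries before dynamic NAT.

Added example; the config values come from the forum post, the addresses
marked 'constructed' do not.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress

DIALER1_ADDR = "203.0.113.1"   # constructed stand-in for 203.45.X.X (Dialer1)


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = 0xFFFFFFFF ^ w
    return (a & care) == (b & care)


def _parse_target(tokens):
    """Consume one ACL address spec: 'any', 'host A' or 'A WILDCARD'."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]


def parse_acl(text: str):
    """Parse 'access-list N {permit|deny} ip SRC DST' lines (the form used in the post)."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        assert t[0] == "access-list" and t[3] == "ip", line
        src, swild, rest = _parse_target(t[4:])
        dst, dwild, _ = _parse_target(rest)
        entries.append((t[2], src, swild, dst, dwild))
    return entries


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class StaticPat:
    proto: str
    inside_local: str
    local_port: int
    global_port: int
    route_map: Optional[str] = None   # hypothetical: static entry gated by a route-map


@dataclass
class NatConfig:
    acls: dict                 # number -> parsed entries
    route_maps: dict           # name -> [(action, acl number), ...]
    statics: list
    dynamic_route_map: str     # 'ip nat inside source route-map <name> interface Dialer1 overload'


def acl_permits(acl, pkt: Packet) -> bool:
    for action, src, swild, dst, dwild in acl:
        if wildcard_match(pkt.src, src, swild) and wildcard_match(pkt.dst, dst, dwild):
            return action == "permit"
    return False   # implicit deny at the end of every IOS ACL


def route_map_permits(cfg: NatConfig, name: str, pkt: Packet) -> bool:
    """A route-map permit sequence matches only when its ACL permits; deny lines fall through."""
    for action, acl_num in cfg.route_maps[name]:
        if acl_permits(cfg.acls[acl_num], pkt):
            return action == "permit"
    return False


def translate_inside_to_outside(cfg: NatConfig, pkt: Packet):
    """Return (new_src, new_sport, reason) for a packet leaving the inside interface."""
    for s in cfg.statics:   # static translations are consulted before dynamic NAT
        if (s.proto, s.inside_local, s.local_port) == (pkt.proto, pkt.src, pkt.sport):
            if s.route_map is None or route_map_permits(cfg, s.route_map, pkt):
                return DIALER1_ADDR, s.global_port, "static"
    if route_map_permits(cfg, cfg.dynamic_route_map, pkt):
        return DIALER1_ADDR, pkt.sport, "dynamic-overload"
    return pkt.src, pkt.sport, "untranslated"


ACL_123 = """
access-list 123 deny   ip host 192.168.9.100 any
access-list 123 deny   ip 192.168.9.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 123 permit ip 192.168.9.0 0.0.0.255 any
"""


def site_b_config(gate_static_with_nonat: bool = False) -> NatConfig:
    """Router B as posted; gate_static_with_nonat=True is the hypothetical exemption."""
    return NatConfig(
        acls={123: parse_acl(ACL_123)},
        route_maps={"nonat": [("permit", 123)]},
        statics=[StaticPat("tcp", "192.168.9.10", 3389, 3389,
                           route_map="nonat" if gate_static_with_nonat else None)],
        dynamic_route_map="nonat",
    )


# Flows constructed from the post's NAT table line and its ping test.
RDP_REPLY = Packet("tcp", "192.168.9.10", 3389, "192.168.8.254", 45058)
PING_REPLY = Packet("icmp", "192.168.9.10", 0, "192.168.8.254", 0)
INTERNET_REPLY = Packet("tcp", "192.168.9.10", 3389, "198.51.100.7", 51000)  # constructed

if __name__ == "__main__":
    for gated in (False, True):
        cfg = site_b_config(gated)
        print(f"static entry gated by route-map nonat: {gated}")
        for p in (RDP_REPLY, PING_REPLY, INTERNET_REPLY):
            print(f"  {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport} =>",
                  translate_inside_to_outside(cfg, p))
```

With the posted configuration the RDP reply towards the VPN peer is translated by the static entry, exactly the translation the poster sees, while the ICMP reply falls through the route-map deny and leaves untranslated, which is why ping works. Gating the static entry on the same nonat route-map leaves VPN-bound replies untouched but still forwards port 3389 for a host on the Internet.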

1 Reply

glebpe185 (Level 1)