Simultaneous rdp connection via VPN client and WAN

m.henssen
Level 1

Hello,

My customer connects from his laptop to his cisco 876 using the cisco VPN client. He then starts a rdp session to the server. Now I want to connect to the same server via the WAN link. I followed this cisco document: Configuring a Router IPsec Tunnel Private-to-Private Network with NAT and a Static. But for some reason when I add the line: ip nat inside source static 192.168.37.2 x.x.64.44 route-map RMAP the vpn cannot be established (I'm not asked for the password), but I can then access the server via the WAN link over port 3389. In this line the 192.168.37.2 is the server, the x.x.64.44 is the WAN address. With the access list 110 this line should not nat the vpn 'rdp traffic' but nat the rdp traffic to my office.

Here is the configuration

interface Dialer1
 ip address negotiated
 ip access-group WANFilterInbound in
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username b@xs4all.nl password 7 105D1D1008071B0E5E
 crypto map VPN-Map
!
interface Dialer0
 no ip address
 shutdown
 no cdp enable
!
interface BVI1
 ip address 192.168.37.20 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip local pool B_POOL_1 10.10.38.1 10.10.38.10
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 150 interface Dialer1 overload
ip nat inside source static tcp 192.168.37.2 25 interface Dialer1 25
ip nat inside source static tcp 192.168.37.2 443 interface Dialer1 443
ip nat inside source static tcp 192.168.37.2 80 interface Dialer1 80
!
ip access-list extended WANFilterInbound
 permit ip 10.10.38.1 0.0.0.255 any
 permit ahp any any
 permit esp any any
 permit udp any any eq domain
 permit udp any eq domain any
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp x.x.229.0 0.0.0.255 any eq 3389
 permit tcp 10.10.38.0 0.0.0.255 any eq 3389
 permit tcp any any eq smtp
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit udp any any eq ntp
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
!
access-list 110 deny   tcp host 192.168.37.2 10.10.38.0 0.0.0.255 eq 3389
access-list 110 permit tcp host 192.168.37.2 any eq 3389
access-list 150 deny   ip 192.168.37.0 0.0.0.255 10.10.38.0 0.0.0.255
access-list 150 permit ip 192.168.37.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
route-map RMAP permit 10
 match ip address 110
!

So the error I think must be in the access-list 110. 192.168.37.0/24 is the LAN, 10.10.38.0/24 is the vpn pool.

Any help is appreciated,

regards

Marc Henssen

2 Replies

Nagaraja Thanthry
Cisco Employee

Hello,

The access-list 110 is incorrect.

access-list 110 deny   tcp host 192.168.37.2 10.10.38.0 0.0.0.255 eq 3389
access-list 110 permit tcp host 192.168.37.2 any eq 3389

Here you are saying that traffic from 192.168.37.2 (any port) to the 10.10.38.0 subnet on port 3389 should be exempted from the NAT rule. The correct format would be:

access-list 110 deny   tcp host 192.168.37.2 eq 3389 10.10.38.0 0.0.0.255
access-list 110 permit tcp host 192.168.37.2 eq 3389 any

That should fix the issue.

Hope this helps.

Regards,

NT
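As an added illustration of the port-position point in this reply (example code written here, not from the thread or from Cisco): a small Python evaluator for these extended-ACL entries, run against the server's RDP replies. The packet tuples, the client addresses 10.10.38.5 and 203.0.113.7 and the client port 51234 are constructed for the example.

```python
# Added example, not from the thread: a small evaluator for Cisco extended ACL
# entries, used to show which RDP flows each version of access-list 110 matches.
import ipaddress, re

def wildcard_match(ip, net, wc):
    # Cisco wildcard mask: a 1 bit means "don't care"
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (ip, net, wc))
    return (a & ~w) == (n & ~w)

def parse_addr(t):
    # one address spec (host X | any | NET WILDCARD) with an optional "eq PORT"
    if t[0] == "host":
        spec, t = (t[1], "0.0.0.0"), t[2:]
    elif t[0] == "any":
        spec, t = ("0.0.0.0", "255.255.255.255"), t[1:]
    else:
        spec, t = (t[0], t[1]), t[2:]
    port = None
    if t[:1] == ["eq"]:
        port, t = int(t[1]), t[2:]
    return spec, port, t

def parse_ace(line):
    m = re.match(r"access-list\s+\d+\s+(permit|deny)\s+(\w+)\s+(.*)", line)
    action, proto, rest = m.group(1), m.group(2), m.group(3).split()
    src, sport, rest = parse_addr(rest)
    dst, dport, _ = parse_addr(rest)
    return action, proto, src, sport, dst, dport

def evaluate(acl, pkt):
    # first match wins; every Cisco ACL ends with an implicit deny
    for action, proto, src, sport, dst, dport in map(parse_ace, acl):
        if proto not in ("ip", pkt["proto"]): continue
        if not wildcard_match(pkt["src"], *src): continue
        if not wildcard_match(pkt["dst"], *dst): continue
        if sport is not None and sport != pkt["sport"]: continue
        if dport is not None and dport != pkt["dport"]: continue
        return action
    return "deny"

ORIGINAL_ACL = [
    "access-list 110 deny   tcp host 192.168.37.2 10.10.38.0 0.0.0.255 eq 3389",
    "access-list 110 permit tcp host 192.168.37.2 any eq 3389",
]
CORRECTED_ACL = [
    "access-list 110 deny   tcp host 192.168.37.2 eq 3389 10.10.38.0 0.0.0.255",
    "access-list 110 permit tcp host 192.168.37.2 eq 3389 any",
]
# Constructed packets: the server's RDP replies (source port 3389), i.e. the inside-to-outside flow an inside-source NAT route-map is evaluated on
RDP_REPLY_TO_VPN = dict(proto="tcp", src="192.168.37.2", sport=3389, dst="10.10.38.5", dport=51234)
RDP_REPLY_TO_WAN = dict(proto="tcp", src="192.168.37.2", sport=3389, dst="203.0.113.7", dport=51234)
```

With the original list both replies fall through to the implicit deny, because the port is compared against the client's ephemeral destination port; with the corrected list the reply toward the VPN pool hits the deny (no translation) and the reply toward the WAN client hits the permit (translated).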

Hello Nagaraja,

Thanks for your quick response, took me some days to test it.

You were absolutely right about the access list, messed up the 'ip nat inside' syntax with the access-list syntax, thanks for your answer.

The problem is still there as soon as I insert the line: ip nat inside source static 192.168.37.2 x.x.64.44 route-map RMAP the vpn cannot be established (I'm not asked for the password), looks like some traffic is blocked. RDP from the WAN side works fine.

So the problem is:

If I use ip nat inside source static tcp 192.168.27.2 3389 interface Dialer1 3389 then rdp from the WAN works fine, but rdp traffic over the VPN connection is sent out to the internet. So what I need is a conditional NAT translation. I thought I can use the

ip nat inside source static 192.168.37.2 x.x.64.44 route-map RMAP line with

route-map RMAP permit 10
 match ip address 110

access-list 110 deny   tcp host 192.168.37.2 eq 3389 10.10.38.0 0.0.0.255
access-list 110 permit tcp host 192.168.37.2 eq 3389 any

I cannot understand how the 'ip nat inside ....RMAP' line can influence the VPN traffic as it only translates traffic from the outside address to the 192.168.37.2 and back on port 3389.

Can anybody help?

regards

Marc
