jasonmichel
asked on
RDP through VPN tunnel
I have a server at a remote site of which we have a Ipsec tunnel set up with them. I can RDP into any server there except for this new one we set up.. This is a server i set up a NAT statement to allow a remote vendor rdp directly to that box..i also added my house to the list to test.. I can RDP into the WAN ip just fine from my home and it takes me to that server fine. However, if i am at work, where i have the tunnel set up i can't rdp to it.. i can ping it fine..can't remote in though..but i can remote to other servers at the same site. i'm posting my config..maybe i'm missing something
Current configuration : 9993 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname COB_WAN
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
!
aaa new-model
!
!
aaa authentication login USER_VPN group radius
aaa authorization network GROUP_VPN local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
!
!
ip cef
!
!
ip domain name cityofbellevue.com
ip name-server 10.1.1.10
ip name-server 10.1.1.9
ip name-server 65.24.0.168
ip name-server 65.24.0.169
ip name-server 24.29.161.129
ip name-server 24.29.161.137
!
!
!
!
<cut>
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key MW_COBVPNTunnel address 75.13.63.69 no-xauth
crypto isakmp key REC_VPNTunnel address 216.207.224.5 no-xauth
crypto isakmp key FD_VPNTunnel address 216.207.224.2 no-xauth
crypto isakmp key WAT_VPNTunnel address 216.207.224.3 no-xauth
crypto isakmp key POL_VPNTunnel address 216.207.224.4 no-xauth
crypto isakmp key q6dxfc5q6dxfc5 address 216.207.224.6 no-xauth
crypto isakmp key q6dxfc5q6dxfc5 address 74.218.83.254 no-xauth
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 15
!
crypto isakmp client configuration group COBVPN
key COBvpn
dns 10.1.1.10 10.1.1.9
wins 10.1.1.10
pool VPN_POOL
acl ADMIN-VPN
netmask 255.255.255.0
!
crypto isakmp client configuration group GROUP_VPN
!
crypto isakmp client configuration group CODYVPN
key COBCodyVPN
dns 10.1.1.9
wins 10.1.1.10
pool CODY_VPN_POOL
acl CODY-VPN
netmask 255.255.255.0
!
!
crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
!
crypto dynamic-map VPN_Clients 100
set transform-set 3DES
reverse-route
!
!
crypto map VPN client authentication list USER_VPN
crypto map VPN isakmp authorization list GROUP_VPN
crypto map VPN client configuration address respond
crypto map VPN 10 ipsec-isakmp
description Tunnel to MW
set peer 75.13.63.69
set transform-set 3DES
match address COB2MW
crypto map VPN 15 ipsec-isakmp
description Tunnel to REC
set peer 216.207.224.5
set transform-set 3DES
match address COB2REC
crypto map VPN 20 ipsec-isakmp
description Tunnel to FD
set peer 216.207.224.2
set transform-set 3DES
match address COB2FD
crypto map VPN 30 ipsec-isakmp
description Tunnel to Water
set peer 216.207.224.3
set transform-set 3DES
match address COB2WATER
crypto map VPN 40 ipsec-isakmp
description Tunnel to Pollution Control
set peer 216.207.224.4
set transform-set 3DES
match address COB2POL
crypto map VPN 60 ipsec-isakmp
description Tunnel to HC Jail
set peer 216.207.224.6
set transform-set 3DES
match address COB2HCJAIL
crypto map VPN 70 ipsec-isakmp
description Tunnel To SC Jail
set peer 74.218.83.254
set transform-set 3DES
match address COB2SCJAIL
crypto map VPN 65000 ipsec-isakmp dynamic VPN_Clients
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.252
!
interface GigabitEthernet0/0
description WAN
ip address 70.62.43.146 255.255.255.248 secondary
ip address 70.62.43.150 255.255.255.248
ip access-group inet-in in
ip access-group FWOUT out
ip accounting output-packets
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map VPN
!
interface GigabitEthernet0/1
description LAN
ip address 10.1.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip route-cache cef
ip route-cache flow
duplex auto
speed auto
!
ip local pool VPN_POOL 10.100.100.1 10.100.100.254
ip local pool CODY_VPN_POOL 10.101.101.1 10.101.101.254
ip classless
ip route 0.0.0.0 0.0.0.0 70.62.43.145
ip route 64.128.51.0 255.255.255.0 10.1.1.12
ip flow-export source GigabitEthernet0/0
ip flow-export version 5
ip flow-export destination 68.236.126.229 2055
!
no ip http server
no ip http secure-server
ip nat pool PAT 70.62.43.146 70.62.43.146 netmask 255.255.255.248
ip nat inside source route-map NAT pool PAT overload
ip nat inside source static tcp 10.1.1.80 23 70.62.43.150 23 extendable
ip nat inside source static tcp 10.1.1.10 25 70.62.43.150 25 extendable
ip nat inside source static tcp 10.1.1.10 80 70.62.43.150 80 extendable
ip nat inside source static tcp 10.1.1.10 110 70.62.43.150 110 extendable
ip nat inside source static tcp 10.1.1.11 3389 70.62.43.150 3389 extendable
ip nat inside source static tcp 10.1.1.164 5635 70.62.43.150 5635 extendable
ip nat inside source static udp 10.1.1.164 5635 70.62.43.150 5635 extendable
ip nat inside source static tcp 10.1.1.3 5659 70.62.43.150 5659 extendable
ip nat inside source static udp 10.1.1.3 5660 70.62.43.150 5660 extendable
ip nat inside source static tcp 10.1.1.10 5665 70.62.43.150 5665 extendable
ip nat inside source static udp 10.1.1.10 5666 70.62.43.150 5666 extendable
ip nat inside source static tcp 10.1.1.9 5669 70.62.43.150 5669 extendable
ip nat inside source static udp 10.1.1.9 5670 70.62.43.150 5670 extendable
ip nat inside source static tcp 10.1.1.5 5671 70.62.43.150 5671 extendable
ip nat inside source static udp 10.1.1.5 5672 70.62.43.150 5672 extendable
!
ip access-list extended ADMIN-VPN
remark Access for Admin VPN group
permit ip 10.1.1.0 0.0.0.255 10.100.100.0 0.0.0.255
ip access-list extended COB2FD
remark COB VPN to FD
permit ip 10.1.1.0 0.0.0.255 10.1.5.0 0.0.0.255
ip access-list extended COB2HCJAIL
remark COB VPN to Huron County Jail
permit ip 10.1.1.0 0.0.0.255 192.168.100.0 0.0.0.255
ip access-list extended COB2MW
remark COB VPN to MW
permit ip 10.1.1.0 0.0.0.255 192.168.57.0 0.0.0.255
ip access-list extended COB2POL
remark COB VPN to Pollution Control
permit ip 10.1.1.0 0.0.0.255 10.1.9.0 0.0.0.255
ip access-list extended COB2REC
remark COB VPN to REC
permit ip 10.1.1.0 0.0.0.255 10.1.7.0 0.0.0.255
ip access-list extended COB2SCJAIL
remark COB VPN to Sandusky Country Jail
permit ip 10.1.1.0 0.0.0.255 192.168.200.0 0.0.0.255
ip access-list extended COB2WATER
remark COB VPN to Water
permit ip 10.1.1.0 0.0.0.255 10.1.11.0 0.0.0.255
ip access-list extended CODY-VPN
permit ip host 10.1.1.9 0.0.0.255 10.101.101.0
ip access-list extended FWOUT
permit ip any any reflect REFLECT
ip access-list extended inet-in
permit tcp host 157.34.167.149 host 70.62.43.150 eq 3389
permit tcp host 98.30.99.116 host 70.62.43.150 eq 3389
deny tcp any host 70.62.43.150 eq 3389
permit ip any any
ip access-list extended inet-traffic
remark inet traffic
deny ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
deny ip 10.0.0.0 0.255.255.255 172.16.0.0 0.15.255.255
permit ip 10.1.1.0 0.0.0.255 any
ip access-list extended internet-in
deny tcp any host 70.62.43.150 eq 3389
!
snmp-server community cdhelpdot5864 RW
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps ds1
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps flash insertion removal
snmp-server enable traps ds3
snmp-server enable traps envmon
snmp-server enable traps icsudsu
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps ds0-busyout
snmp-server enable traps ds1-loopback
snmp-server enable traps cnpd
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps event-manager
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps ipmobile
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface-old
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps syslog
snmp-server enable traps l2tun session
snmp-server enable traps vtp
snmp-server enable traps atm subif
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps rtr
route-map NAT permit 10
match ip address inet-traffic
!
!
control-plane
!
!
banner login ^CC
**************************
* Unauthorized access will be prosecuted to the fullest extent of the law. *
* To avoid criminal charges, disconnect NOW! *
**************************
^C
!
line con 0
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
line vty 5 15
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp server 10.1.1.10
!
end
Current configuration : 9993 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname COB_WAN
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
!
aaa new-model
!
!
aaa authentication login USER_VPN group radius
aaa authorization network GROUP_VPN local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
!
!
ip cef
!
!
ip domain name cityofbellevue.com
ip name-server 10.1.1.10
ip name-server 10.1.1.9
ip name-server 65.24.0.168
ip name-server 65.24.0.169
ip name-server 24.29.161.129
ip name-server 24.29.161.137
!
!
!
!
<cut>
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key MW_COBVPNTunnel address 75.13.63.69 no-xauth
crypto isakmp key REC_VPNTunnel address 216.207.224.5 no-xauth
crypto isakmp key FD_VPNTunnel address 216.207.224.2 no-xauth
crypto isakmp key WAT_VPNTunnel address 216.207.224.3 no-xauth
crypto isakmp key POL_VPNTunnel address 216.207.224.4 no-xauth
crypto isakmp key q6dxfc5q6dxfc5 address 216.207.224.6 no-xauth
crypto isakmp key q6dxfc5q6dxfc5 address 74.218.83.254 no-xauth
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 15
!
crypto isakmp client configuration group COBVPN
key COBvpn
dns 10.1.1.10 10.1.1.9
wins 10.1.1.10
pool VPN_POOL
acl ADMIN-VPN
netmask 255.255.255.0
!
crypto isakmp client configuration group GROUP_VPN
!
crypto isakmp client configuration group CODYVPN
key COBCodyVPN
dns 10.1.1.9
wins 10.1.1.10
pool CODY_VPN_POOL
acl CODY-VPN
netmask 255.255.255.0
!
!
crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
!
crypto dynamic-map VPN_Clients 100
set transform-set 3DES
reverse-route
!
!
crypto map VPN client authentication list USER_VPN
crypto map VPN isakmp authorization list GROUP_VPN
crypto map VPN client configuration address respond
crypto map VPN 10 ipsec-isakmp
description Tunnel to MW
set peer 75.13.63.69
set transform-set 3DES
match address COB2MW
crypto map VPN 15 ipsec-isakmp
description Tunnel to REC
set peer 216.207.224.5
set transform-set 3DES
match address COB2REC
crypto map VPN 20 ipsec-isakmp
description Tunnel to FD
set peer 216.207.224.2
set transform-set 3DES
match address COB2FD
crypto map VPN 30 ipsec-isakmp
description Tunnel to Water
set peer 216.207.224.3
set transform-set 3DES
match address COB2WATER
crypto map VPN 40 ipsec-isakmp
description Tunnel to Pollution Control
set peer 216.207.224.4
set transform-set 3DES
match address COB2POL
crypto map VPN 60 ipsec-isakmp
description Tunnel to HC Jail
set peer 216.207.224.6
set transform-set 3DES
match address COB2HCJAIL
crypto map VPN 70 ipsec-isakmp
description Tunnel To SC Jail
set peer 74.218.83.254
set transform-set 3DES
match address COB2SCJAIL
crypto map VPN 65000 ipsec-isakmp dynamic VPN_Clients
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.252
!
interface GigabitEthernet0/0
description WAN
ip address 70.62.43.146 255.255.255.248 secondary
ip address 70.62.43.150 255.255.255.248
ip access-group inet-in in
ip access-group FWOUT out
ip accounting output-packets
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map VPN
!
interface GigabitEthernet0/1
description LAN
ip address 10.1.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip route-cache cef
ip route-cache flow
duplex auto
speed auto
!
ip local pool VPN_POOL 10.100.100.1 10.100.100.254
ip local pool CODY_VPN_POOL 10.101.101.1 10.101.101.254
ip classless
ip route 0.0.0.0 0.0.0.0 70.62.43.145
ip route 64.128.51.0 255.255.255.0 10.1.1.12
ip flow-export source GigabitEthernet0/0
ip flow-export version 5
ip flow-export destination 68.236.126.229 2055
!
no ip http server
no ip http secure-server
ip nat pool PAT 70.62.43.146 70.62.43.146 netmask 255.255.255.248
ip nat inside source route-map NAT pool PAT overload
ip nat inside source static tcp 10.1.1.80 23 70.62.43.150 23 extendable
ip nat inside source static tcp 10.1.1.10 25 70.62.43.150 25 extendable
ip nat inside source static tcp 10.1.1.10 80 70.62.43.150 80 extendable
ip nat inside source static tcp 10.1.1.10 110 70.62.43.150 110 extendable
ip nat inside source static tcp 10.1.1.11 3389 70.62.43.150 3389 extendable
ip nat inside source static tcp 10.1.1.164 5635 70.62.43.150 5635 extendable
ip nat inside source static udp 10.1.1.164 5635 70.62.43.150 5635 extendable
ip nat inside source static tcp 10.1.1.3 5659 70.62.43.150 5659 extendable
ip nat inside source static udp 10.1.1.3 5660 70.62.43.150 5660 extendable
ip nat inside source static tcp 10.1.1.10 5665 70.62.43.150 5665 extendable
ip nat inside source static udp 10.1.1.10 5666 70.62.43.150 5666 extendable
ip nat inside source static tcp 10.1.1.9 5669 70.62.43.150 5669 extendable
ip nat inside source static udp 10.1.1.9 5670 70.62.43.150 5670 extendable
ip nat inside source static tcp 10.1.1.5 5671 70.62.43.150 5671 extendable
ip nat inside source static udp 10.1.1.5 5672 70.62.43.150 5672 extendable
!
ip access-list extended ADMIN-VPN
remark Access for Admin VPN group
permit ip 10.1.1.0 0.0.0.255 10.100.100.0 0.0.0.255
ip access-list extended COB2FD
remark COB VPN to FD
permit ip 10.1.1.0 0.0.0.255 10.1.5.0 0.0.0.255
ip access-list extended COB2HCJAIL
remark COB VPN to Huron County Jail
permit ip 10.1.1.0 0.0.0.255 192.168.100.0 0.0.0.255
ip access-list extended COB2MW
remark COB VPN to MW
permit ip 10.1.1.0 0.0.0.255 192.168.57.0 0.0.0.255
ip access-list extended COB2POL
remark COB VPN to Pollution Control
permit ip 10.1.1.0 0.0.0.255 10.1.9.0 0.0.0.255
ip access-list extended COB2REC
remark COB VPN to REC
permit ip 10.1.1.0 0.0.0.255 10.1.7.0 0.0.0.255
ip access-list extended COB2SCJAIL
remark COB VPN to Sandusky Country Jail
permit ip 10.1.1.0 0.0.0.255 192.168.200.0 0.0.0.255
ip access-list extended COB2WATER
remark COB VPN to Water
permit ip 10.1.1.0 0.0.0.255 10.1.11.0 0.0.0.255
ip access-list extended CODY-VPN
permit ip host 10.1.1.9 0.0.0.255 10.101.101.0
ip access-list extended FWOUT
permit ip any any reflect REFLECT
ip access-list extended inet-in
permit tcp host 157.34.167.149 host 70.62.43.150 eq 3389
permit tcp host 98.30.99.116 host 70.62.43.150 eq 3389
deny tcp any host 70.62.43.150 eq 3389
permit ip any any
ip access-list extended inet-traffic
remark inet traffic
deny ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
deny ip 10.0.0.0 0.255.255.255 172.16.0.0 0.15.255.255
permit ip 10.1.1.0 0.0.0.255 any
ip access-list extended internet-in
deny tcp any host 70.62.43.150 eq 3389
!
snmp-server community cdhelpdot5864 RW
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps ds1
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps flash insertion removal
snmp-server enable traps ds3
snmp-server enable traps envmon
snmp-server enable traps icsudsu
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps ds0-busyout
snmp-server enable traps ds1-loopback
snmp-server enable traps cnpd
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps event-manager
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps ipmobile
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface-old
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps syslog
snmp-server enable traps l2tun session
snmp-server enable traps vtp
snmp-server enable traps atm subif
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps rtr
route-map NAT permit 10
match ip address inet-traffic
!
!
control-plane
!
!
banner login ^CC
**************************
* Unauthorized access will be prosecuted to the fullest extent of the law. *
* To avoid criminal charges, disconnect NOW! *
**************************
^C
!
line con 0
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
line vty 5 15
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp server 10.1.1.10
!
end
batry_boy
I'm assuming you are referring to the server at 10.1.1.11 that you are having trouble using RDP to across the L2L tunnel. When you try from work across the L2L tunnel, are you using 10.1.1.11 (the private IP) or the translated public IP address to access it?
That is to say that you should be using the private IP address 10.1.1.11 when accessing it from the office.
ASKER
yes..sorry forgot to add...my private IP range here is 192.168.57.0 and yes i was using the 10.1.1.11 to try to connect
Everything looks fine except you may want to adjust this ACL to include your IP address or take out the deny statement and see if that fixes your problem and then adjust accordingly
ip access-list extended inet-in
permit tcp host 157.34.167.149 host 70.62.43.150 eq 3389
permit tcp host 98.30.99.116 host 70.62.43.150 eq 3389
deny tcp any host 70.62.43.150 eq 3389
permit ip any any
ip access-list extended inet-in
permit tcp host 157.34.167.149 host 70.62.43.150 eq 3389
permit tcp host 98.30.99.116 host 70.62.43.150 eq 3389
deny tcp any host 70.62.43.150 eq 3389
permit ip any any
ASKER
i removed the deny statement but still don't work...kinda wierd, cause i can rdp into any other server there, and i can rdp into that server from one of the other servers..also added our WAN Ip no avail
Check the subnet mask of your server. Make sure all your network setting s are coorect.
ASKER
yeah that's all good
Did you check to see if the server could get to other things on the othe side of the tunnel or is just limited to RDP? Or if you could get to other services on the server?
ASKER
well i can ping the server from my end so i can atleast see the server and its responding to icmp. And from the server i can remote in to a server on my end..
Because you can Remote to a server on your side means that RDP packets can flow back and forth. Can you check to see if on your server it allows RDP off of it's network segment. If it is a Windows SMB 2003 server it will restrict off network RDP the problem is that connections from a NATed port looks like it is coming from 10.1.1.1 so you wouldn't have a problem with the customers incoming connections. Look at the local poicy to see if RDP is being restricted that way.
ASKER
it is a server 2003 standard. heres something i tried and it worked but broke something..i removed the
ip nat inside source static tcp 10.1.1.11 3389 70.62.43.150 3389 extendable
and i could rdp from my work to the server...but now the whole reason i created that statement was to allow a vendor to rdp directly to that server from the outside
ip nat inside source static tcp 10.1.1.11 3389 70.62.43.150 3389 extendable
and i could rdp from my work to the server...but now the whole reason i created that statement was to allow a vendor to rdp directly to that server from the outside
ASKER
where would i look in local poliy at...didn't see anything in security options
Well if that worked then no need to go any further on the server side since it appears to be a nat issue. Try this (never done it this way but it might work
ip nat inside source static tcp 10.1.1.11 3389 70.62.43.150 3389 route-map nonat
ip access-list extended nonat
deny ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
deny ip 10.0.0.0 0.255.255.255 172.16.0.0 0.15.255.255
permit ip 10.1.1.0 0.0.0.255 any
route-map nonat permit 10
match ip address nonat
ip nat inside source static tcp 10.1.1.11 3389 70.62.43.150 3389 route-map nonat
ip access-list extended nonat
deny ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
deny ip 10.0.0.0 0.255.255.255 172.16.0.0 0.15.255.255
permit ip 10.1.1.0 0.0.0.255 any
route-map nonat permit 10
match ip address nonat
ASKER
i have that in there as extendable...by doing the way you suggest...would that affect the vendors coming from the outside as well?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
so i should just delete the old one and put the new one in?
It should just ammend to it but to be safe go ahead and remove and add the new NAT line in.
ASKER
that worked..i also had
p access-list extended inet-traffic
remark inet traffic
deny ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
deny ip 10.0.0.0 0.255.255.255 172.16.0.0 0.15.255.255
permit ip 10.1.1.0 0.0.0.255 any
could i have just used that?
p access-list extended inet-traffic
remark inet traffic
deny ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
deny ip 10.0.0.0 0.255.255.255 172.16.0.0 0.15.255.255
permit ip 10.1.1.0 0.0.0.255 any
could i have just used that?
It should and I almost just linked that one but I didn't want to during the testing phase. You may want to go ahead and link it now just to keep your configuration clean.