
Static Routers blocking VPN ports

Status
Not open for further replies.

StaplesMan

Technical User
Joined
Mar 8, 2006
I got my VPN working (Cisco client software). After I connect I am able to ping my server and even access files on my server, but I'm unable to use RDP.

The reason is that I have a static inbound route on the router that allows me to connect to my server via RDP without the VPN:

ip nat inside source static tcp 192.168.78.1 3389 interface Ethernet0 1234

Because my ISP is dynamic, I'm unable to define an inbound IP address. Thus this NAT blocks my VPN remote desktop access to 192.168.78.1 (server).

Is there any way that I can assign this NAT to an access list so I can disable it for a source address of 192.168.79.0/24 (my VPN pool)?

Thanks for any advice or links of recommendation.
 
So the vpn pool is a different subnet than the LAN...please post a config.

Burt
 
Yes that's correct!

LAN: 192.168.78.0 / 24
VPN Pool: 192.168.79.0 / 24
WAN: DHCP from ISP (changes every once in awhile)


RDP over the web works with no problems using port 1234.
RDP through the VPN does not work, but with the NAT line removed it works.

-------------------------


version 12.3
service timestamps debug datetime msec
service timestamps log datetime localtime
service password-encryption
!
hostname FireWall
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxx
!
memory-size iomem 25
clock timezone CST -6
clock summer-time cdt recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
!
!(This domain is required for SSH)
ip domain name domain.local
!
ip cef
ip audit po max-events 100
!
!
username xxxxxxxxx privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxx
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group *********
key *********
dns 192.168.78.1
wins 192.168.78.1
pool ippool
acl 108
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
interface Loopback1
ip address 10.0.0.1 255.255.255.252
!
!
!(Cable Internet DHCP)
interface Ethernet0
ip address dhcp
ip access-group 102 in
ip access-group 103 out
no ip redirects
no ip proxy-arp
ip nat outside
rate-limit output access-group 2020 512000 256000 786000 conform-action transmit exceed-action drop
half-duplex
no cdp enable
crypto map clientmap
!
!(Internal Network)
interface FastEthernet0
ip address 192.168.78.2 255.255.255.0
ip nat inside
speed auto
!
ip local pool ippool 192.168.79.100 192.168.79.200
ip nat inside source list 101 interface Ethernet0 overload
ip nat inside source static tcp 192.168.78.1 3389 interface Ethernet0 1234
!
ip classless
no ip http server
no ip http secure-server
!
!
logging 192.168.78.1
access-list 101 deny ip any 192.168.79.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 permit udp any any eq bootpc
access-list 102 permit icmp any any
access-list 102 permit ip 192.168.79.0 0.0.0.255 any
access-list 102 deny ip 10.0.0.0 0.255.255.255 any log
access-list 102 deny ip 192.168.0.0 0.0.255.255 any log
access-list 102 deny ip 172.16.0.0 0.15.255.255 any log
access-list 102 deny ip 0.0.0.0 0.255.255.255 any log
access-list 102 deny ip 127.0.0.0 0.255.255.255 any log
access-list 102 deny ip 169.254.0.0 0.0.255.255 any log
access-list 102 deny ip 192.0.2.0 0.0.0.255 any log
access-list 102 deny ip 198.18.0.0 0.1.255.255 any log
access-list 102 deny ip 224.0.0.0 15.255.255.255 any log
access-list 102 permit ip any any
access-list 108 permit ip 192.168.78.0 0.0.0.255 any
access-list 108 permit ip 10.0.0.0 0.0.0.255 any
access-list 2020 permit icmp any any echo
!
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
password 7 xxxxxxxxxxxxxxxxxxxx
logging synchronous
!
sntp server 192.168.78.1
end
 
Your acl 108 needs to be
access-list 108 permit ip 192.168.79.0 0.0.0.255 any

Try that...also, see if under the group config, you can add the command include-local-lan...and netmask 255.255.255.0

crypto isakmp client configuration group *********
key *********
dns 192.168.78.1
wins 192.168.78.1
pool ippool
acl 108
include-local-lan
netmask 255.255.255.0

Burt

 
Added line to ACL 108.

Then attempted to add include-local-lan and netmask but commands do not exist.

FireWall(config-isakmp-group)#?
ISAKMP group policy config commands:
access-restrict Restrict clients in this group to an interface
acl Specify split tunneling inclusion access-list number
dns Specify DNS Addresses
domain Set default domain name to send to client
exit Exit from ISAKMP client group policy configuration mode
group-lock Enforce group lock feature
key pre-shared key/IKE password
no Negate a command or set its defaults
pool Set name of address pool
wins Specify WINS Addresses
 
Oops... No, it's still not working.

Sorry about that!
 
Note I can access my entire network without any problems from the VPN. I can access my file server but just not RDP because of the NAT command.
 
Thanks for everyone's suggestions... But still no go. I used to have an ACL 103 but removed it for testing. Seems like I never put it back.

Anyway. I removed the "ip access-group 103 out" line from the e0 interface.

Still no RDP.

Any other suggestions?
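What the original question asks for (keep the port forward for Internet clients, but stop it from rewriting the server's replies to VPN clients) can be done on IOS by gating the static translation with a route-map. The reason the unconditional entry breaks VPN RDP is the order of operations: inside-to-outside NAT runs before the crypto map, so the server's reply from 192.168.78.1:3389 to a 192.168.79.x client gets its source rewritten to the Ethernet0 address, no longer matches ACL 108, and leaves unencrypted instead of going back through the tunnel. The fragment below is an added example written for this thread, not something any poster ran. It assumes the router's IOS image accepts the route-map keyword on a static TCP port translation (check with `?` as was done for the group commands; older images may not offer it), and the ACL number 110 and route-map name NAT-RDP are free and chosen for this example.

```cisco
! Added example, not from the thread. ACL 110 describes which flows from
! the RDP server should be translated: everything from 192.168.78.1:3389
! except replies headed for the VPN pool 192.168.79.0/24.
access-list 110 deny   tcp host 192.168.78.1 eq 3389 192.168.79.0 0.0.0.255
access-list 110 permit tcp host 192.168.78.1 eq 3389 any
!
! Route-map name NAT-RDP is an assumption made for this example.
route-map NAT-RDP permit 10
 match ip address 110
!
! Replace the unconditional port forward with one gated by the route-map.
! Inbound connections to <Ethernet0 address>:1234 still reach
! 192.168.78.1:3389; the server's replies to 192.168.79.x now leave
! untranslated, so they match ACL 108 and are encrypted back to the client.
no ip nat inside source static tcp 192.168.78.1 3389 interface Ethernet0 1234
ip nat inside source static tcp 192.168.78.1 3389 interface Ethernet0 1234 route-map NAT-RDP
!
! Existing translation entries are not re-evaluated after the change;
! clear them from exec mode once the new entry is in place.
! (exec mode)  clear ip nat translation *
```

To confirm it is working rather than guessing, open an RDP session from a VPN client and watch `show ip nat translations` (no entry for 192.168.78.1:3389 toward a 192.168.79.x address should appear) and `show crypto ipsec sa` (the encaps counter for that client's SA should rise as the session runs); `debug ip nat` on this low-traffic router will show each translation decision if the counters do not move. Note that this only narrows which outbound flows get translated: access-list 102 on Ethernet0 still ends in `permit ip any any`, so port 1234 on the WAN address stays reachable from any Internet source, and limiting that is a separate decision from fixing the VPN path.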
 