This solution is needed when you have a Cisco Router and a Dynamic Global IP. I created this solution when I was at home as I use BT Infinity’s new VDSL connection which has a Dynamic IP. I will explain the other issues with BT Infinity and Cisco in another post.

Basically, when you have remote-access VPN users set up alongside a static NAT rule (RDP, for example), you will find that an RDP connection to a server's local IP from a connected VPN client fails: the router tries to apply the outside NAT translation to that traffic when you don't want it to. You want the traffic to route across the tunnel untranslated, and below are examples of how to achieve this.

I will explain both solutions: the one for when you have a static IP, and the slightly more complicated one for when you have a dynamic IP.

Static IP NAT Solution:

Normal Translation Rule:

#ip nat inside source static tcp 10.0.0.80 3389 XX.XX.XX.XX 3389 extendable

What you need to have is the following:

#ip nat inside source static tcp 10.0.0.80 3389 XX.XX.XX.XX 3389 route-map NAT-DENY-VPN extendable

What you are doing here is attaching a route-map to the translation. The route-map matches on an access list, and a deny entry in that list for traffic going from the internal LAN to the VPN address pool keeps that traffic out of the translation, as shown below:

#ip access-list extended NAT-DENY-VPN
 deny   ip 10.0.0.0 0.0.0.255 192.168.99.0 0.0.0.255

You can be more specific and match the NAT rule exactly, e.g. only the server's RDP port. Note that the port sits on the source side of the entry: the translation is checked against the server's reply packet leaving the inside interface, where 3389 is the source port.

#ip access-list extended NAT-DENY-VPN
 deny   tcp 10.0.0.0 0.0.0.255 eq 3389 192.168.99.0 0.0.0.255
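The static-IP solution in one place, as an added example that is not from the original post. It supplies the route-map definition the translation refers to (the name is the one used above, the sequence number is an assumption) and the interface NAT roles the post takes for granted. The closing `permit ip any any` is also an addition: a route-map whose access list permits nothing matches no packet at all, so without it the translation would never be applied to ordinary Internet traffic either. XX.XX.XX.XX stands for the static public address, as in the post.

```cisco
! Added example, not the original post's configuration.
! Assumed: LAN 10.0.0.0/24 on FastEthernet0/0, VPN pool 192.168.99.0/24,
! server 10.0.0.80, public uplink FastEthernet0/1 with static address XX.XX.XX.XX.
!
interface FastEthernet0/0
 description **Internal LAN**
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description **Outside**
 ip address XX.XX.XX.XX 255.255.255.252
 ip nat outside
!
! Match list for the translation. The deny entry excludes the server's RDP
! replies to VPN clients (source port 3389, since this is the reply packet
! leaving the inside interface). The permit entry is an addition: without it
! the list matches nothing and the translation is never applied.
ip access-list extended NAT-DENY-VPN
 deny   tcp 10.0.0.0 0.0.0.255 eq 3389 192.168.99.0 0.0.0.255
 permit ip any any
!
! The route-map the translation refers to (sequence number assumed).
route-map NAT-DENY-VPN permit 10
 match ip address NAT-DENY-VPN
!
! The static translation is only applied when the route-map permits the packet.
ip nat inside source static tcp 10.0.0.80 3389 XX.XX.XX.XX 3389 route-map NAT-DENY-VPN extendable
```

To check the result, connect a VPN client, open RDP to 10.0.0.80 and run `show ip nat translations`: there should be no entry with a 192.168.99.x address on the outside side, while a connection from the Internet to XX.XX.XX.XX:3389 still produces the expected 10.0.0.80:3389 entry. `show ip access-lists NAT-DENY-VPN` shows the per-entry match counters, which is the quickest way to see whether the deny line is actually being hit.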

Dynamic IP NAT Solution:

With a dynamic IP you will find your NAT translation rules look like the following, using the interface keyword instead of the IP address:

ip nat inside source static tcp 10.0.0.80 3389 interface Dialer1 3389

You first need to create a loopback interface like the following:
**The IP address you use is irrelevant, as long as it is outside any scheme you already have in use.

interface Loopback0
 ip address 192.168.50.1 255.255.255.0

Then create an access list to permit traffic from your internal LAN to the VPN DHCP Pool Range:

#ip access-list extended NAT-Avoidance
 permit ip 10.0.0.0 0.0.0.255 192.168.99.0 0.0.0.255

Then create the route-map:

#route-map PBR permit 10
 description **PBR Avoid NAT for VPN Users**
 match ip address NAT-Avoidance
 set interface Loopback0

Then assign this to your internal LAN interface:

#interface FastEthernet0/0
 description **Internal LAN**
 ip policy route-map PBR

Slightly more complicated to do but works perfectly!
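The dynamic-IP solution collected into one configuration, as an added example that is not from the original post. It adds the `ip nat inside` / `ip nat outside` interface roles the post assumes, and the loopback deliberately carries no `ip nat inside` statement: the policy route sends the LAN-to-VPN packets through Loopback0, where they are routed again without the inside translation being applied (this description of the mechanism is an assumption, not something the post states). Interface names, addresses and the PPPoE dialer are assumptions taken from the post's own examples.

```cisco
! Added example, not the original post's configuration.
! Assumed: LAN 10.0.0.0/24 on FastEthernet0/0, VPN pool 192.168.99.0/24,
! PPPoE uplink Dialer1 with a dynamic address, server 10.0.0.80.
!
! Policy-routing target. Any otherwise unused address works; the interface
! must not be marked "ip nat inside".
interface Loopback0
 ip address 192.168.50.1 255.255.255.0
!
interface FastEthernet0/0
 description **Internal LAN**
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip policy route-map PBR
!
interface Dialer1
 description **Outside (dynamic IP)**
 ip nat outside
!
! Only LAN-to-VPN-pool traffic is policy routed; everything else takes the
! normal path and is still translated.
ip access-list extended NAT-Avoidance
 permit ip 10.0.0.0 0.0.0.255 192.168.99.0 0.0.0.255
!
route-map PBR permit 10
 description **PBR Avoid NAT for VPN Users**
 match ip address NAT-Avoidance
 set interface Loopback0
!
! The static translation against the dialer's current address, as before.
ip nat inside source static tcp 10.0.0.80 3389 interface Dialer1 3389
```

Two checks are worth running after applying this. `show route-map PBR` reports a "Policy routing matches" counter that should increment only when an inside host replies to a VPN client; if it climbs with no VPN users connected, the NAT-Avoidance list is wider than intended. `show ip nat translations` should show no entry for a 192.168.99.x address once the policy route is in place. Note that PBR is evaluated on ingress, so the route-map only touches packets arriving on FastEthernet0/0; traffic from the VPN client towards the server is unaffected, which is fine because it is the server's reply that needs to avoid the translation.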
