I am facing a problem with port forwarding on Cisco router 2801.
2801 is configured with Site-to-Site VPN and DMVPN.

crypto isakmp policy 50
crypto isakmp key xxx address 18.104.22.168
crypto ipsec transform-set NSET esp-3des esp-sha-hmac
crypto map vpn 1 ipsec-isakmp
 set peer 22.214.171.124
 set transform-set NSET
 match address 150

ip address 10.10.70.1 255.255.255.0
ip nat inside

ip address 126.96.36.199
ip nat outside
crypto map vpn

! ip nat is overloaded from fa0/1
ip nat inside source static tcp 10.10.70.50 3389 interface FastEthernet0/1 3383
ip nat inside source static tcp 10.10.70.60 3389 interface FastEthernet0/1 3384
ip nat inside source static tcp 10.10.70.70 3389 interface FastEthernet0/1 3385
access-list 150 permit ip 192.168.203.0 0.0.0.255 10.10.70.0 0.0.0.255

We have several offices that have 881 ISR routers. Those are configured in the same manner.
I am currently behind such a device with 192.168.203.0/24 internal subnet.
So, VPN connections work like a charm. Everything is pingable, users connect to servers behind 2801 through VPN.
Some users need to access servers behind 2801 when they are out of their offices. For this reason I need to configure port forwarding.
As I enter "ip nat inside source static tcp 10.10.70.50 3389 interface FastEthernet0/1 3383", users who sit behind 881s lose the ability to connect to 10.10.70.50's RDP. I have checked, port forwarding is working fine. 10.10.70.50 is also pingable from the 192.168.203.0/24 subnet over VPN (the same in other offices). But no one can connect to servers over VPN.
Please, anyone help me to solve this trouble!
Thanks in advance.
You have reached the Japan certification community site.
There is a technical support community site which meets your request.
Please visit those pages and post this question.
Japan Learning @ Cisco