I'm currently presented with an annoying issue.

I need to configure a IPSec vpn with the the following set up:

Client LAN x.x.x.x/24 -> VPN to Vigor 3900 with LAN y.y.y.y/32

This is all fine and simple the VPN is up and works.
The problem is that we require the traffic to actually go to an RDP server given the IP z.z.z.z which is obviously not part of the /32 subnet.

The client will not allow the VPN our side to be anything but /32 otherwise the RDP could be put onto the same subnet.
I have attempted using the NAT policy but without success - Maybe I'm doing something wrong here?

I have also configured port forwarding but this just allows the access through WAN addresses - which they also will not accept even though it would be firewalled.

Thank you for any advise given.