https://community.cisco.com/t5/network-security/client-vpn-access-to-public-ip/m-p/2550970#M206584 <P>&nbsp;</P><P>Hi,</P><P>Can you try with an extended acl, like this:</P><P>&nbsp;</P><P>access-list acl_splitvpn extended permit ip external_ip 255.255.255.255 any</P><P>&nbsp;</P><P>Regards,</P><P>&nbsp;</P><P>Pedro Lereno</P> Fri, 10 Oct 2014 16:24:20 GMT Pedro Lereno 2014-10-10T16:24:20Z https://community.cisco.com/t5/network-security/client-vpn-access-to-public-ip/m-p/2550967#M206581 <P>Hi, the&nbsp;requirement here is to provide access to a website hosted behind a PIX 515e (version 7 software) via a Cisco VPN client. The client will need to access the website via the "external" IP address of the site,&nbsp;rather than the internal. We currently have Client VPN configurations in place to allow access to servers via the internal IP address, but not via the external( public) address.</P><P>&nbsp;</P><P>Any help with the above would be greatly appreciated.</P> Tue, 12 Mar 2019 04:50:23 GMT https://community.cisco.com/t5/network-security/client-vpn-access-to-public-ip/m-p/2550967#M206581 WelcomEIB 2019-03-12T04:50:23Z https://community.cisco.com/t5/network-security/client-vpn-access-to-public-ip/m-p/2550968#M206582 <P>Hi,</P><P>From your explanation it seems that you have a "nat exempt" rule to your vpn clients, so they access the servers via the internal IP and not the public ("natted") one.</P><P>A possible solution:</P><P>1. Disable nat exempt rule and all vpn clients must access to the public ip of the server.</P><P>or</P><P>2. Create a new address-pool, associate to a vpngroup, and not exempt nat. Example:</P><P>ip local pool OUT_IP 192.168.130.1-192.168.130.255</P><P>vpngroup PUBLICIPACCESS address-pool OUT_IP</P><P>vpngroup&nbsp;PUBLICIPACCESS&nbsp; password&nbsp; xxxxxxxxxx</P><P>access-list outside_access_in permit ip 192.168.130.0 255.255.255.0 any</P><P>access-list outside_cryptomap_dyn_20 permit ip any 192.168.130.0 255.255.255.0<BR />crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20<BR />crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA<BR />crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map</P><P>(attention to the the name and order of the acls and crypto maps)</P><P>&nbsp;</P><P>I hope this could help you.</P><P>&nbsp;</P><P>Best Regards,</P><P>&nbsp;</P><P>Pedro Lereno</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 30 Sep 2014 13:25:13 GMT https://community.cisco.com/t5/network-security/client-vpn-access-to-public-ip/m-p/2550968#M206582 Pedro Lereno 2014-09-30T13:25:13Z https://community.cisco.com/t5/network-security/client-vpn-access-to-public-ip/m-p/2550969#M206583 <P>Hi,</P><P>&nbsp;</P><P>Thanks for your feedback on this. The VPN configuration is in place and working as per your suggestion.</P><P>&nbsp;</P><P>The only item that isn't working well as the split tunnelling. So without split tunnelling the external IP address is accessible, however this will route ALL client traffic through the VPN tunnel.</P><P>&nbsp;</P><P>The split tunnelling config is as follows:</P><P>access-list acl_splitvpn standard&nbsp;permit ip external_ip 255.255.255.255</P><P>group-policy gp_name attributes<BR />&nbsp; split-tunnel-policy tunnelspecified<BR />&nbsp; split-tunnel-network-list value acl_splitvpn</P><P>&nbsp;</P><P>Any further assistance would be appreciated.</P> Wed, 08 Oct 2014 11:24:07 GMT https://community.cisco.com/t5/network-security/client-vpn-access-to-public-ip/m-p/2550969#M206583 WelcomEIB 2014-10-08T11:24:07Z https://community.cisco.com/t5/network-security/client-vpn-access-to-public-ip/m-p/2550970#M206584 <P>&nbsp;</P><P>Hi,</P><P>Can you try with an extended acl, like this:</P><P>&nbsp;</P><P>access-list acl_splitvpn extended permit ip external_ip 255.255.255.255 any</P><P>&nbsp;</P><P>Regards,</P><P>&nbsp;</P><P>Pedro Lereno</P> Fri, 10 Oct 2014 16:24:20 GMT https://community.cisco.com/t5/network-security/client-vpn-access-to-public-ip/m-p/2550970#M206584 Pedro Lereno 2014-10-10T16:24:20Z