
Client VPN access to Public IP

WelcomEIB
Level 1

Hi, the requirement here is to provide access to a website hosted behind a PIX 515e (version 7 software) via a Cisco VPN client. The client will need to access the website via the "external" IP address of the site, rather than the internal one. We currently have Client VPN configurations in place to allow access to servers via the internal IP address, but not via the external (public) address.

 

Any help with the above would be greatly appreciated.

3 Replies

Pedro Lereno
Level 1

Hi,

From your explanation it seems that you have a "nat exempt" rule for your VPN clients, so they access the servers via the internal IP and not the public ("NATed") one.

A possible solution:

1. Disable the nat exempt rule, so that all VPN clients must access the public IP of the server.

or

2. Create a new address pool, associate it with a vpngroup, and do not NAT-exempt it. Example:

ip local pool OUT_IP 192.168.130.1-192.168.130.255
vpngroup PUBLICIPACCESS address-pool OUT_IP
vpngroup PUBLICIPACCESS password xxxxxxxxxx
access-list outside_access_in permit ip 192.168.130.0 255.255.255.0 any
access-list outside_cryptomap_dyn_20 permit ip any 192.168.130.0 255.255.255.0
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

(attention to the name and order of the ACLs and crypto maps)

 

I hope this could help you.

 

Best Regards,

 

Pedro Lereno

 

 

Hi,

 

Thanks for your feedback on this. The VPN configuration is in place and working as per your suggestion.

 

The only item that isn't working well is the split tunnelling. Without split tunnelling the external IP address is accessible; however, this routes ALL client traffic through the VPN tunnel.

 

The split tunnelling config is as follows:

access-list acl_splitvpn standard permit ip external_ip 255.255.255.255
group-policy gp_name attributes
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value acl_splitvpn

 

Any further assistance would be appreciated.

 

Hi,

Can you try with an extended acl, like this:

 

access-list acl_splitvpn extended permit ip external_ip 255.255.255.255 any

 

Regards,

 

Pedro Lereno
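The two things this thread turns on (whether the client pool is NAT-exempt, and whether the split-tunnel list actually carries the server's public address) can be read straight out of a saved configuration. The following Python script is an added example, not code from either poster. It assumes PIX 7.x/ASA-style syntax (`ip local pool`, `nat (inside) 0 access-list`, `group-policy ... attributes`, standard and extended `access-list` lines); the 6.x `vpngroup` form is not parsed. The configuration it reads is constructed for the example: 203.0.113.10 stands in for the server's public address, 10.0.0.10 for its inside address, and the pool, ACL and group-policy names (INSIDE_POOL, OUT_IP, inside_nat0_outbound, acl_splitvpn, acl_splitvpn_ext, gp_inside, gp_public) are chosen for illustration.

```python
import ipaddress
import re

# Constructed sample configuration (not the thread's own config). 203.0.113.10 is the
# server's public address, 10.0.0.10 its inside address. INSIDE_POOL is the classic
# NAT-exempt pool; OUT_IP is a second pool that is deliberately left out of the nat 0 ACL.
SAMPLE_CONFIG = """\
ip local pool INSIDE_POOL 192.168.120.1-192.168.120.254
ip local pool OUT_IP 192.168.130.1-192.168.130.254
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 192.168.120.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
static (inside,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255
access-list acl_splitvpn standard permit 10.0.0.0 255.0.0.0
access-list acl_splitvpn_ext extended permit ip host 203.0.113.10 any
group-policy gp_inside attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acl_splitvpn
group-policy gp_public attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acl_splitvpn_ext
"""


def _addr(tokens, i):
    """Parse one ACL address operand at tokens[i]; return (network, index_after_it)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "address netmask" form; strict=False tolerates host bits in the address part
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_pools(cfg):
    """Map pool name -> (first_ip, last_ip) from `ip local pool NAME A-B` lines."""
    pools = {}
    for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)", cfg, re.M):
        pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                            ipaddress.ip_address(m.group(3)))
    return pools


def parse_acl(cfg, name):
    """Return the permit entries of ACL `name` as (src_net, dst_net) tuples.

    A standard ACL carries a single network; it is returned as dst with src=None.
    """
    entries = []
    for line in cfg.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[1] != name or t[3] != "permit":
            continue
        if t[2] == "standard":
            net, _ = _addr(t, 4)
            entries.append((None, net))
        elif t[2] == "extended":
            # t[4] is the protocol (ip, tcp, ...); source then destination follow
            src, i = _addr(t, 5)
            dst, _ = _addr(t, i)
            entries.append((src, dst))
    return entries


def pool_is_nat_exempt(cfg, pool_name):
    """True if some `nat (iface) 0 access-list` ACL has an entry whose destination
    overlaps the pool. That is the usual NAT-exempt rule for VPN clients, and it is
    what makes clients reach servers by inside address instead of the public one."""
    first, last = parse_pools(cfg)[pool_name]
    for m in re.finditer(r"^nat \(\S+\) 0 access-list (\S+)", cfg, re.M):
        for _src, dst in parse_acl(cfg, m.group(1)):
            if dst.network_address <= last and dst.broadcast_address >= first:
                return True
    return False


def split_tunnel_covers(cfg, policy, ip):
    """True if group-policy `policy` sends traffic for `ip` through the tunnel.

    On a standard split-tunnel ACL the listed network is the one tunnelled; on an
    extended one the *source* operand names the network behind the firewall.
    """
    ip = ipaddress.ip_address(ip)
    m = re.search(rf"^group-policy {re.escape(policy)} attributes\n((?: .*\n)*)", cfg, re.M)
    if not m:
        raise KeyError(policy)
    body = m.group(1)
    if "split-tunnel-policy tunnelspecified" not in body:
        return True  # tunnelall (the default when no policy is set): everything is tunnelled
    acl = re.search(r"split-tunnel-network-list value (\S+)", body)
    if not acl:
        return False
    for src, dst in parse_acl(cfg, acl.group(1)):
        if ip in (dst if src is None else src):
            return True
    return False


if __name__ == "__main__":
    for pool in ("INSIDE_POOL", "OUT_IP"):
        print(pool, "NAT-exempt:", pool_is_nat_exempt(SAMPLE_CONFIG, pool))
    for gp in ("gp_inside", "gp_public"):
        print(gp, "tunnels 203.0.113.10:", split_tunnel_covers(SAMPLE_CONFIG, gp, "203.0.113.10"))
```

Run against the sample, INSIDE_POOL is reported NAT-exempt and OUT_IP is not, which is exactly the split between the two pools Pedro describes. gp_inside tunnels only 10.0.0.0/8, so the public address is not covered; gp_public, whose extended ACL puts the public host in the source operand, covers it. For a real device, paste the output of `show running-config` in place of SAMPLE_CONFIG.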
