06-08-2012 12:40 AM
we have a site to site tunnel ... connecting a few users to a server at our site over a VPN tunnel... now the requirement is to have public access to this server from outside as this server also holds a website... any suggestions ..
is this a NAT to another public IP ... right now the tunnel is working fine ... but the moment I put a NAT on the router for another public IP the users at the remote site are not able to connect to the server then....
my tunnel IP on the router is a loopback interface ...
the internal server has its gateway pointing to the router, and the router is connected to the WAN
06-08-2012 05:22 AM
If you are allowing internet from your end... then you can separate the internet traffic from the tunnel and you can do that.... because only the specific allowed range mentioned in the VPN access-list alone will go into the tunnel.
because you have the specific rules allowed in the general outbound ACL and ip-to-ip flow for the same destination subnets in the vpntunnel ACL as well for interesting traffic for Site to Site. But still you can permit internet access to the server by allowing it in a general outbound ACL and a NAT specified for the same. If it is inbound internet traffic then it should be vice versa....
S2S ACL's
=========
access-list outbound extended permit tcp 10.0.0.0 255.255.255.0 (SRC) 172.16.10.0 255.255.255.0 eq 80 (ACL for S2S)
access-list vpntunnel extended permit ip 10.0.0.0 255.255.255.0 (SRC) 172.16.10.0 255.255.255.0 (crypto ACL; "ip" carries no port, so no "eq 80" here)
say 10.0.0.100 is the server.
Outside to inside
=============
access-list inbound extended permit tcp any host 10.0.0.100 eq 80 (or 443, as per the requirement).
You need to have the NAT policy created for the server specifying any host from outside towards the public ip of the server has to get PATed to the server.
06-08-2012 05:41 AM
thanks for the help...
not sure I am able to understand what you said, sorry .. can you please advise based on my config below ...
i have one more question ... when we have configured the ACL .. should it be configured between peer public IPs or the LAN IPs .. like now I have got some ports to be allowed and the rest to be blocked over the tunnel, so do I need to put the ACL based on the LAN IPs from the other side ... because my peer IP, which is public, does not take effect if I put the policy there...
boot-start-marker
boot-end-marker
!
logging buffered 52000
!
no aaa new-model
memory-size iomem 10
clock timezone UTC 4
!
ip source-route
!
!
!
!
ip cef
no ip domain lookup
!
!
!
!
!
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
lifetime 28800
crypto isakmp key PSK-KEY address 1.2.3.4
!
!
crypto ipsec transform-set CLIENT-XXX_trans esp-aes 256 esp-sha-hmac
crypto ipsec nat-transparency spi-matching
!
!
crypto map CLIENT-XXX_map local-address Loopback0
crypto map CLIENT-XXX_map 10 ipsec-isakmp
set peer 1.2.3.4
set transform-set CLIENT-XXX_trans
match address acl_vpn
!
!
!
!
!
!
interface Loopback0
ip address 196.192.X.X 255.255.255.248
ip flow ingress
!
interface FastEthernet0
load-interval 30
!
!
interface FastEthernet4
ip address 172.30.7.194 255.255.255.252
ip access-group protect_inbound_traffic in
ip nat outside
ip virtual-reassembly
load-interval 30
duplex auto
speed auto
crypto map CLIENT-XXX_map
!
interface Vlan1
ip address 10.10.11.1 255.255.255.0
ip verify unicast reverse-path
ip nat inside
ip virtual-reassembly
load-interval 30
!
!
no ip nat create flow-entries
ip route 0.0.0.0 0.0.0.0 172.30.7.193
!
ip access-list extended acl_nat
deny ip host 10.10.11.3 host 1.2.3.4
deny ip host 10.10.11.3 host 172.170.128.169
deny ip host 10.10.11.3 host 172.170.124.169
ip access-list extended acl_vpn
permit ip host 10.10.11.3 host 172.170.124.169
permit ip host 10.10.11.3 host 172.170.128.169
permit ip host 10.10.11.3 host 1.2.3.4
ip access-list extended protect_inbound_traffic
permit ip 172.17.24.0 0.0.0.255 host 10.10.11.3
permit udp host 1.2.3.4 host 172.30.7.194 eq non500-isakmp
permit udp host 1.2.3.4 host 172.30.7.194 eq isakmp
permit esp host 1.2.3.4 host 172.30.7.194
permit ahp host 1.2.3.4 host 172.30.7.194
permit icmp host 1.2.3.4 host 196.192.X.X
permit tcp host 1.2.3.4 host 196.192.X.X established
permit ip host 1.2.3.4 host 196.192.X.X
!
snmp-server ifindex persist
!
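The two points in this thread, the earlier reply's split between "what goes into the tunnel" (crypto ACL plus NAT exemption) and "what the Internet may reach" (static NAT plus inbound ACL), and the question just above about whether tunnel ACLs are written on peer public IPs or LAN IPs, are both shown in the IOS configuration below. This is an added, editor-written example, not the poster's running config or a Cisco reference config. It reuses the names already on the page (server 10.10.11.3, peer 1.2.3.4, remote hosts 172.170.124.169 and 172.170.128.169, interface FastEthernet4, crypto map CLIENT-XXX_map, ACL names acl_vpn, acl_nat, protect_inbound_traffic) and assumes two placeholder addresses: 203.0.113.10 as the second public IP for the web site and 198.51.100.1 as the Loopback0 tunnel endpoint. The `reversible` keyword on the static NAT is assumed to be available on the poster's IOS release.

```cisco
! Added example (editor's), not the poster's running configuration.
! Assumed placeholders: 203.0.113.10 = second public IP for the web site,
!                       198.51.100.1 = Loopback0 address (tunnel endpoint).

! --- Crypto ACL: written on LAN addresses, never on the peer's public IP ----
! This ACL selects interesting traffic and is evaluated on the cleartext
! packet, so both ends are inside hosts. It must mirror the remote side's ACL.
ip access-list extended acl_vpn
 permit ip host 10.10.11.3 host 172.170.124.169
 permit ip host 10.10.11.3 host 172.170.128.169

! --- Dynamic PAT for the LAN, with NAT exemption for the VPN flows ----------
! On inside->outside, IOS translates before it consults the crypto map, so a
! translated packet no longer matches acl_vpn. The deny lines keep the
! server<->remote-host flows untranslated; everything else is PATed.
ip access-list extended acl_nat
 deny   ip host 10.10.11.3 host 172.170.124.169
 deny   ip host 10.10.11.3 host 172.170.128.169
 permit ip 10.10.11.0 0.0.0.255 any
ip nat inside source list acl_nat interface FastEthernet4 overload

! --- Static NAT for the public web site on the extra address ----------------
! A bare "ip nat inside source static 10.10.11.3 203.0.113.10" would also
! translate the VPN flows, which is the symptom described in the thread.
! The route-map limits the static translation to non-VPN destinations;
! "reversible" lets sessions initiated from the Internet towards 203.0.113.10
! create the translation (assumed available on this release).
ip access-list extended acl_server_nat
 deny   ip host 10.10.11.3 host 172.170.124.169
 deny   ip host 10.10.11.3 host 172.170.128.169
 permit ip host 10.10.11.3 any
route-map SERVER_NAT permit 10
 match ip address acl_server_nat
ip nat inside source static 10.10.11.3 203.0.113.10 route-map SERVER_NAT reversible

! --- WAN inbound ACL: IKE/ESP to the tunnel endpoint, web to the public IP --
! Inbound ACLs are checked before outside->inside NAT, so the web entries name
! the public (global) address, not 10.10.11.3. Because the crypto map uses
! Loopback0 as local-address, IKE and ESP arrive for that address.
ip access-list extended protect_inbound_traffic
 permit udp host 1.2.3.4 host 198.51.100.1 eq isakmp
 permit udp host 1.2.3.4 host 198.51.100.1 eq non500-isakmp
 permit esp host 1.2.3.4 host 198.51.100.1
 permit tcp any host 203.0.113.10 eq www
 permit tcp any host 203.0.113.10 eq 443
 ! Decrypted tunnel packets are re-checked against this inbound ACL (the posted
 ! config already carries a line for that reason), so the remote hosts must be
 ! allowed to the server's real inside address. Port restrictions for the
 ! tunnel belong here, on LAN addresses, e.g. "eq 3389" instead of "ip".
 permit ip host 172.170.124.169 host 10.10.11.3
 permit ip host 172.170.128.169 host 10.10.11.3

interface FastEthernet4
 ip access-group protect_inbound_traffic in
 ip nat outside
 crypto map CLIENT-XXX_map
```

After applying, `show ip nat translations` should show entries for 203.0.113.10 only for Internet sessions and none for the remote-host pairs, `show crypto ipsec sa` should show the encaps/decaps counters for the server-to-remote-host flows incrementing again, and `show access-lists` shows which protect_inbound_traffic lines are being hit. One thing worth checking in the posted configuration: the decrypted-traffic permit there is for 172.17.24.0/24, while acl_vpn names 172.170.124.169 and 172.170.128.169; the two must agree, or the remote hosts' packets are dropped after decryption.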
06-10-2012 10:40 PM
Guys, any help? Please advise.