site to site VPN with Internet

JATINDER KUMAR
Level 1

We have a site-to-site tunnel connecting a few users to a server at our site over a VPN tunnel. Now the requirement is to have public access to this server from outside, as this server also hosts a website. Any suggestions?

Is this a NAT to another public IP? Right now the tunnel is working fine, but the moment I put a NAT on the router for another public IP, the users at the remote site are not able to connect to the server anymore.

My tunnel IP on the router is a loopback interface.

The internal server has its gateway on the router, and the router is connected to the WAN.

3 Replies

nkarthikeyan
Level 7

If you are allowing internet from your end, then you can separate the internet traffic from the tunnel, and you can do that because only the specific allowed range mentioned in the VPN access-list will go into the tunnel.

Because you have the specific rules allowed in the general outbound ACL, and an ip-to-ip flow for the same destination subnets in the vpntunnel ACL as well, as interesting traffic for the site-to-site. But you can still permit internet access for the server by allowing it in the general outbound ACL and specifying a NAT for the same. If it is inbound internet traffic, then it should be vice versa.

S2S ACLs

=========

! outbound ACL for the site-to-site traffic: source 10.0.0.0/24, destination 172.16.10.0/24
access-list outbound extended permit tcp 10.0.0.0 255.255.255.0 172.16.10.0 255.255.255.0 eq 80
! crypto (interesting traffic) ACL; an "ip" entry carries no port
access-list vpntunnel extended permit ip 10.0.0.0 255.255.255.0 172.16.10.0 255.255.255.0

Say 10.0.0.100 is the server.

Outside to inside

=============

! inbound ACL, one entry per published port (80 and/or 443 as per the requirement)
access-list inbound extended permit tcp any host 10.0.0.100 eq 80
access-list inbound extended permit tcp any host 10.0.0.100 eq 443

You need to have a NAT policy created for the server specifying that any host from outside towards the public IP of the server gets PATed to the server.

Thanks for the help...

Not sure I am able to understand what you said, sorry. Can you please advise based on my config below?

I have one more question. When we configure the ACL, should it be configured between the peer public IPs or the LAN IPs? Right now I have some ports to be allowed and the rest to be blocked across the tunnel, so do I need to put the ACL based on the LAN IP from the other side? Because a policy on my peer IP, which is public, has no effect.

boot-start-marker
boot-end-marker
!
logging buffered 52000
!
no aaa new-model
memory-size iomem 10
clock timezone UTC 4
!
ip source-route
!
ip cef
no ip domain lookup
!
! Phase 1 (IKEv1) policy and pre-shared key for the remote peer
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key PSK-KEY address 1.2.3.4
!
! Phase 2 transform set; the crypto map sources IKE/ESP from Loopback0
crypto ipsec transform-set CLIENT-XXX_trans esp-aes 256 esp-sha-hmac
crypto ipsec nat-transparency spi-matching
!
crypto map CLIENT-XXX_map local-address Loopback0
crypto map CLIENT-XXX_map 10 ipsec-isakmp
 set peer 1.2.3.4
 set transform-set CLIENT-XXX_trans
 match address acl_vpn
!
interface Loopback0
 ip address 196.192.X.X 255.255.255.248
 ip flow ingress
!
interface FastEthernet0
 load-interval 30
!
! WAN interface: inbound ACL, NAT outside and the crypto map are applied here
interface FastEthernet4
 ip address 172.30.7.194 255.255.255.252
 ip access-group protect_inbound_traffic in
 ip nat outside
 ip virtual-reassembly
 load-interval 30
 duplex auto
 speed auto
 crypto map CLIENT-XXX_map
!
! LAN interface (the server 10.10.11.3 lives here)
interface Vlan1
 ip address 10.10.11.1 255.255.255.0
 ip verify unicast reverse-path
 ip nat inside
 ip virtual-reassembly
 load-interval 30
!
no ip nat create flow-entries
ip route 0.0.0.0 0.0.0.0 172.30.7.193
!
! NAT exemption list: server traffic towards the tunnel destinations is not translated
ip access-list extended acl_nat
 deny   ip host 10.10.11.3 host 1.2.3.4
 deny   ip host 10.10.11.3 host 172.170.128.169
 deny   ip host 10.10.11.3 host 172.170.124.169
! Crypto ACL (interesting traffic for the site-to-site tunnel)
ip access-list extended acl_vpn
 permit ip host 10.10.11.3 host 172.170.124.169
 permit ip host 10.10.11.3 host 172.170.128.169
 permit ip host 10.10.11.3 host 1.2.3.4
! Inbound ACL on the WAN interface: remote LAN to the server, IKE/ESP/AH from the peer
ip access-list extended protect_inbound_traffic
 permit ip 172.17.24.0 0.0.0.255 host 10.10.11.3
 permit udp host 1.2.3.4 host 172.30.7.194 eq non500-isakmp
 permit udp host 1.2.3.4 host 172.30.7.194 eq isakmp
 permit esp host 1.2.3.4 host 172.30.7.194
 permit ahp host 1.2.3.4 host 172.30.7.194
 permit icmp host 1.2.3.4 host 196.192.X.X
 permit tcp host 1.2.3.4 host 196.192.X.X established
 permit ip host 1.2.3.4 host 196.192.X.X
!
snmp-server ifindex persist
!

Guys, any help? Please advise.
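The following IOS fragment is an added example written for this thread; it is not part of any post above and has not been taken from the poster's router. It builds on the config posted above and addresses both questions: publishing the server on a second public IP without breaking the tunnel, and filtering tunnel traffic by LAN address rather than by peer address. It assumes 203.0.113.10 is a public address the ISP routes to this router (a spare address from the /29 on Loopback0 would serve the same purpose), and that TCP 3389 and 445 are the ports to be allowed across the tunnel; every other name and address is taken from the posted config. The reason a plain static NAT broke the tunnel is IOS's order of operations for inside-to-outside traffic: NAT runs before the crypto map is checked, so 10.10.11.3 was rewritten to the public address and no longer matched acl_vpn. Tying the static NAT to a route-map that skips the tunnel destinations keeps the crypto ACL matching.

```cisco
! --- Added example, not from the thread. Assumed: 203.0.113.10 is a public IP
! --- routed to this router; ports 3389/445 are the ones to allow over the tunnel.
!
! Flows that must NOT be translated: the same destinations the crypto ACL (acl_vpn)
! sends through the tunnel. Everything else from the server is translated.
ip access-list extended acl_nat_web
 deny   ip host 10.10.11.3 host 172.170.124.169
 deny   ip host 10.10.11.3 host 172.170.128.169
 deny   ip host 10.10.11.3 host 1.2.3.4
 permit ip host 10.10.11.3 any
!
route-map NAT_WEB permit 10
 match ip address acl_nat_web
!
! Static NAT bound to the route-map. "reversible" lets sessions that start from the
! Internet (web clients) create the translation too; confirm the keyword exists on
! your IOS release with "ip nat inside source static ... route-map NAT_WEB ?".
ip nat inside source static 10.10.11.3 203.0.113.10 route-map NAT_WEB reversible
!
! The inbound ACL on FastEthernet4 sees outside-to-inside packets before they are
! un-NATed, so the entries name the public address, not 10.10.11.3.
ip access-list extended protect_inbound_traffic
 permit tcp any host 203.0.113.10 eq 80
 permit tcp any host 203.0.113.10 eq 443
!
! Second question: restrict what the remote side may reach over the tunnel.
! After decryption the packets carry LAN addresses, so the filter names the LAN
! hosts; an entry on the peer's public IP only ever sees ESP. Applying it outbound
! on Vlan1 works regardless of whether the IOS release re-checks the WAN inbound
! ACL against decrypted packets.
ip access-list extended tunnel_to_server
 permit tcp host 172.170.124.169 host 10.10.11.3 eq 3389
 permit tcp host 172.170.128.169 host 10.10.11.3 eq 3389
 permit tcp host 172.170.124.169 host 10.10.11.3 eq 445
 permit tcp host 172.170.128.169 host 10.10.11.3 eq 445
 deny   ip host 172.170.124.169 host 10.10.11.3
 deny   ip host 172.170.128.169 host 10.10.11.3
 permit ip any any
!
interface Vlan1
 ip access-group tunnel_to_server out
```

After applying this, "show ip nat translations" should show the 10.10.11.3 <-> 203.0.113.10 entry for web sessions only, "show crypto ipsec sa" should still count encaps/decaps for the 10.10.11.3 <-> 172.170.x.x flows, and "show access-lists tunnel_to_server" should show hits on the deny entries when the remote side tries a blocked port. Bind the route-map to the existing dynamic PAT rule as well if the rest of the LAN is ever given Internet access, so that a second NAT rule does not reintroduce the same problem.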
