External Access to a Single Server Via VPN

Communications
Level 1

Hi,

I have clients connecting to a Router (878) using the VPN Client; they can access what they need internally.

A new requirement has come up: there is an externally hosted server that has IP restrictions so that only a range of internal addresses can access it.

The question is, when the VPN client is connected and it picks up an internal address, how can I allow access from inside out to this one host? I had thought of split tunneling, but the connection needs to come from the internal LAN, and in this case that does not seem like it will work. There is only one Internet connection, and there are no proxies internally I could use.

Will this work? If so, what is the best way of accomplishing this?

Thanks


Accepted Solutions

I will need to search my docs, but I am pretty sure I have an example... In any case, here is some more info.

Do split tunneling and include this traffic from pool to server in that.

Next, on your outside I will do source-based routing, directing all traffic from pool IP to the public server IP to loopback using the set interface command,

and then classify this loopback as internal by making it ip nat inside, so that anything going out from this interface will be natted/patted to your interface IP, and now your server will recognise it.

Hope this helps.

ip access-list extended split
  permit
  permit

-------

for route-map

ip access-list extended vpn
  permit ip
  permit ip

route-map vpn permit 10
  match ip address vpn
  set interface loopback0

int loopback0
  ip address
  ip nat inside

include the traffic from pool ip to server in the nat acl's

-------------------

If this is difficult, please paste your config and I will try to put it accordingly.
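
A filled-in version of the configuration sketched in the accepted solution above, as an added example that is not part of the original post. The addresses (LAN 192.168.1.0/24, VPN pool 192.168.50.0/24, hosted server 203.0.113.10, loopback 10.255.255.1/30), the outside interface Dialer0 and the NAT ACL name nat are constructed assumptions; split, vpn and Loopback0 follow the post.

```cisco
! Constructed values: LAN 192.168.1.0/24, VPN pool 192.168.50.0/24,
! hosted server 203.0.113.10, outside interface Dialer0 (all assumptions).
!
! 1. Split-tunnel ACL (the one referenced by "acl split" in the VPN
!    client group): the client tunnels traffic for the LAN and for the
!    one hosted server; everything else stays on the client's own link.
ip access-list extended split
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip host 203.0.113.10 any
!
! 2. Policy-routing ACL: only pool-to-server traffic is turned around.
!    Keeping this to a single host stops VPN clients from reaching the
!    rest of the Internet with the office address.
ip access-list extended vpn
 permit ip 192.168.50.0 0.0.0.255 host 203.0.113.10
!
! "set interface" follows the post; an alternative is "set ip next-hop"
! pointing at an address inside the loopback's subnet.
route-map vpn permit 10
 match ip address vpn
 set interface Loopback0
!
! 3. The loopback is the NAT "inside" leg for decrypted client traffic.
interface Loopback0
 ip address 10.255.255.1 255.255.255.252
 ip nat inside
!
! 4. Outside interface: decrypted client packets arrive here, so the
!    policy route-map is applied here; it is also the NAT outside leg.
interface Dialer0
 ip nat outside
 ip policy route-map vpn
!
! 5. NAT ACL (name "nat" is an assumption; existing LAN entries stay as
!    they are): add the pool-to-server flow so it is PATed to Dialer0.
ip access-list extended nat
 permit ip 192.168.50.0 0.0.0.255 host 203.0.113.10
!
ip nat inside source list nat interface Dialer0 overload
!
! Checks after a client connects and opens a session to the server:
!   show route-map vpn         (policy-routing match counters increase)
!   show ip nat translations   (pool address translated to the Dialer0 address)
```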


3 Replies

Jitendriya Athavale
Cisco Employee

Send all the VPN traffic to loopback IP using route map.

Make loopback IP as ip nat inside,

and include the traffic from pool to that public IP as part of NAT traffic.

Hi Jathaval,

Thanks for responding. Can you point me at any more detailed info, as I haven't heard of this before?

Thanks Mike

