VPN help with presenting public IP to client

Answered Question

Currently we have set up our VPNs so they can talk LAN side to LAN side.

Att: contains relevant parts of the VPN structure which work between the offices.

We now have a client we need to set up a tunnel to that will not allow private IPs. They want a tunnel set up so that our public IP is what comes into their network. Any ideas on how this can be accomplished with our current VPN structure? They have given me their VPN gateway and the pre-share, but how can I present so anything going to them only shows our public and not the inside server IP that is sending to them? Seems like everything I try gets denied on their side.

Todd Pula Wed, 06/24/2009 - 11:07

In a hide NAT scenario, you will want to ensure that the interesting traffic ACL for the tunnel includes the post-NAT address as the source. IPSec and ISAKMP debugs would be helpful to see where exactly the connection is failing.

Therein lies the problem. I've only dealt with private IP to private IP VPNs. This is new to me and I don't even know where to start. Do I need a different kind of ACL to allow his public address to be hosted by my private, or does the ACL say something like my public address host his public address, then do something different in my NAT statements? Basically we have one server behind the router, let's say 192.168.7.45 just for an example. The client does not want the tunnel to show my private 7.45 server; he will only accept my public IP, which sits on the serial interface, to come across the tunnel and attach to his public IP address, which is attached to a server he has on the inside, without either site ever seeing the private addresses. Anybody have any configs that have this type of configuration or close to it??

Correct Answer
Todd Pula Thu, 06/25/2009 - 06:20

Please take a look at the attached config from my lab and let me know if you have any further questions. You are close in your configuration. You will be relying on the egress NAT configuration to overload to your outside interface IP. When configuring the crypto map, you will want to make sure that the interesting traffic ACL includes the outside interface IP as the source.
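The attached lab config is not on this page, so the following is a constructed IOS fragment (not Todd's attachment) showing the two points he makes: overload NAT to the outside interface IP, and a crypto ACL whose source is that post-NAT address rather than 192.168.7.45. The public addresses (203.0.113.10 for our Serial0/0, 198.51.100.1 for the peer gateway, 198.51.100.50 for the peer's host), the interface names, the pre-shared key and the other-office LAN are placeholders; on a router that already has a crypto map on the serial interface, the client tunnel would be an additional sequence number in that existing map.

```cisco
! Constructed example, not the attachment from the thread.
! Assumed addresses (RFC 5737 documentation ranges):
!   our outside (Serial0/0) IP:           203.0.113.10  (what the peer sees)
!   inside server:                        192.168.7.45  (from the thread)
!   peer VPN gateway:                     198.51.100.1
!   peer's public host behind the tunnel: 198.51.100.50
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key <PRE-SHARED-KEY> address 198.51.100.1
!
crypto ipsec transform-set TS-CLIENT esp-aes 256 esp-sha-hmac
!
! Interesting traffic: the source is the POST-NAT address (outside interface IP),
! not the 192.168.7.45 server, because inside-to-outside NAT is applied before
! the crypto map is evaluated on egress.
ip access-list extended VPN-CLIENT
 permit ip host 203.0.113.10 host 198.51.100.50
!
crypto map CMAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-CLIENT
 match address VPN-CLIENT
!
! Hide NAT: overload the inside LAN behind the Serial0/0 address.
! Traffic for the existing office-to-office tunnels is denied here so it
! stays untranslated (NAT exemption) and keeps matching those tunnels' ACLs.
ip access-list extended NAT-INSIDE
 deny   ip 192.168.7.0 0.0.0.255 <OTHER-OFFICE-LAN> <WILDCARD>
 permit ip 192.168.7.0 0.0.0.255 any
ip nat inside source list NAT-INSIDE interface Serial0/0 overload
!
interface Serial0/0
 ip address 203.0.113.10 255.255.255.252
 ip nat outside
 crypto map CMAP
!
interface FastEthernet0/0
 ip address 192.168.7.1 255.255.255.0
 ip nat inside
```

Because the server is hidden behind PAT on the interface address, sessions have to be initiated from 192.168.7.45; the peer's host cannot open connections inward unless a static translation is added for it. If the peer still rejects the proposal, `debug crypto isakmp` and `debug crypto ipsec` show which phase fails, as suggested above.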

Todd Pula Thu, 06/25/2009 - 10:20

Glad I could help. Please rate this post so that others can use the content to solve similar issues.
