How can I bypass the IPsec tunnel when doing FTP?

Answered Question
May 24th, 2010

Hi,


I have a VPN IPsec tunnel between my branch office and head office (router VPN). I need to do FTP to a specific IP on the Internet without passing through the IPsec tunnel. This should happen at my branch site, so when users try ftp://125.7.123.46 this should bypass the tunnel and connect directly?


Can anyone give me a heads up on how I can achieve this on my router?


Thanks in advance,

Reza

Federico Coto F... Mon, 05/24/2010 - 17:46

Reza,


Is the VPN tunnel between two routers?

You can access the server via FTP from the Internet because in the interesting traffic you just specify the traffic that goes through the tunnel.


i.e.

Let's say that you have the following scenario:


LAN1 - Router1 - Internet - Router2 - LAN2


There's an L2L between both routers.

Only traffic between both LANs will be sent through the tunnel.

If you access a server on either LAN with a public IP, the connection should work.


If it's not working, then we need to look at your NAT statements and the VPN configuration.


Federico.

reza.rafatifard Mon, 05/24/2010 - 22:57

Hi Federico,


Just forget my last discussion; the scenario has changed. We don't want to bypass the tunnel. Here is what we are after:

The users at the branch office (Perth) cannot do FTP to a server on the Internet. We just want to change the NAT/rules to make it happen.

We have a head office in Sydney whose router has IPsec VPNs to the other branches, including Melbourne, Perth, etc.

We just want to fix FTP access for Perth users, not for any other branches.


Everything is router-to-router IPsec. From the Perth and Sydney routers I can ping the FTP address (203.171.5.4), but from a client at Perth I cannot ping or telnet to that IP.


I uploaded the router configs from the Sydney and Perth routers.


Please ask me for a fuller picture of the environment.


Regards,

Reza

Federico Coto F... Tue, 05/25/2010 - 12:34

Reza,


So you have a site-to-site tunnel between these two routers (Sydney and Perth).

You want to be able to access 203.171.5.4 via FTP from a client at Perth, correct?


Questions:

Where is the 203.171.5.4 server? On the Internet?

To be able to access that server you need to enable NAT on the Perth side.


Is this what you need to do?


Federico.

reza.rafatifard Tue, 05/25/2010 - 16:02

Hi Federico,


Exactly. We want to be able to access 203.171.5.4 via FTP from a client at Perth.

Yes, to be able to access that server we need to enable NAT on the Perth side.


Can you help with the commands we can configure on the Perth router to make this happen?

At this moment there is access-list 191 on the Perth router to allow 192.168.10.0 traffic to pass through IPsec:

access-list 191 remark Crypto ACL for Encryption to Sydney
access-list 191 permit ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255


Your advice on this is much appreciated.



Regards,

Reza

Correct Answer
Federico Coto F... Tue, 05/25/2010 - 22:33

Reza,


To be able to reach that server from the 192.168.10.0/24 network, here's what you need:


##########################################

! Exempt Perth-to-Sydney traffic from NAT so it still matches crypto ACL 191
access-list 150 deny ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
! Everything else from the Perth LAN is translated (PAT) out of Dialer0
access-list 150 permit ip 192.168.10.0 0.0.0.255 any

ip nat inside source list 150 interface Dialer0 overload

interface Ethernet0
 ip nat inside

interface Dialer0
 ip nat outside

#########################################


With the above configuration you're providing Internet access to the 192.168.10.0/24 network without interfering with the IPsec traffic.


Do you have this thread duplicated?


Federico.

reza.rafatifard Wed, 05/26/2010 - 02:26

Hi Mate,


How can I have this without providing Internet access, just giving access to that specific FTP address?


The 150 access-list allows everything open.


Your advice is much appreciated,

Reza
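A narrower version of the NAT rule, added here as an example and not part of the thread or of any config posted in it: it keeps the tunnel exemption from the accepted answer but translates only TCP from the Perth LAN to the FTP server, so ACL 150 no longer opens general Internet access. The interface names (Ethernet0 inside, Dialer0 outside), the subnets and the server address are taken from the thread; the comments and the remark lines are assumptions about the rest of the Perth router.

```cisco
! Added example, not from the thread. Assumes the Perth router as described above:
! Ethernet0 = inside LAN 192.168.10.0/24, Dialer0 = Internet-facing interface,
! Sydney LAN 192.168.2.0/24 reached through the IPsec tunnel (crypto ACL 191),
! FTP server 203.171.5.4 on the Internet.
!
! The old ACL 150 (deny tunnel traffic, then "permit ip ... any") is replaced outright.
no access-list 150
!
! 1. The deny must stay first: inside-to-outside NAT runs before the crypto check,
!    so translated Perth-to-Sydney traffic would no longer match crypto ACL 191 and
!    would leave Dialer0 unencrypted instead of through the tunnel.
access-list 150 remark NAT exemption: keep Perth-to-Sydney traffic inside the IPsec tunnel
access-list 150 deny   ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! 2. Translate only TCP from the Perth LAN to the FTP server. All TCP rather than
!    "eq ftp", so a passive-mode data connection to a server-chosen port is also
!    translated. The implicit deny at the end leaves every other destination
!    untranslated, i.e. no general Internet access.
access-list 150 remark Translate only what is needed to reach the FTP server
access-list 150 permit tcp 192.168.10.0 0.0.0.255 host 203.171.5.4
!
! Same NAT statement and interface roles as the accepted answer.
ip nat inside source list 150 interface Dialer0 overload
!
interface Ethernet0
 ip nat inside
!
interface Dialer0
 ip nat outside
```

After applying it, run `clear ip nat translation *` so entries built under the old ACL do not linger, then check `show access-lists 150` (hit counters on the deny line confirm tunnel traffic is being exempted), `show ip nat translations` while a client is connected to 203.171.5.4, and `show crypto ipsec sa` to confirm the Sydney SAs still carry packets. Two caveats: the ACL only permits TCP, so the ping test Reza used from a client will still fail while `telnet 203.171.5.4 21` succeeds, which is the intended "FTP only" behaviour; and FTP through PAT relies on the IOS NAT FTP ALG rewriting the addresses in the PORT/PASV exchange, which is on by default for port 21 and needs `ip nat service list <acl> ftp tcp port <port>` if the server listens on a non-standard control port.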
