05-24-2010 05:29 PM - edited 02-21-2020 04:39 PM
Hi,
I do have a VPN IPsec tunnel between my branch office and head office (Router VPN). I need to do FTP to a specific IP on the Internet without passing through the IPsec tunnel. This should be happening on my branch site. So when users try ftp://125.7.123.46 this should bypass the tunnel and connect directly?
Can anyone give me a heads up on how I can achieve this on my router?
Thanks in advance,
Reza
Solved!
05-24-2010 05:46 PM
Reza,
Is the VPN tunnel between two routers?
You can access the server via FTP from the internet because on the interesting traffic you just specify the traffic to go through the tunnel.
ie.
Let's say that you have the following scenario:
LAN1 - Router1 - Internet - Router2 - LAN2
There's a L2L between both routers.
Only traffic between both LANs will be sent through the tunnel.
If you access a server on either LAN with a public IP, the connection should work.
If it's not working, then we need to look at your NAT statements and the VPN configuration.
Federico.
05-24-2010 10:57 PM
Hi Federico,
Just forget my last discussion, the scenario changed. We don't want to bypass the tunnel; here is what we are after:
The users at the branch office (Perth) cannot do FTP to a server on the Internet. We just want a change on the NAT/rules to make it happen.
We do have a head office in Sydney; that router has VPN IPsec to other branches including Melbourne, Perth, ..
We just want to fix FTP access for Perth users, not for any other branches.
Everything is router-to-router IPsec. From the Perth and Sydney routers, I can ping the FTP address (203.171.5.4), but from a client at Perth, I cannot ping or telnet to that IP.
I uploaded the router configs from the Sydney and Perth routers.
Please ask me for a fuller picture of the environment.
Regards,
Reza
05-25-2010 12:34 PM
Reza,
So you have a Site-to-Site tunnel between these two routers (syd and perth).
You want to be able to access 203.171.5.4 via FTP from a client at Perth, correct?
Questions:
Where is the 203.171.5.4 server? On the Internet?
To be able to access that server you need to enable NAT on perth side.
Is this what you need to do?
Federico.
05-25-2010 04:02 PM
Hi Federico,
Exactly, we want to be able to access 203.171.5.4 via FTP from a client at Perth.
Yes, to be able to access that server we need to enable NAT on the Perth side.
Can you help with the commands we can configure on the Perth router to make this happen?
At this moment there is access-list 191 on the Perth router to allow 192.168.10.0 traffic to pass through IPsec:
access-list 191 remark Crypto ACL for Encryption to Sydney
access-list 191 permit ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
Your advice on this is much appreciated.
Regards,
Reza
05-25-2010 10:33 PM
Reza,
To be able to reach that server from the 192.168.10.0/24 network, here's what you need:
##########################################
access-list 150 deny ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 150 permit ip 192.168.10.0 0.0.0.255 any
ip nat inside source list 150 interface Dialer0 overload
interface Ethernet0
ip nat inside
interface Dialer0
ip nat outside
#########################################
With the above configuration you're providing Internet access to the 192.168.10.0/24 network without interfering with the IPsec traffic.
Do you have this thread duplicated?
Federico.
05-26-2010 02:26 AM
Hi Mate,
How can I have this without providing Internet access, just giving access to that specific FTP address?
The 150 access-list allows everything open.
Your advice is much appreciated,
Reza
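Added example (not code from any post in this thread): a small Python model of how the two ACLs on the Perth router interact. It parses Federico's NAT ACL 150 and the crypto ACL 191 as posted above, applies IOS first-match semantics with wildcard masks and the implicit deny at the end, and classifies a flow as encrypted, translated, or neither. IOS translates inside-to-outside traffic before it checks the crypto map, so the model evaluates ACL 150 first and then matches the (possibly translated) source against ACL 191; that is why the deny line for 192.168.2.0/24 at the top of ACL 150 is what keeps the VPN traffic working, as Federico's explanation of interesting traffic implies. For Reza's last question it also includes a constructed variant of ACL 150 that uses "host 203.171.5.4" instead of "any", plus a misconfigured variant without the deny line. The Dialer0 address 203.0.113.1 is a constructed stand-in for the real WAN IP; the parser is an assumption that only handles "ip" entries with "any", "host" and address/wildcard forms.

```python
"""Model Cisco IOS first-match ACL evaluation for the Perth router's
crypto ACL 191 and NAT ACL 150, in IOS inside-to-outside order
(NAT translation first, then the crypto map check)."""
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for the Dialer0 public address used by "overload" NAT.
DIALER0_IP = "203.0.113.1"

# Lines as posted in the thread: Perth's crypto ACL plus Federico's NAT ACL.
THREAD_CONFIG = """
access-list 191 remark Crypto ACL for Encryption to Sydney
access-list 191 permit ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 150 deny ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 150 permit ip 192.168.10.0 0.0.0.255 any
"""

# Constructed variant for Reza's follow-up: translate only towards the FTP host.
NARROW_CONFIG = """
access-list 191 remark Crypto ACL for Encryption to Sydney
access-list 191 permit ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 150 deny ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 150 permit ip 192.168.10.0 0.0.0.255 host 203.171.5.4
"""

# Constructed misconfiguration: the deny line is missing, so VPN traffic is NATed.
NO_DENY_CONFIG = """
access-list 191 permit ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 150 permit ip 192.168.10.0 0.0.0.255 any
"""


@dataclass
class AclEntry:
    action: str   # "permit" or "deny"
    src: int      # base address as a 32-bit int
    src_wc: int   # IOS wildcard mask: 1 bits are "don't care"
    dst: int
    dst_wc: int


def _is_ipv4(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def _parse_addr(tokens, i):
    """Parse one address spec at tokens[i]; return (address, wildcard, next index)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    if i + 1 < len(tokens) and _is_ipv4(tokens[i + 1]):
        return addr, int(ipaddress.IPv4Address(tokens[i + 1])), i + 2
    return addr, 0, i + 1  # bare address without wildcard means a single host


def parse_acl(config, number):
    """Collect the entries of numbered extended ACL `number` in config order."""
    entries = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[1] != str(number):
            continue
        if t[2] == "remark":
            continue
        if t[3] != "ip":
            raise ValueError(f"only 'ip' entries are modelled: {line}")
        src, src_wc, i = _parse_addr(t, 4)
        dst, dst_wc, _ = _parse_addr(t, i)
        entries.append(AclEntry(t[2], src, src_wc, dst, dst_wc))
    return entries


def _matches(addr, base, wildcard):
    care = ~wildcard & 0xFFFFFFFF
    return addr & care == base & care


def acl_permits(entries, src_ip, dst_ip):
    """First-match evaluation with the implicit 'deny any' IOS adds at the end."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    for e in entries:
        if _matches(s, e.src, e.src_wc) and _matches(d, e.dst, e.dst_wc):
            return e.action == "permit"
    return False


def classify_flow(config, src_ip, dst_ip):
    """Return 'ipsec', 'nat' or 'no-nat' for an inside-to-outside packet.
    NAT is applied first; a translated source no longer matches the crypto ACL."""
    translated = acl_permits(parse_acl(config, 150), src_ip, dst_ip)
    effective_src = DIALER0_IP if translated else src_ip
    if acl_permits(parse_acl(config, 191), effective_src, dst_ip):
        return "ipsec"
    return "nat" if translated else "no-nat"


if __name__ == "__main__":
    for name, cfg in (("thread", THREAD_CONFIG), ("narrow", NARROW_CONFIG), ("no-deny", NO_DENY_CONFIG)):
        for dst in ("192.168.2.10", "203.171.5.4", "198.51.100.7"):
            print(f"{name:8} 192.168.10.25 -> {dst:14} {classify_flow(cfg, '192.168.10.25', dst)}")
```

With the narrowed ACL 150, any other Internet destination falls through to the implicit deny and is neither encrypted nor translated, so it leaves with a private source address and gets no reply; the deny line for 192.168.2.0/24 becomes redundant there, but it is harmless and protects the tunnel if the permit line is later widened back to "any". The no-deny variant shows the failure mode Federico's ordering avoids: Sydney-bound traffic is translated to the Dialer0 address and never matches the crypto ACL.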