Hi Federico,

Just forget my last discusstion the senario changes we dont want to bypass tunnel here is what we after:

the users at branch office(perth) cannot do FTP to a server in internet. we just want change on NAT/Rules to make it happen.

we do have head office is Sydney that this router has VPN IPsec to other branches including Melbourne, Perth, ..

we just want to fix FTP aceess for Perth users not on any other branches.

All things are router to router IPsec. from perth and sydney routers, i can ping FTP address that is (203.171.5.4) but from a client at perth, i cannot ping or telnet to that IP.

I uploaded routers configs from sydney and perth routers.

Please ask me for more picture of environment.

Regards,

Reza

Reza,

So you have a Site-to-Site tunnel between these two routers (syd and perth).

You want to be able to access the 203.171.5.4 via FTP from a client at perth correct?

Questions:

Where is the 203.171.5.4 server? On the Internet?

To be able to access that server you need to enable NAT on perth side.

Is this what you need to do?

Federico.

Hi Federico,

Exactly, We want to be able to access the 203.171.5.4 via FTP from a client at perth.

Yes, able to access that server we need to enable NAT on perth side

Can you help with command we can config on perth router to make this happen ?

at this moment ther is access-list 191 on perth router to allow 192.168.10.0 traffic to pass through ipsec:

access-list 191 remark Crypto ACL for Encryption to Sydney
access-list 191 permit ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255

you advice on this is much appretiated.

Regards,

Reza

Hi Mate,

How can i have this without providing internet access, just give access to that specific FTP address.

the 150 access-list allow every thing open.

Your adviced is much appretiated,

Reza