Cisco Support Community
Community Member

Client VPN access to Public IP

Hi, the requirement here is to provide access to a website hosted behind a PIX 515e (version 7 software) via a Cisco VPN client. The client will need to access the website via the "external" IP address of the site, rather than the internal one. We currently have Client VPN configurations in place to allow access to servers via the internal IP address, but not via the external (public) address.


Any help with the above would be greatly appreciated.

Community Member



From your explanation it seems that you have a "nat exempt" rule for your VPN clients, so they access the servers via the internal IP and not the public ("natted") one.

A possible solution:

1. Disable the nat exempt rule, and all VPN clients must then access the public IP of the server.


2. Create a new address pool, associate it with a vpngroup, and do not exempt it from NAT. Example:

! values in angle brackets are placeholders to be replaced with your own addresses
ip local pool OUT_IP <pool_start_ip>-<pool_end_ip>

vpngroup PUBLICIPACCESS address-pool OUT_IP

vpngroup PUBLICIPACCESS password xxxxxxxxxx

access-list outside_access_in permit ip any host <server_public_ip>

access-list outside_cryptomap_dyn_20 permit ip any <vpn_pool_network> <vpn_pool_mask>
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

(pay attention to the names and order of the ACLs and crypto maps)


I hope this could help you.


Best Regards,


Pedro Lereno



Community Member




Thanks for your feedback on this. The VPN configuration is in place and working as per your suggestion.


The only item that isn't working well is the split tunnelling. Without split tunnelling the external IP address is accessible; however, this routes ALL client traffic through the VPN tunnel.


The split tunnelling config is as follows:

access-list acl_splitvpn standard permit ip external_ip

group-policy gp_name attributes
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value acl_splitvpn


Any further assistance would be appreciated.

Community Member




Can you try with an extended ACL, like this:


access-list acl_splitvpn extended permit ip host external_ip any




Pedro Lereno
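The two replies above (a second, non-NAT-exempt client pool, and a split-tunnel list that names the public address) pulled together into one PIX 7.x configuration. This is an added example, not configuration from the thread or from Cisco; every address is constructed (server 10.1.1.10 inside, published as 203.0.113.10; existing NAT-exempt pool 192.168.100.0/24; new pool 192.168.200.1-50), and the names GP_PUBLICIPACCESS, NAT_EXEMPT and acl_splitvpn_public are assumptions. It uses tunnel-group, the 7.x form of the 6.x vpngroup command shown in the reply.

```cisco
! Added example, not from the thread. All addresses are constructed:
!   inside server 10.1.1.10, published on the outside interface as 203.0.113.10
!   existing client pool 192.168.100.0/24  (NAT-exempt: reaches the server as 10.1.1.10)
!   new client pool      192.168.200.1-50  (not NAT-exempt: reaches the server as 203.0.113.10)

! Static translation that publishes the server. It applies in both directions, so a
! VPN client whose traffic is not NAT-exempt can send to 203.0.113.10 and be
! translated to 10.1.1.10 on the way in.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255

! NAT exemption for the existing pool only. Exemption takes precedence over the
! static, so any pool listed here sees the server by its inside address and can
! never use the public one. Keep this list specific; an "any" here would also
! catch the new pool and break the requirement.
access-list NAT_EXEMPT extended permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NAT_EXEMPT

! New pool, deliberately absent from NAT_EXEMPT.
ip local pool OUT_IP 192.168.200.1-192.168.200.50 mask 255.255.255.0

! Split tunnel: only the server's public address goes through the tunnel, everything
! else leaves the client directly. Either form works; in the extended form the source
! is the address behind the PIX that is to be tunnelled, not the client pool.
access-list acl_splitvpn_public standard permit host 203.0.113.10
! access-list acl_splitvpn_public extended permit ip host 203.0.113.10 any

group-policy GP_PUBLICIPACCESS internal
group-policy GP_PUBLICIPACCESS attributes
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value acl_splitvpn_public

! 7.x equivalent of "vpngroup PUBLICIPACCESS address-pool / password".
tunnel-group PUBLICIPACCESS type ipsec-ra
tunnel-group PUBLICIPACCESS general-attributes
  address-pool OUT_IP
  default-group-policy GP_PUBLICIPACCESS
tunnel-group PUBLICIPACCESS ipsec-attributes
  pre-shared-key <group-password>

! Dynamic crypto map shared with the existing remote-access clients.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

! With this set (the 7.x default; the keyword becomes permit-vpn from 7.2), decrypted
! client traffic bypasses the outside interface ACL, so outside_access_in needs no
! "permit ip any ..." entry for the clients. If you turn it off, permit only the pool
! to the published address rather than "any":
! access-list outside_access_in extended permit ip 192.168.200.0 255.255.255.192 host 203.0.113.10
sysopt connection permit-ipsec
```

To check that the new pool is really hitting the static rather than the exemption, connect a client to PUBLICIPACCESS, browse to 203.0.113.10 and look for the 203.0.113.10 to 10.1.1.10 entry in `show xlate` while a client from the old pool, browsing to 10.1.1.10, produces none. The server's inside routing must send 192.168.200.0/24 back to the PIX, exactly as it already does for the existing pool.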
