
How can I bypass the IPsec tunnel when doing FTP?

Hi,

I do have a VPN IPsec tunnel between my branch office and head office (router VPN). I need to do FTP to a specific IP on the Internet without passing through the IPsec tunnel. This should be happening at my branch site, so when users try ftp://125.7.123.46 this should bypass the tunnel and connect directly.

Can anyone give me a heads up on how I can achieve this on my router?

Thanks in advance,

Reza


Re: How can I bypass the IPsec tunnel when doing FTP?

Reza,

Is the VPN tunnel between two routers?

You can access the server via FTP from the Internet because in the interesting traffic you just specify the traffic that goes through the tunnel.

i.e.

Let's say that you have the following scenario:

LAN1 - Router1 - Internet - Router2 - LAN2

There's an L2L between both routers.

Only traffic between both LANs will be sent through the tunnel.

If you access a server on either LAN with a public IP, the connection should work.

If it's not working, then we need to look at your NAT statements and the VPN configuration.

Federico.


Re: I cannot do FTP through Ipsec Tunnel

Hi Federico,

Just forget my last discussion; the scenario has changed. We don't want to bypass the tunnel. Here is what we are after:

The users at the branch office (Perth) cannot do FTP to a server on the Internet. We just want a change on NAT/rules to make it happen.

We do have a head office in Sydney; this router has VPN IPsec to other branches including Melbourne, Perth, ...

We just want to fix FTP access for Perth users, not for any other branches.

All things are router-to-router IPsec. From the Perth and Sydney routers, I can ping the FTP address (203.171.5.4), but from a client at Perth I cannot ping or telnet to that IP.

I uploaded router configs from the Sydney and Perth routers.

Please ask me for a fuller picture of the environment.

Regards,

Reza

Re: I cannot do FTP through Ipsec Tunnel

Reza,

So you have a site-to-site tunnel between these two routers (Syd and Perth).

You want to be able to access 203.171.5.4 via FTP from a client at Perth, correct?

Questions:

Where is the 203.171.5.4 server? On the Internet?

To be able to access that server you need to enable NAT on the Perth side.

Is this what you need to do?

Federico.


Re: I cannot do FTP through Ipsec Tunnel

Hi Federico,

Exactly. We want to be able to access 203.171.5.4 via FTP from a client at Perth.

Yes, to be able to access that server we need to enable NAT on the Perth side.

Can you help with the commands we can configure on the Perth router to make this happen?

At this moment there is access-list 191 on the Perth router to allow 192.168.10.0 traffic to pass through IPsec:

access-list 191 remark Crypto ACL for Encryption to Sydney
access-list 191 permit ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255

Your advice on this is much appreciated.

Regards,

Reza

Re: I cannot do FTP through Ipsec Tunnel

Reza,

To be able to reach that server from the 192.168.10.0/24 network, here's what you need:

##########################################
access-list 150 deny ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 150 permit ip 192.168.10.0 0.0.0.255 any
ip nat inside source list 150 interface Dialer0 overload
interface Ethernet0
 ip nat inside
interface Dialer0
 ip nat outside
#########################################

With the above configuration you're providing Internet access to the 192.168.10.0/24 network without interfering with the IPsec traffic.

Do you have this thread duplicated?

Federico.


Re: I cannot do FTP through Ipsec Tunnel

Hi Mate,

How can I have this without providing Internet access, just giving access to that specific FTP address?

The 150 access-list allows everything open.

Your advice is much appreciated,

Reza
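As an added example (not from any participant in this thread), here is the NAT access-list narrowed to the single FTP server, reusing the interface names and addresses from the posts above (Ethernet0 inside, Dialer0 outside, VPN peer LAN 192.168.2.0/24, FTP host 203.171.5.4); the note about an outbound filter on Dialer0 is an assumption about how to enforce the restriction rather than something the thread confirms.

```cisco
! Added example, not the thread's own config. Interface names, the VPN
! peer subnet and the FTP server address are taken from the posts above.
!
! As posted (weak for this requirement): every Internet-bound packet from
! the Perth LAN is translated, so the whole Internet is reachable.
!   access-list 150 deny   ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
!   access-list 150 permit ip 192.168.10.0 0.0.0.255 any
!
! Restricted version: rebuild ACL 150 so only TCP to the FTP host is
! translated. The deny for VPN-bound traffic must stay first so that
! traffic is never NATed before it reaches the crypto map. No port is
! given on the permit because passive-mode data connections land on
! ephemeral ports of the same server; the control channel (21) is
! covered as well.
no access-list 150
access-list 150 remark NAT ACL - Perth LAN to FTP server only, never to VPN
access-list 150 deny   ip  192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 150 permit tcp 192.168.10.0 0.0.0.255 host 203.171.5.4
!
ip nat inside source list 150 interface Dialer0 overload
!
interface Ethernet0
 ip nat inside
!
interface Dialer0
 ip nat outside
!
! Caveat: a NAT ACL only decides what gets translated, it is not a
! filter. Other LAN traffic to the Internet leaves Dialer0 untranslated
! with a private source address and is dropped upstream. To enforce the
! restriction on the router itself, add an outbound ACL on Dialer0 that
! permits the FTP host and the IPsec peer (ESP/ISAKMP) and denies the rest
! (assumed approach; verify against the live config before applying).
```

After replacing the ACL, existing translations can be cleared with `clear ip nat translation *` so that stale entries for other destinations do not linger.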
