
How to reach certain Public IP address from Client VPN

Lasandro Lopez

Hi there!
On a Cisco ASA 5510, there are some profiles for VPN clients that reach some inside servers.
I want them to reach a public IP address of a third party, on one dedicated port.


For example:
Public IP address of 3rd party: 3.3.3.3

Port on this IP: 80

My ASA Public IP address is: 2.2.2.2

The problem is that the 3rd party doesn't allow connections other than from my public IP.

So one VPN client, which has an IP address of 4.4.4.4 for example, could not reach port 80 on IP 3.3.3.3 directly; it must connect to the VPN and then reach port 80 on IP 3.3.3.3 with a NAT to, let's say, the ASA IP 2.2.2.2.
Is this possible?
Regards!


Lasandro Lopez

I have to add this extra information...
The VPN clients enter through a 3rd interface named VPN, with public IP 1.1.1.1.
So interfaces are like this:
INSIDE: 192.168.1.1
OUTSIDE: 2.2.2.2

VPN: 1.1.1.1
Regards!

Hi,

Easiest way to deal with this would be to see some current configurations and the VPN "tunnel-group" name that needs to reach this 3rd party site.

If I understood correctly you would need to have the user connect to this 3rd party site through the VPN Client connection so that the connection would be visible to the 3rd party site with the ASA public IP address.

Things that affect how this is achieved would be

  • Are you using Full Tunnel or Split Tunnel VPN
  • What your software level is (NAT configuration type is different)

Essentially you need to make sure that connections towards the 3rd party site IP address are tunneled to the VPN connection and you will also have to have a NAT configuration between VPN and OUTSIDE interface to NAT the VPN users to the correct IP address. There might be other settings needed also depending on your ASA configurations.

- Jouni

On the clients, I'm using Split Tunnel.

Hi,

Well you will need to add the destination IP address to the Split Tunnel ACL used. I would typically use a Standard type ACL and just add a statement for this public destination IP address.

After this you would essentially have to configure the correct NAT between VPN and OUTSIDE interface and make sure no other rule is blocking the traffic.

Again, how the above is accomplished depends on your software and also partly how your ASA is currently configured.

- Jouni
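
The two steps described in the reply above, sketched as an added example that is not part of the original thread and not taken from the poster's ASA. It assumes ASA software 8.3 or later (object-based NAT); the ACL name, group-policy name, object names and the 10.10.10.0/24 client pool are hypothetical placeholders, and only the interface names and the 3.3.3.3 / 2.2.2.2 addresses come from the thread.

```cisco
! Added example. SPLIT-TUNNEL-ACL, VPN-USERS, VPN-POOL, THIRD-PARTY and the
! 10.10.10.0/24 pool are hypothetical; substitute the names already in use.
! Assumes ASA 8.3+ NAT syntax; earlier releases use a different NAT model.

! 1. Send traffic for the 3rd party host into the tunnel by adding it to the
!    Standard ACL the group-policy already uses for Split Tunnel.
!    Existing entries for the inside servers stay as they are.
access-list SPLIT-TUNNEL-ACL standard permit host 3.3.3.3

group-policy VPN-USERS attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL-ACL

! 2. Objects for the client address pool and the 3rd party host.
object network VPN-POOL
 subnet 10.10.10.0 255.255.255.0
object network THIRD-PARTY
 host 3.3.3.3

! 3. NAT between the VPN and OUTSIDE interfaces: translate the VPN clients
!    to the OUTSIDE interface address (2.2.2.2) only when the destination is
!    the 3rd party host. The destination clause keeps this rule from
!    translating any other VPN client traffic.
nat (VPN,OUTSIDE) source dynamic VPN-POOL interface destination static THIRD-PARTY THIRD-PARTY

! 4. Checks after a client reconnects and opens 3.3.3.3:80.
!    The NAT rule's hit counters should increase, and the connection should
!    appear on OUTSIDE with 2.2.2.2 as the translated source.
show nat detail
show conn address 3.3.3.3
```

A Standard ACL matches on destination address only, so this tunnels every port towards 3.3.3.3; limiting the clients to port 80 needs a separate filtering rule. The ASA also has to route 3.3.3.3 out of the OUTSIDE interface for the translated source to be 2.2.2.2.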
