Solved

Site to Site VPN and External Web Resource

Posted on 2014-02-19
Last Modified: 2014-02-20
We have a vendor that needs access to several of our internal webservers over HTTPS, but also needs access to an external website that can only be accessed via our public IP address.  We have them set up for a site to site VPN tunnel and we're NATing them from a DMZ IP to an internal IP address for each internal web server access.  

I'm trying to figure out what the best method would be to redirect them to an external website through our network and out to the internet.  One of the ideas I was playing with was some kind of virtual application delivery for IE via Citrix or another platform.

Is there an easier method to do this via creative NATing or do we need to deploy some sort of VDI-like application delivery to accomplish this?
Question by:macdaddy2005
Accepted Solution

by:
Henk van Achterberg earned 250 total points
ID: 39872538
You can add the external IP address of that external website in the cryptomap (the networks the IPsec connection agreed to tunnel). Then you can add a NAT statement so that traffic coming from the vendor to this external IP of the external website is NAT-ed through your WAN IP.

What equipment do you have running?

Assisted Solution

by:vijaydawda
vijaydawda earned 250 total points
ID: 39872712
Try the following method.

Edit the VPN parameters as follows:

1. Your side (which has the public IP)

Edit the VPN connection.

Add the IP of the external web server to the local network (subnet should be 255.255.255.255 (/32)).

2. Vendor side

Edit the VPN connection.

Add the IP of the external web server to the remote network (subnet should be 255.255.255.255 (/32)).

Don't forget to add a VPN to WAN rule with NAT enabled.
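The selector change that both answers above describe, as an added example that is not part of the original thread: a small check that the external site's /32 is a local network on your side, a remote network on the vendor side, and that the two selector sets mirror each other. All addresses are constructed documentation-range values and the function names are hypothetical; the VPN to WAN NAT rule still has to be verified on the device itself.

```python
import ipaddress

# Constructed sample values (documentation ranges), not from the thread.
VENDOR_LAN = "198.51.100.0/24"
DMZ_NAT_IP = "192.0.2.10/32"
EXTERNAL_SITE = "203.0.113.80"

# (local network, remote network) as each peer would configure them.
OUR_BEFORE = [(DMZ_NAT_IP, VENDOR_LAN)]
VENDOR_BEFORE = [(VENDOR_LAN, DMZ_NAT_IP)]
# After the change: the site is "local" for us and "remote" for the vendor.
OUR_AFTER = OUR_BEFORE + [(EXTERNAL_SITE + "/255.255.255.255", VENDOR_LAN)]
VENDOR_AFTER = VENDOR_BEFORE + [(VENDOR_LAN, EXTERNAL_SITE + "/32")]


def parse(pairs):
    """Normalise (local, remote) strings; accepts /32 or dotted netmasks."""
    return {(ipaddress.ip_network(a), ipaddress.ip_network(b)) for a, b in pairs}


def check_tunnel(our_side, vendor_side, external_site):
    """Return a list of selector problems; an empty list means consistent."""
    ours, theirs = parse(our_side), parse(vendor_side)
    site = ipaddress.ip_network(external_site)  # bare address parses as /32
    problems = []
    # Each peer's selectors should be the mirror image of the other's.
    for local, remote in sorted(ours - {(r, l) for l, r in theirs}, key=str):
        problems.append(f"vendor side lacks mirror of {local} -> {remote}")
    for local, remote in sorted(theirs - {(r, l) for l, r in ours}, key=str):
        problems.append(f"our side lacks mirror of {local} -> {remote}")
    # The external site must be tunnelled: local for us, remote for them.
    if not any(local == site for local, _ in ours):
        problems.append(f"our side: {site} is not a local network")
    if not any(remote == site for _, remote in theirs):
        problems.append(f"vendor side: {site} is not a remote network")
    return problems


if __name__ == "__main__":
    for name, ours, theirs in [("before", OUR_BEFORE, VENDOR_BEFORE),
                               ("one-sided", OUR_AFTER, VENDOR_BEFORE),
                               ("after", OUR_AFTER, VENDOR_AFTER)]:
        print(name, check_tunnel(ours, theirs, EXTERNAL_SITE) or "OK")
```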
 

Author Comment

by:macdaddy2005
ID: 39873504
We're using an Adtran  NetVanta 1335, shared between multiple vendors.  Here's part of our CryptoMap.  

crypto map VPN 10 ipsec-ike
  description <vendor 1>
  match address VPN-10-vpn-selectors
  set peer <peer WAN IP>
  set transform-set esp-aes-256-cbc-esp-sha-hmac
  set security-association lifetime seconds 3600
  ike-policy 100
crypto map VPN 20 ipsec-ike
  description <vendor 2>
  match address VPN-20-vpn-selectors
  set peer <peer WAN IP>
  set transform-set esp-aes-256-cbc-esp-sha-hmac
  set security-association lifetime seconds 3600
  ike-policy 100

We NAT through our firewall.  The DMZ is attached to the trusted interface of the Adtran and the external interface is a public IP.

Author Comment

by:macdaddy2005
ID: 39874385
I managed to get the NATing to work properly.  Instead of that public IP address going out via our firewall, like all other traffic, it was being redirected through another VPN device.  That VPN device did not have my DMZ in its routing table.  

Thanks for the help

Question has a verified solution.