VPN - Public IP

Hi,

We currently have access to the network via VPN; this is fine and it works. However, when we connect via VPN we want to access servers that are IP-restricted to the network's public IP. So we are not able to gain access to these resources.

Is there a way we can pick up the public IP of the network instead of my personal public IP? I have looked around and some have suggested having a proxy set up on a desktop that could be used.

Please can you advise?

introlux
introluxAsked:

Fred MarshallPrincipalCommented:
It would be an improvement if you could describe your architecture and your purposes a bit more.

I understand that you have servers with public IP addresses.  Is that right?
That's not unusual.  They are set up that way so that they will be accessible from the internet.
But "accessible" may not mean "controllable" or .....
So, I presume that you want to access those servers from inside your network.  Is that right?

Are you able to access the servers from inside the network and not via the VPN connection?

Presumably all of the computers on the LAN subnet can reach the internet and, thus, those servers.  

There's something missing here .. like how are those servers normally accessed for management?
introluxAuthor Commented:
Hi,

So basically we have 3rd party hosting providers. They have locked down the firewall to the office public IP. Now, when within the network (basically in the office), we can access these servers. However, when logged on from home etc., we use VPN to have access to the office network; however, if we try to access the 3rd party hosting, it does not work as the public IP is my own personal home address and not the office public IP.

I am forced to hop onto a device within the network and hop onto the 3rd party hosting provider.

It would save a lot of time if I could remove the extra hop.

Does that make sense?

Introlux
Fred MarshallPrincipalCommented:
it does not work as the public IP is my own personal home address and not the Office public IP.
It's not clear what this means.  Of course you have a public IP at home and of course you have a different one at the office.
however if we tried to access the 3rd party hosting,
It's not clear what this means.  Why would you want to access the hosting provider?  A management console?

Is the "3rd party hosting provider":
- hosting internet service?
- hosting web pages on those servers?
etc?

What do you mean that they have "locked down the firewall"?  Do you mean they own and control it?
Are the servers then in a DMZ but are accessible from your LAN subnet?

I'm not sure what you want makes much sense because (as it currently appears to me):
- The servers face the internet and, as such, probably don't want to have management interfacing done from that "side".  One could but that becomes a security risk to some degree.  So, one can imagine that it would be blocked.  That's not unusual.
- The servers are accessible from the local LAN subnet.  So, to get to them, you have to be coming from that "side".  Whether this is possible directly over the VPN is a question.  If the VPN clients have local LAN subnet addresses then probably yes.  If the VPN clients have their own subnet then probably not.  Whether you have control over this aspect is unclear.
introluxAuthor Commented:
IP for home and work is of course different; however, these 3rd party web servers sit behind a firewall which has an IP restriction to the work public IP address. As my home IP is different, I am unable to connect to it.

I was hoping using VPN will mask the work public ip and allow me to connect to the servers which have the restriction.

Does that make it clear?
David Johnson, CD, MVPOwnerCommented:
Your VPN client is set to split: to access the internet (outside the network) it uses your own internet connection. This may be set by the administrator of the VPN server.
Fred MarshallPrincipalCommented:
If I had some answers to some of my explicit questions, it would help.
David Johnson, CD, MVPOwnerCommented:
The split VPN is the problem. Check your VPN client properties. Reverse the procedure shown here:
https://community.spiceworks.com/how_to/75078-configuring-split-tunnel-client-vpn-on-windows

Enable instead of disable Use default gateway on remote network
Qlemo"Batchelor", Developer and EE Topic AdvisorCommented:
David is probably correct about split tunneling, and hence public IP traffic not going thru the VPN. However, I would rather set a specific route for those particular public IPs with the same gateway the VPN uses. That way Internet traffic does not have to pass the VPN unless for the office.
introluxAuthor Commented:
Hi,

In order to connect via VPN, I am using a software tool called Junos Pulse. So I am not using a native VPN connection, and this setting is not available for me.

Any further ideas?

introlux
introluxAuthor Commented:
I believe I need to change SplitTunneling from false to true, but I cannot see an active VPN connection as I am using the client instead of the Microsoft inbuilt VPN.

Junos creates a virtual network adapter.

Any help again will be appreciated.
introluxAuthor Commented:
Attached picture of the client that I am using:
junos-secure.JPG
Qlemo"Batchelor", Developer and EE Topic AdvisorCommented:
With Junos Pulse you have to do all settings on the Juniper. You don't have any option on the client side.
introluxAuthor Commented:
Any idea what changes are required on the Juniper?
Qlemo"Batchelor", Developer and EE Topic AdvisorCommented:
Nope. The "real" Juniper branch of devices is a black hole for me. I know the NetScreen/SSG branch, and that has nothing in common.
introluxAuthor Commented:
Can we not use a proxy setup within the office that we can connect to?
Qlemo"Batchelor", Developer and EE Topic AdvisorCommented:
What about "you have to do all settings on the Juniper" is unclear? You need a setup, a proxy setup won't help. There is no proxy, the config on the Juniper is the config.
introluxAuthor Commented:
Qlemo, I understand this but we do not have anyone at present to configure this device, therefore as an interim, can we setup a proxy on a server/desktop that can help resolve this issue?
Qlemo"Batchelor", Developer and EE Topic AdvisorCommented:
Got you. Yes, the thought of using some kind of proxy service sounds compelling, but it won't work, unless you use LAN IPs as proxy for those hosted servers. Feasible, but a difficult and painful setup.

I can't remember if Pulse allows you to manually set routes while being connected. If so, you could set up specific routes using the Juniper (via VPN). Odds are that you are not able to do that.
Fred MarshallPrincipalCommented:
I'm still very much in the dark here for lack of information.

But, I do understand that you're using Pulse.

I have never seen a VPN client software in recent times that would not let you split the VPN (this is from the client side) and/or NOT split the VPN.  So, if that's all that's causing your problem, it should be a setting on the client computer(s) in the Pulse software.  That said, it looks like it's not so simple.  Here's a link I found on that subject.  
http://www.digitalinternals.com/network/workaround-for-juniper-vpn-split-tunneling-restriction/124/
Qlemo"Batchelor", Developer and EE Topic AdvisorCommented:
The correct link is rather http://www.digitalinternals.com/network/workaround-juniper-junos-pulse-split-tunneling-restriction/447/ of the same author. JNC is not the same as Pulse ;-).
The author has the reversed issue - a non-split-tunneling setup. And the ways to circumvent the internal route monitoring are really cumbersome - I cannot recommend that, requiring to patch EXE and DLL files and such.

Maybe we can give advice if you tell us which services exactly you need to use.
introluxAuthor Commented:
I would like to SSH, RDP, FTP to servers that are located on AWS. They currently have an IP restriction set on the firewall that only allows access via RDP (if Windows), SSH (if Linux) and SFTP/FTP from the public IP address assigned to the office.

I would like to access these servers without hopping onto a device in the office.
Fred MarshallPrincipalCommented:
only allows access via  ...... the public IP address assigned to the office.
That seems reasonable enough.  You have servers that have public IP addresses.  If I understand this as it appears then that's pretty simple unto itself.

They currently have an IP restriction set on the firewall
This part I don't understand very well.  If they have public addresses then surely they are accessible from the internet.  Yes, I suppose there could be some firewall protections even so.  But then, those would apply to anyone accessing those addresses/servers, no?

we have 3rd party hosting providers
This comment could be at odds with everything else so I'm confused by it.  I mention this only to make sure we aren't heading down the wrong path.

But, If everything else is correct then I imagine that you're using a non-split VPN so that when you're connected to the VPN, you don't have local internet access.  Then you only have office access.  
Sometimes one gets internet access via the office ISP through the VPN but I don't know how common that is.  It's more common to use a split VPN connection (at the remote end) in order to use your own internet access - the same one that's supporting the VPN connection from your home or .....

So, if you are connected on the VPN and  "trapped" on the office LAN subnet and need internet access, and thus access to your own office's public servers, you need a split VPN.  I guess David Johnson figured that out faster than I could!  :-)

My suggestion would be that we focus on how to get a split VPN for the remote clients.  Maybe the link that Qlemo provided is better but it came back blocked as dangerous to me just now.  In any case, the one I sent suggests doing things that *are* too complicated.  

But, if the only thing is to avoid a "hop" then is it worth it?
Qlemo"Batchelor", Developer and EE Topic AdvisorCommented:
There are some tools out there to build a port proxy or tunnel.
E.g. the SSH tools can build a dedicated SSH tunnel for a single port. That is useful if you do not have a tunnel yet, but as you are on VPN, this is probably not the best option.
fpipe from http://www.mcafee.com/de/downloads/free-tools/fpipe.aspx is a direct port proxy.
NetCat is often used to do that.
But I recommend (from reading, no experience) to use PassPort http://sourceforge.net/projects/pjs-passport/files/PassPort/1.0.1/ . It has a GUI and is hence easy to set up.

Basically you will have to reserve a local port on the machine the proxy service is running on for each service and remote target you want to use. If you need FTP for two machines, you need to use two different ports (I'm not sure that works well with FTP, though - could be difficult because of the dynamic port selection used for the data channel).
Say one of the remote servers is 47.11.47.11, and you want to use RDP. You run the proxy service on 192.168.1.1.
Then you would have to set port 53389 (50000 + RDP) on 192.168.1.1 to RDP on 47.11.47.11, and use 192.168.1.1:53389 in MsTsc.exe to establish the corresponding RDP proxy connection.
To RDP to a different server, you would e.g. define and use 43389 or 53390 or something like that.

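Qlemo's port-proxy scheme above (one reserved local port per remote service and target, using the "50000 + service port" convention) as an added, runnable Python example; this is not code from the thread nor from fpipe or PassPort. `plan_listeners` assigns the local ports, `start_relay` is a minimal TCP relay of the kind those tools provide, and `roundtrip` drives it against a local echo socket that stands in for the hosted server. The 47.11.47.12 host and the SSH target in the usage are constructed additions to the thread's 47.11.47.11 example.

```python
import socket
import threading
from contextlib import suppress

def plan_listeners(targets, offset=50000):
    """Give each (host, port) target its own local port: offset + service port,
    or the next free port when two targets share a service port (two RDP hosts)."""
    plan = {}
    for host, port in targets:
        local = offset + port
        while local in plan:
            local += 1
        plan[local] = (host, port)
    return plan

def _pump(src, dst):
    """Copy src -> dst until EOF, then half-close dst; the peer thread pumping
    dst -> src keeps going, so neither direction loses in-flight bytes."""
    with suppress(OSError):
        while data := src.recv(4096):
            dst.sendall(data)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def start_relay(target, listen=("127.0.0.1", 0), max_conns=1):
    """Listen on `listen` (port 0 = OS picks) and relay each accepted TCP client
    to `target`, one pump thread per direction. Returns the bound address."""
    lsock = socket.create_server(listen)
    def accept_loop():
        for _ in range(max_conns):
            client, _ = lsock.accept()
            upstream = socket.create_connection(target)
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()
        lsock.close()
    threading.Thread(target=accept_loop, daemon=True).start()
    return lsock.getsockname()

def roundtrip(payload):
    """Offline demo: a local echo socket stands in for the hosted server; the
    client only ever talks to the relay, which carries the bytes both ways."""
    echo = socket.create_server(("127.0.0.1", 0))
    def echo_once():
        conn, _ = echo.accept()
        _pump(conn, conn)  # echo until the relay half-closes, then half-close back
    threading.Thread(target=echo_once, daemon=True).start()
    with socket.create_connection(start_relay(echo.getsockname())) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        return b"".join(iter(lambda: c.recv(4096), b""))
```

The demo binds to 127.0.0.1; on the office machine the listener would sit on its LAN address, and anything that can reach that port then appears to the hosting provider as the office IP, so the relay effectively widens the provider's allow-list to every VPN client and should be restricted accordingly.
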
introluxAuthor Commented:
hmmm, is there any point setting up another way to deal with this? like a proxy server setup on a server/desktop, as a quick workaround?
Qlemo"Batchelor", Developer and EE Topic AdvisorCommented:
??? What I described in my last comment is a proxy setup!?
David Johnson, CD, MVPOwnerCommented:
The access restriction is there for a reason: quite simply, security. And as it stands you have to VPN into your work network. Unfortunately the work network admins want VPN users to use their own internet connection to access/surf outside of the network, so they set up a split VPN, so you have to RDP into a work machine and then access this external site indirectly. There really isn't another way around this except to talk to the network admins and remove the split VPN (probably unlikely) or relax the IP restriction (good luck, as it reduces the security of the 3rd party service, so that probably is not happening).
workaround-juniper-junos-pulse-split.pdf