Cisco Systems Internet traffic through VPN to

Subject: Internet traffic through VPN to
Author: deca2499
Date: 06-17-08
Posted by Andrey Tarasov on June 17, 2008, 12:51 pm
deca2499 wrote:

> I am trying to figure out a problem we are having at the company I
> work at. Let me give you a bit of an overview.
>
> HQ in Mason, Ohio with a VPN3005, Outside IP of 172.20.180.90/30
> (Changed the first octet for security). Inside IP of 172.20.180.96/27
> Branch in Pasadena, California with a PIX 506E, outside IP of
> 132.15.161.122. Inside IP 172.20.180.129/26.
>
> The problem I am having is that HQ has a proxy that monitors Internet
> traffic and websites. Branch office is not getting Internet traffic
> through the proxy. They can get to unauthorized and blocked websites.
> I am thinking it may be some kind of routing issue, but am not sure at
> this point. I have been looking at the newsgroups and am finding that,
> if I am understanding correctly, the PIX will not send packets back
> out the same interface in which they arrived.
>
> I am rather new at working with PIXes and Cisco routers, so my
> understanding is not that great on this issue. Basically I need help
> on figuring out how to get ALL traffic to come across the VPN to
> run through our proxy at the HQ. If you need more info, please let me
> know.
>
> Thank you in advance for all your help.

It might be something as simple as a split tunnel. Check the ACL used in the
crypto map on the PIX. If it allows only internal IP ranges, the rest of the
traffic from the branch office will be sent to the Internet directly.

Regards,
Andrey.

Posted by deca2499 on June 17, 2008, 2:01 pm

Here is everything that I can find with regard to the crypto map on the
PIX:

crypto map vpn2 10 ipsec-isakmp
crypto map vpn2 10 match address 101
crypto map vpn2 10 set peer VPNConcentrator
crypto map vpn2 10 set transform-set vpn2
crypto map vpn2 interface outside


Posted by deca2499 on June 17, 2008, 2:43 pm

I was looking at the 506E setup and see all the ACL IP permits:
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.180.0 255.255.255.192
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.137.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.138.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.187.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.186.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.182.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.211.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 128.170.205.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 128.170.65.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 128.170.64.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.180.96 255.255.255.240
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.180.68 255.255.255.252
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.180.64 255.255.255.252

Here is what I am not sure of: these three lines are for ATT.
All the lines above them are for closet switches, and the last three
lines are for the VPN concentrator, 2811 router, and 4507 switch that
is behind the 2811 router.

My question would be: should there only be a link to ATT and to the
VPN concentrator? I would think that the concentrator would forward
all packets from the VPN to the 2811 router. Am I correct in this
thinking?
The branch switch IP is 172.16.180.128.
The internal interface on the 506 is 172.16.180.129.

Posted by deca2499 on June 17, 2008, 2:50 pm
Oops... these three lines are for ATT:
access-list 101 permit ip 172.16.180.128 255.255.255.192 128.170.205.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 128.170.65.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 128.170.64.0 255.255.255.0

Posted by Andrey Tarasov on June 17, 2008, 6:06 pm

Assuming you posted the complete ACL 101, the VPN tunnel between the 506E and
the concentrator is indeed a split one. Only traffic between the branch and HQ
is being sent over the tunnel. Traffic to the Internet is being sent directly.

Regards,
Andrey.
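The diagnosis above can be checked mechanically. The script below is an added example, not code from the thread or from Cisco: it parses the posted ACL 101 in the PIX "address netmask" form, evaluates a source/destination pair against it the way the crypto map does (first match wins; a permit means encrypt, a deny or no match means the packet leaves the outside interface in the clear), and then repeats the check against a hypothetical tunnel-all entry. The branch host (172.16.180.130), the HQ proxy address (172.16.180.100, chosen inside the 172.16.180.96/28 entry), the public destination (198.51.100.10, a TEST-NET-2 address) and the `permit ip 172.16.180.128 255.255.255.192 any` line are all assumptions for illustration.

```python
"""Classify branch flows against a PIX crypto-map ACL (split vs. full tunnel).

Added example, not code from the thread. It parses access-list lines in
the PIX 6.x "address netmask" form the poster showed and reports, per
source/destination pair, whether the crypto map would encrypt the packet
into the IPsec tunnel or let it leave the outside interface in the clear.
Host addresses and the "tunnel-all" ACL line are assumed for illustration.
"""
import ipaddress

# ACL 101 as posted in the thread (wrapped lines re-joined).
ACL_101_SPLIT = """
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.180.0 255.255.255.192
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.137.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.138.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.187.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.186.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.182.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.211.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 128.170.205.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 128.170.65.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 128.170.64.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.180.96 255.255.255.240
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.180.68 255.255.255.252
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.180.64 255.255.255.252
"""

# Hypothetical replacement (an assumption, not from the thread): match every
# destination so that all branch traffic is offered to the tunnel.
ACL_101_FULL = """
access-list 101 permit ip 172.16.180.128 255.255.255.192 any
"""


def _take_network(tokens, i):
    """Consume one PIX address spec at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX ACLs take a real subnet mask here, not an IOS-style wildcard mask.
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text, name):
    """Return [(action, src_net, dst_net)] for the 'ip' entries of one ACL."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[1] != name:
            continue
        action, proto = tokens[2], tokens[3]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported entry: {line}")
        src, i = _take_network(tokens, 4)
        dst, _ = _take_network(tokens, i)
        entries.append((action, src, dst))
    return entries


def crypto_path(entries, src_ip, dst_ip):
    """First-match evaluation of a crypto ACL.

    'tunnel' if a permit entry matches; otherwise 'clear', because both an
    explicit deny and the implicit deny at the end mean "do not encrypt",
    so the packet is simply routed out the outside interface unprotected.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, s, d in entries:
        if src in s and dst in d:
            return "tunnel" if action == "permit" else "clear"
    return "clear"


def is_split_tunnel(entries):
    """True unless some permit entry covers every destination (0.0.0.0/0)."""
    return not any(a == "permit" and d.prefixlen == 0 for a, _, d in entries)


if __name__ == "__main__":
    branch_host = "172.16.180.130"   # a host behind the 506E (assumed)
    hq_proxy = "172.16.180.100"      # HQ proxy inside the 172.16.180.96/28 entry (assumed)
    public_web = "198.51.100.10"     # a blocked public site (constructed, TEST-NET-2)
    for label, acl in (("posted ACL", ACL_101_SPLIT), ("tunnel-all ACL", ACL_101_FULL)):
        entries = parse_acl(acl, "101")
        print(f"{label}: split tunnel = {is_split_tunnel(entries)}")
        for dst in (hq_proxy, public_web):
            print(f"  {branch_host} -> {dst}: {crypto_path(entries, branch_host, dst)}")
```

Against the posted ACL the branch-to-proxy flow is tunneled and the branch-to-public-site flow goes out in the clear, which is exactly the symptom reported; against the tunnel-all entry both are tunneled. Note that changing ACL 101 only changes what the 506E offers to the tunnel: the concentrator and the HQ network then have to accept, route and NAT the branch's Internet traffic toward the proxy, which this thread does not get to.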
