1. Home
  2. Cisco Systems
  3. Internet traffic through VPN to

Internet traffic through VPN to

Hello everyone,

I am trying to figure out a problem we are having at the company I work at. Let me give you a bit of an overview.

HQ in Mason, Ohio with a VPN3005, Outside IP of 172.20.180.90/30 (Changed the first octet for security). Inside IP of 172.20.180.96/27 Branch in Pasadena, California with a PIX 506E, outside IP of

132.15.161.122. Inside IP 172.20.180.129/26.

The problem I am having is that HQ has a proxy that monitors Internet traffic and websites. Branch office is not getting Internet traffic through the proxy. They can get to unauthorized and blocked websites. I am thinking it may be some kind of routing issue, but am not sure at this point. I have been looking at the newsgroups and am finding that, if I am understanding correctly, the PIX will not send packets back out the same interface in which they arrived.

I am rather new at working with PIXs and Cisco routers, so my understanding is not that great on this issue. Basically I need help on figuring out how to get the ALL traffic to come across the VPN to run through our proxy at the HQ. If you need more info, please let me know.

Thank you in advance for all your help.

Reply to
deca2499
Loading thread data ...

A couple of options, block http/https traffic from exiting the 506E at the branch office and force the http/https connections through the HQ. Also have you identified the proxy server in the settings of the browser?

In regards to the PIX sending packets out the same interface it arrived on, it all depends of the OS version of the PIX and VPN concentrator.

Reply to
artie lange

If I were to block the http/https traffic from exiting the 506E, what kind of rule would I use to force it through the VPN tunnel compared to dropping all http/s traffic? Would I have to put in a rule that tells it to go to the VPN and not bypass? I am new to dealing with more than the simple home firewall.

Thank you for your prompt response..

Reply to
deca2499

no if you are using a true proxy server, you need to configure the internet browser to use a proxy server address. What web filtering technologies are you using (Name, brand, etc..)

Reply to
artie lange

It might be something simple as split tunnel. Check ACL used in crypto map on PIX. If it allows only internal IP ranges, rest of the traffic from branch office will be sent to internet directly.

Regards, Andrey.

Reply to
Andrey Tarasov

I was wrong to say that we are using a proxy. However, the webfiltering software we are using is eSafe.

Reply to
deca2499

Here is everything that I can find with regards to crypto map on the PIX:

crypto map vpn2 10 ipsec-isakmp crypto map vpn2 10 match address 101 crypto map vpn2 10 set peer VPNConcentrator crypto map vpn2 10 set transform-set vpn2 crypto map vpn2 interface outside

Reply to
deca2499

I was looking at the 506E setup and see all the ACL ip permits: access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.180.0

255.255.255.192 access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.137.0 255.255.255.0 access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.138.0 255.255.255.0 access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.187.0 255.255.255.0 access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.186.0 255.255.255.0 access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.182.0 255.255.255.0 access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.211.0 255.255.255.0 access-list 101 permit ip 172.16.180.128 255.255.255.192 128.170.205.0 255.255.255.0 access-list 101 permit ip 172.16.180.128 255.255.255.192 128.170.65.0 255.255.255.0 access-list 101 permit ip 172.16.180.128 255.255.255.192 128.170.64.0 255.255.255.0 access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.180.96 255.255.255.240 access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.180.68 255.255.255.252 access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.180.64 255.255.255.252

Here is what I am not sure of, these three lines are for ATT. All the lines above it are for closet switches, and the last three lines are for the VPN concentrator, 2811 router, and 4507 switch that is behind the 2811 router.

My question would be should there only be a link to ATT, and to the VPN concentrator? I would think that the concentrator would forward all packets from the VPN to the 2811 router. Am I correct in this thinking? The branch switch IP is the 172.16.180.128. The internal interface on the 506 is 172.16.180.129.

Reply to
deca2499

Oooppss.. These three lines for ATT... access-list 101 permit ip 172.16.180.128 255.255.255.192 128.170.205.0

255.255.255.0 access-list 101 permit ip 172.16.180.128 255.255.255.192 128.170.65.0 255.255.255.0 access-list 101 permit ip 172.16.180.128 255.255.255.192 128.170.64.0 255.255.255.0
Reply to
deca2499

Assuming you posted complete ACL 101, VPN tunnel between 506E and concentrator is indeed split one. Only traffic between branch and HQ is being sent over the tunnel. Traffic to Internet is being sent directly.

Regards, Andrey.

Reply to
Andrey Tarasov

That is what I was thinking but wanted confirmation. Now comes the fun part, which part do we need to take out to force it across the tunnel? If we take out the ACL going to the 128.170.x.x, would that cut off all Internet access including the tunnel? My thinking would be that the only ACL that would need to be there would be the one to the router at HQ right? Or would it need to be going to the concentrator and drop the ACL to the router?

Thank you.

Scott

Reply to
deca2499

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.