From: deca2499 on 17 Jun 2008 09:26

Hello everyone,

I am trying to figure out a problem we are having at the company I work at. Let me give you a bit of an overview.

HQ in Mason, Ohio with a VPN3005, outside IP of 172.20.180.90/30 (changed the first octet for security), inside IP of 172.20.180.96/27.
Branch in Pasadena, California with a PIX 506E, outside IP of 132.15.161.122, inside IP 172.20.180.129/26.

The problem I am having is that HQ has a proxy that monitors Internet traffic and websites. The branch office is not getting Internet traffic through the proxy. They can get to unauthorized and blocked websites. I am thinking it may be some kind of routing issue, but am not sure at this point. I have been looking at the newsgroups and am finding that, if I am understanding correctly, the PIX will not send packets back out the same interface on which they arrived.

I am rather new at working with PIXs and Cisco routers, so my understanding is not that great on this issue. Basically I need help figuring out how to get ALL the traffic to come across the VPN to run through our proxy at the HQ. If you need more info, please let me know.

Thank you in advance for all your help.
From: artie lange on 17 Jun 2008 10:50

deca2499 wrote:
> The problem I am having is that HQ has a proxy that monitors Internet
> traffic and websites. Branch office is not getting Internet traffic
> through the proxy. They can get to unauthorized and blocked websites.
> I am thinking it may be some kind of routing issue, but am not sure at
> this point. I have been looking at the newsgroups and am finding that,
> if I am understanding correctly, the PIX will not send packets back
> out the same interface in which they arrived.

A couple of options: block http/https traffic from exiting the 506E at the branch office and force the http/https connections through the HQ. Also, have you identified the proxy server in the settings of the browser?

In regards to the PIX sending packets out the same interface they arrived on, it all depends on the OS version of the PIX and VPN concentrator.
From: deca2499 on 17 Jun 2008 12:43

On Jun 17, 10:50 am, artie lange <Ar...(a)lange.com> wrote:
> deca2499 wrote:
> > The problem I am having is that HQ has a proxy that monitors Internet
> > traffic and websites. Branch office is not getting Internet traffic
> > through the proxy. They can get to unauthorized and blocked websites.
> > I am thinking it may be some kind of routing issue, but am not sure at
> > this point. I have been looking at the newsgroups and am finding that,
> > if I am understanding correctly, the PIX will not send packets back
> > out the same interface in which they arrived.
>
> A couple of options: block http/https traffic from exiting the 506E at
> the branch office and force the http/https connections through the HQ.
> Also, have you identified the proxy server in the settings of the browser?
>
> In regards to the PIX sending packets out the same interface they arrived
> on, it all depends on the OS version of the PIX and VPN concentrator.

If I were to block the http/https traffic from exiting the 506E, what kind of rule would I use to force it through the VPN tunnel compared to dropping all http/s traffic? Would I have to put in a rule that tells it to go to the VPN and not bypass? I am new to dealing with more than the simple home firewall.

Thank you for your prompt response.
From: artie lange on 17 Jun 2008 12:46

deca2499 wrote:
> If I were to block the http/https traffic from exiting the 506E, what
> kind of rule would I use to force it through the VPN tunnel compared
> to dropping all http/s traffic? Would I have to put in a rule that
> tells it to go to the VPN and not bypass? I am new to dealing with
> more than the simple home firewall.
>
> Thank you for your prompt response.

No. If you are using a true proxy server, you need to configure the Internet browser to use the proxy server address. What web filtering technology are you using (name, brand, etc.)?
From: Andrey Tarasov on 17 Jun 2008 12:51

deca2499 wrote:
> I am trying to figure out a problem we are having at the company I
> work at. Let me give you a bit of an overview.
>
> HQ in Mason, Ohio with a VPN3005, Outside IP of 172.20.180.90/30
> (Changed the first octet for security). Inside IP of 172.20.180.96/27
> Branch in Pasadena, California with a PIX 506E, outside IP of
> 132.15.161.122. Inside IP 172.20.180.129/26.
>
> The problem I am having is that HQ has a proxy that monitors Internet
> traffic and websites. Branch office is not getting Internet traffic
> through the proxy. They can get to unauthorized and blocked websites.
> I am thinking it may be some kind of routing issue, but am not sure at
> this point. I have been looking at the newsgroups and am finding that,
> if I am understanding correctly, the PIX will not send packets back
> out the same interface in which they arrived.
>
> I am rather new at working with PIXs and Cisco routers, so my
> understanding is not that great on this issue. Basically I need help
> on figuring out how to get ALL the traffic to come across the VPN to
> run through our proxy at the HQ. If you need more info, please let me
> know.
>
> Thank you in advance for all your help.

It might be something as simple as split tunnel. Check the ACL used in the crypto map on the PIX. If it allows only internal IP ranges, the rest of the traffic from the branch office will be sent to the Internet directly.

Regards,
Andrey.
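A PIX 6.x configuration fragment, added here as an illustration and not taken from any post in the thread, showing the split-tunnel crypto ACL Andrey describes next to the full-tunnel form that sends all branch traffic to HQ. The addresses are the ones the original poster gave; the names to_hq, hqmap and strong are assumed, and the VPN3005 at HQ is assumed to carry the mirror-image network list and to route branch traffic to the proxy and back out (the hairpin the original poster asked about happens on the HQ side, not on the 506E).

```cisco
! Lines starting with "!" are annotations, not PIX commands.

! --- Split tunnel (what the thread suspects is in place): only HQ's inside
! --- subnet counts as "interesting" traffic, so branch web sessions to the
! --- Internet leave the 506E's outside interface directly, bypassing the proxy.
access-list to_hq permit ip 172.20.180.128 255.255.255.192 172.20.180.96 255.255.255.224

! --- Full tunnel: every packet from the branch LAN matches the crypto ACL
! --- and is carried through the IPsec tunnel to the VPN3005 at HQ.
! --- Use this ACE instead of the one above.
access-list to_hq permit ip 172.20.180.128 255.255.255.192 any

! Exempt tunnelled traffic from NAT so HQ sees the real branch addresses.
nat (inside) 0 access-list to_hq

! Bind the ACL to the crypto map entry that peers with the HQ concentrator.
crypto map hqmap 10 ipsec-isakmp
crypto map hqmap 10 match address to_hq
crypto map hqmap 10 set peer 172.20.180.90
crypto map hqmap 10 set transform-set strong
crypto map hqmap interface outside
sysopt connection permit-ipsec

! Checks after the change: the "any" ACE should accumulate hit counts for
! Internet-bound traffic, and the IPsec SA should show local 172.20.180.128/26
! with remote 0.0.0.0/0 rather than 172.20.180.96/27.
! show access-list to_hq
! show crypto ipsec sa
```

If the hit counter on the "any" ACE stays at zero while branch users still reach blocked sites, the traffic is not matching the crypto map and is being routed out the outside interface as plain Internet traffic.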