Internet traffic through VPN to

Posted by deca2499 on June 17, 2008, 9:26 am
Hello everyone,

I am trying to figure out a problem we are having at the company I
work at. Let me give you a bit of an overview.

HQ in Mason, Ohio with a VPN3005, Outside IP of 172.20.180.90/30
(Changed the first octet for security). Inside IP of 172.20.180.96/27
Branch in Pasadena, California with a PIX 506E, outside IP of
132.15.161.122. Inside IP 172.20.180.129/26.

The problem I am having is that HQ has a proxy that monitors Internet
traffic and websites. Branch office is not getting Internet traffic
through the proxy. They can get to unauthorized and blocked websites.
I am thinking it may be some kind of routing issue, but am not sure at
this point. I have been looking at the newsgroups and am finding that,
if I am understanding correctly, the PIX will not send packets back
out the same interface in which they arrived.

I am rather new at working with PIXs and Cisco routers, so my
understanding is not that great on this issue. Basically I need help
on figuring out how to get ALL the traffic to come across the VPN to
run through our proxy at the HQ. If you need more info, please let me
know.

Thank you in advance for all your help.

Posted by artie lange on June 17, 2008, 10:50 am
deca2499 wrote:

> The problem I am having is that HQ has a proxy that monitors Internet
> traffic and websites. Branch office is not getting Internet traffic
> through the proxy. They can get to unauthorized and blocked websites.
> I am thinking it may be some kind of routing issue, but am not sure at
> this point. I have been looking at the newsgroups and am finding that,
> if I am understanding correctly, the PIX will not send packets back
> out the same interface in which they arrived.

A couple of options: block http/https traffic from exiting the 506E at
the branch office and force the http/https connections through the HQ.
Also, have you identified the proxy server in the settings of the browser?

In regards to the PIX sending packets out the same interface it arrived
on, it all depends on the OS version of the PIX and VPN concentrator.

Posted by deca2499 on June 17, 2008, 12:43 pm
> deca2499 wrote:
> > The problem I am having is that HQ has a proxy that monitors Internet
> > traffic and websites. Branch office is not getting Internet traffic
> > through the proxy. They can get to unauthorized and blocked websites.
> > I am thinking it may be some kind of routing issue, but am not sure at
> > this point. I have been looking at the newsgroups and am finding that,
> > if I am understanding correctly, the PIX will not send packets back
> > out the same interface in which they arrived.
>
> A couple of options: block http/https traffic from exiting the 506E at
> the branch office and force the http/https connections through the HQ.
> Also, have you identified the proxy server in the settings of the browser?
>
> In regards to the PIX sending packets out the same interface it arrived
> on, it all depends on the OS version of the PIX and VPN concentrator.

If I were to block the http/https traffic from exiting the 506E, what
kind of rule would I use to force it through the VPN tunnel compared
to dropping all http/s traffic? Would I have to put in a rule that
tells it to go to the VPN and not bypass? I am new to dealing with
more than the simple home firewall.

Thank you for your prompt response.

Posted by artie lange on June 17, 2008, 12:46 pm
deca2499 wrote:

> If I were to block the http/https traffic from exiting the 506E, what
> kind of rule would I use to force it through the VPN tunnel compared
> to dropping all http/s traffic? Would I have to put in a rule that
> tells it to go to the VPN and not bypass? I am new to dealing with
> more than the simple home firewall.
>
> Thank you for your prompt response.


No, if you are using a true proxy server, you need to configure the
internet browser to use a proxy server address. What web filtering
technologies are you using (name, brand, etc.)?

Posted by deca2499 on June 17, 2008, 1:44 pm
> deca2499 wrote:
> > If I were to block the http/https traffic from exiting the 506E, what
> > kind of rule would I use to force it through the VPN tunnel compared
> > to dropping all http/s traffic? Would I have to put in a rule that
> > tells it to go to the VPN and not bypass? I am new to dealing with
> > more than the simple home firewall.
>
> > Thank you for your prompt response.
>
> No, if you are using a true proxy server, you need to configure the
> internet browser to use a proxy server address. What web filtering
> technologies are you using (name, brand, etc.)?

I was wrong to say that we are using a proxy. However, the
web filtering software we are using is eSafe.
