Velocity Reviews - Computer Hardware Reviews

Internet traffic through VPN to

 
 
deca2499
06-17-2008
Hello everyone,

I am trying to figure out a problem we are having at the company I
work at. Let me give you a bit of an overview.

HQ in Mason, Ohio with a VPN3005, Outside IP of 172.20.180.90/30
(Changed the first octet for security). Inside IP of 172.20.180.96/27
Branch in Pasadena, California with a PIX 506E, outside IP of
132.15.161.122. Inside IP 172.20.180.129/26.

The problem I am having is that HQ has a proxy that monitors Internet
traffic and websites. Branch office is not getting Internet traffic
through the proxy. They can get to unauthorized and blocked websites.
I am thinking it may be some kind of routing issue, but am not sure at
this point. I have been looking at the newsgroups and am finding that,
if I am understanding correctly, the PIX will not send packets back
out the same interface in which they arrived.

I am rather new at working with PIXs and Cisco routers, so my
understanding is not that great on this issue. Basically I need help
on figuring out how to get ALL the traffic to come across the VPN to
run through our proxy at the HQ. If you need more info, please let me
know.

Thank you in advance for all your help.
 
deca2499
06-17-2008
On Jun 17, 10:50 am, artie lange <(E-Mail Removed)> wrote:
> deca2499 wrote:
> > The problem I am having is that HQ has a proxy that monitors Internet
> > traffic and websites. Branch office is not getting Internet traffic
> > through the proxy. They can get to unauthorized and blocked websites.
> > I am thinking it may be some kind of routing issue, but am not sure at
> > this point. I have been looking at the newsgroups and am finding that,
> > if I am understanding correctly, the PIX will not send packets back
> > out the same interface in which they arrived.

>
> A couple of options: block http/https traffic from exiting the 506E at
> the branch office and force the http/https connections through the HQ.
> Also, have you identified the proxy server in the settings of the browser?
>
> In regards to the PIX sending packets out the same interface it arrived
> on, it all depends on the OS version of the PIX and VPN concentrator.

If I were to block the http/https traffic from exiting the 506E, what
kind of rule would I use to force it through the VPN tunnel compared
to dropping all http/s traffic? Would I have to put in a rule that
tells it to go to the VPN and not bypass? I am new to dealing with
more than the simple home firewall.

Thank you for your prompt response.
 
Andrey Tarasov
06-17-2008
deca2499 wrote:

> The problem I am having is that HQ has a proxy that monitors Internet
> traffic and websites. Branch office is not getting Internet traffic
> through the proxy. They can get to unauthorized and blocked websites.
> I am thinking it may be some kind of routing issue, but am not sure at
> this point. I have been looking at the newsgroups and am finding that,
> if I am understanding correctly, the PIX will not send packets back
> out the same interface in which they arrived.

It might be something as simple as a split tunnel. Check the ACL used in the
crypto map on the PIX. If it allows only internal IP ranges, the rest of the
traffic from the branch office will be sent to the Internet directly.

Regards,
Andrey.
 
deca2499
06-17-2008
On Jun 17, 12:46 pm, artie lange <(E-Mail Removed)> wrote:
> deca2499 wrote:
> > If I were to block the http/https traffic from exiting the 506E, what
> > kind of rule would I use to force it through the VPN tunnel compared
> > to dropping all http/s traffic? Would I have to put in a rule that
> > tells it to go to the VPN and not bypass? I am new to dealing with
> > more than the simple home firewall.
> >
> > Thank you for your prompt response.
>
> No, if you are using a true proxy server, you need to configure the
> Internet browser to use a proxy server address. What web filtering
> technologies are you using (name, brand, etc.)?

I was wrong to say that we are using a proxy. However, the
web-filtering software we are using is eSafe.
 
deca2499
06-17-2008
On Jun 17, 12:51 pm, Andrey Tarasov <(E-Mail Removed)> wrote:
> It might be something simple as split tunnel. Check ACL used in crypto
> map on PIX. If it allows only internal IP ranges, rest of the traffic
> from branch office will be sent to internet directly.

Here is everything that I can find with regards to crypto map on the
PIX:

crypto map vpn2 10 ipsec-isakmp
crypto map vpn2 10 match address 101
crypto map vpn2 10 set peer VPNConcentrator
crypto map vpn2 10 set transform-set vpn2
crypto map vpn2 interface outside

 
deca2499
06-17-2008
On Jun 17, 2:01 pm, deca2499 <(E-Mail Removed)> wrote:
> Here is everything that I can find with regards to crypto map on the
> PIX:
>
> crypto map vpn2 10 ipsec-isakmp
> crypto map vpn2 10 match address 101
> crypto map vpn2 10 set peer VPNConcentrator
> crypto map vpn2 10 set transform-set vpn2
> crypto map vpn2 interface outside

I was looking at the 506E setup and see all the ACL ip permits:

access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.180.0 255.255.255.192
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.137.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.138.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.187.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.186.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.182.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.211.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 128.170.205.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 128.170.65.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 128.170.64.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.180.96 255.255.255.240
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.180.68 255.255.255.252
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.180.64 255.255.255.252

Here is what I am not sure of: these three lines are for ATT.
All the lines above them are for closet switches, and the last three
lines are for the VPN concentrator, 2811 router, and 4507 switch that
is behind the 2811 router.

My question would be: should there only be a link to ATT and to the
VPN concentrator? I would think that the concentrator would forward
all packets from the VPN to the 2811 router. Am I correct in this
thinking?
The branch switch IP is 172.16.180.128.
The internal interface on the 506 is 172.16.180.129.
 
deca2499
06-17-2008
On Jun 17, 2:43 pm, deca2499 <(E-Mail Removed)> wrote:
> Here is what I am not sure of, these three lines are for ATT.
> All the lines above it are for closet switches, and the last three
> lines are for the VPN concentrator, 2811 router, and 4507 switch that
> is behind the 2811 router.

Oops.. These three lines are for ATT:

access-list 101 permit ip 172.16.180.128 255.255.255.192 128.170.205.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 128.170.65.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 128.170.64.0 255.255.255.0
 
Andrey Tarasov
06-17-2008
deca2499 wrote:

> I was looking at the 506E setup and see all the ACL ip permits:
> access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.180.0 255.255.255.192
> access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.137.0 255.255.255.0
> access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.138.0 255.255.255.0
> access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.187.0 255.255.255.0
> access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.186.0 255.255.255.0
> access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.182.0 255.255.255.0
> access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.211.0 255.255.255.0
> access-list 101 permit ip 172.16.180.128 255.255.255.192 128.170.205.0 255.255.255.0
> access-list 101 permit ip 172.16.180.128 255.255.255.192 128.170.65.0 255.255.255.0
> access-list 101 permit ip 172.16.180.128 255.255.255.192 128.170.64.0 255.255.255.0
> access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.180.96 255.255.255.240
> access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.180.68 255.255.255.252
> access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.180.64 255.255.255.252

Assuming you posted the complete ACL 101, the VPN tunnel between the 506E and
the concentrator is indeed a split one. Only traffic between the branch and HQ
is being sent over the tunnel. Traffic to the Internet is being sent directly.

Regards,
Andrey.
 
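To make the split-tunnel diagnosis above concrete, here is an added example (not code from the thread, from Cisco, or from any of the posters) that parses the access-list 101 lines posted earlier, re-joined onto single lines, and asks which flows from the branch LAN the PIX would treat as "interesting traffic" to encrypt into the tunnel and which it would forward out the outside interface in the clear. The branch host 172.16.180.150, the Internet probe 203.0.113.10 (an RFC 5737 documentation address) and the one-line "full-tunnel" ACL are constructed for illustration and are assumptions, not anything posted in the thread. The matching semantics used (the first ACE covering source and destination decides; no match means the packet is not interesting and is routed normally) are how a PIX crypto ACL works.

```python
"""Classify branch flows against a PIX crypto ACL to show split vs full tunneling.

Added example for this thread, not code from the original posts. The ACL text
is the access-list 101 posted in the thread, re-joined onto single lines; the
probe addresses and the full-tunnel ACL are constructed for illustration.
"""
import ipaddress

# Crypto ACL 101 as posted for the branch PIX 506E (wrapped lines re-joined).
CRYPTO_ACL_101 = """
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.180.0 255.255.255.192
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.137.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.138.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.187.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.186.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.182.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.211.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 128.170.205.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 128.170.65.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 128.170.64.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.180.96 255.255.255.240
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.180.68 255.255.255.252
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.180.64 255.255.255.252
"""

# Hypothetical full-tunnel ACL (assumption, not from the thread): every
# destination reached from the branch LAN becomes interesting traffic.
FULL_TUNNEL_ACL = """
access-list 101 permit ip 172.16.180.128 255.255.255.192 any
"""


def _parse_addr(tokens):
    """Consume one PIX address spec ('any', 'host A', or 'A MASK'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # PIX 6.x access-lists use real subnet masks, not IOS-style wildcard masks.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_pix_acl(text):
    """Return [(action, src_net, dst_net)] for 'access-list N permit|deny ip SRC DST' lines."""
    entries = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue  # only plain IP ACEs are relevant to a crypto ACL here
        action = tokens[2]
        src, rest = _parse_addr(tokens[4:])
        dst, _ = _parse_addr(rest)
        entries.append((action, src, dst))
    return entries


def is_tunneled(entries, src, dst):
    """First matching ACE decides; a permit means encrypt, no match means send in the clear."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False


def classify_flows(acl_text, src, destinations):
    """Map each destination to 'tunnel' or 'clear' for a given source under the crypto ACL."""
    entries = parse_pix_acl(acl_text)
    return {dst: ("tunnel" if is_tunneled(entries, src, dst) else "clear")
            for dst in destinations}


if __name__ == "__main__":
    branch_host = "172.16.180.150"      # constructed host inside the branch /26
    probes = ["172.16.137.10",           # an HQ closet-switch range from the ACL
              "128.170.64.5",            # one of the ATT ranges from the ACL
              "203.0.113.10"]            # constructed Internet destination (TEST-NET-3)
    for name, acl in (("ACL 101 as posted", CRYPTO_ACL_101),
                      ("full-tunnel ACL (hypothetical)", FULL_TUNNEL_ACL)):
        print(name)
        for dst, verdict in classify_flows(acl, branch_host, probes).items():
            print(f"  {branch_host} -> {dst}: {verdict}")
```

Under the posted ACL the Internet probe comes back as "clear", which is exactly the behaviour the branch is seeing: web traffic never enters the tunnel, so the HQ filter never sees it. Widening the crypto ACL on the PIX to the full-tunnel form only changes what the branch encrypts; the HQ side of the tunnel has to be configured to match, and HQ then has to accept branch traffic destined for the Internet, run it through the filter and route it back out, so both ends need changing together.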
 
deca2499
06-18-2008
On Jun 17, 6:06 pm, Andrey Tarasov <(E-Mail Removed)> wrote:
> Assuming you posted complete ACL 101, VPN tunnel between 506E and
> concentrator is indeed split one. Only traffic between branch and HQ is
> being sent over the tunnel. Traffic to Internet is being sent directly.

That is what I was thinking but wanted confirmation. Now comes the fun
part: which part do we need to take out to force it across the tunnel?
If we take out the ACL going to the 128.170.x.x, would that cut off
all Internet access including the tunnel? My thinking would be that
the only ACL that would need to be there would be the one to the
router at HQ, right? Or would it need to be going to the concentrator
and drop the ACL to the router?

Thank you.

Scott
 