Internet traffic through VPN to

Discussion in 'Cisco' started by deca2499, Jun 17, 2008.

  1. deca2499

    deca2499 Guest

    Hello everyone,

    I am trying to figure out a problem we are having at the company I
    work at. Let me give you a bit of an overview.

    HQ in Mason, Ohio with a VPN3005, outside IP of 172.20.180.90/30
    (changed the first octet for security), inside IP of 172.20.180.96/27.
    Branch in Pasadena, California with a PIX 506E, outside IP of
    132.15.161.122, inside IP 172.20.180.129/26.

    The problem I am having is that HQ has a proxy that monitors Internet
    traffic and websites. Branch office is not getting Internet traffic
    through the proxy. They can get to unauthorized and blocked websites.
    I am thinking it may be some kind of routing issue, but am not sure at
    this point. I have been looking at the newsgroups and am finding that,
    if I am understanding correctly, the PIX will not send packets back
    out the same interface in which they arrived.

    I am rather new at working with PIXs and Cisco routers, so my
    understanding is not that great on this issue. Basically I need help
    on figuring out how to get the ALL traffic to come across the VPN to
    run through our proxy at the HQ. If you need more info, please let me
    know.

    Thank you in advance for all your help.
     
    deca2499, Jun 17, 2008
    #1

  2. deca2499

    deca2499 Guest

    On Jun 17, 10:50 am, artie lange <> wrote:
    > deca2499 wrote:
    > > The problem I am having is that HQ has a proxy that monitors Internet
    > > traffic and websites. Branch office is not getting Internet traffic
    > > through the proxy. They can get to unauthorized and blocked websites.
    > > I am thinking it may be some kind of routing issue, but am not sure at
    > > this point. I have been looking at the newsgroups and am finding that,
    > > if I am understanding correctly, the PIX will not send packets back
    > > out the same interface in which they arrived.
    >
    > A couple of options, block http/https traffic from exiting the 506E at
    > the branch office and force the http/https connections through the HQ.
    > Also have you identified the proxy server in the settings of the browser?
    >
    > In regards to the PIX sending packets out the same interface it arrived
    > on, it all depends of the OS version of the PIX and VPN concentrator.


    If I were to block the http/https traffic from exiting the 506E, what
    kind of rule would I use to force it through the VPN tunnel compared
    to dropping all http/s traffic? Would I have to put in a rule that
    tells it to go to the VPN and not bypass? I am new to dealing with
    more than the simple home firewall.

    Thank you for your prompt response.
     
    deca2499, Jun 17, 2008
    #2

  3. deca2499 wrote:

    > I am trying to figure out a problem we are having at the company I
    > work at. Let me give you a bit of an overview.
    >
    > HQ in Mason, Ohio with a VPN3005, Outside IP of 172.20.180.90/30
    > (Changed the first octet for security). Inside IP of 172.20.180.96/27
    > Branch in Pasadena, California with a PIX 506E, outside IP of
    > 132.15.161.122. Inside IP 172.20.180.129/26.
    >
    > The problem I am having is that HQ has a proxy that monitors Internet
    > traffic and websites. Branch office is not getting Internet traffic
    > through the proxy. They can get to unauthorized and blocked websites.
    > I am thinking it may be some kind of routing issue, but am not sure at
    > this point. I have been looking at the newsgroups and am finding that,
    > if I am understanding correctly, the PIX will not send packets back
    > out the same interface in which they arrived.
    >
    > I am rather new at working with PIXs and Cisco routers, so my
    > understanding is not that great on this issue. Basically I need help
    > on figuring out how to get the ALL traffic to come across the VPN to
    > run through our proxy at the HQ. If you need more info, please let me
    > know.
    >
    > Thank you in advance for all your help.


    It might be something as simple as a split tunnel. Check the ACL used in
    the crypto map on the PIX. If it allows only internal IP ranges, the rest
    of the traffic from the branch office will be sent to the Internet directly.

    Regards,
    Andrey.
     
    Andrey Tarasov, Jun 17, 2008
    #3
  4. deca2499

    deca2499 Guest

    On Jun 17, 12:46 pm, artie lange <> wrote:
    > deca2499 wrote:
    > > If I were to block the http/https traffic from exiting the 506E, what
    > > kind of rule would I use to force it through the VPN tunnel compared
    > > to dropping all http/s traffic? Would I have to put in a rule that
    > > tells it to go to the VPN and not bypass? I am new to dealing with
    > > more than the simple home firewall.
    > >
    > > Thank you for your prompt response.
    >
    > no if you are using a true proxy server, you need to configure the
    > internet browser to use a proxy server address. What web filtering
    > technologies are you using (Name, brand, etc..)


    I was wrong to say that we are using a proxy. However, the
    web-filtering software we are using is eSafe.
     
    deca2499, Jun 17, 2008
    #4
  5. deca2499

    deca2499 Guest

    On Jun 17, 12:51 pm, Andrey Tarasov <> wrote:
    > It might be something simple as split tunnel. Check ACL used in crypto
    > map on PIX. If it allows only internal IP ranges, rest of the traffic
    > from branch office will be sent to internet directly.
    >
    > Regards,
    > Andrey.


    Here is everything that I can find with regards to crypto map on the
    PIX:

    crypto map vpn2 10 ipsec-isakmp
    crypto map vpn2 10 match address 101
    crypto map vpn2 10 set peer VPNConcentrator
    crypto map vpn2 10 set transform-set vpn2
    crypto map vpn2 interface outside
     
    deca2499, Jun 17, 2008
    #5
  6. deca2499

    deca2499 Guest

    On Jun 17, 2:01 pm, deca2499 <> wrote:
    > Here is everything that I can find with regards to crypto map on the
    > PIX:
    >
    > crypto map vpn2 10 ipsec-isakmp
    > crypto map vpn2 10 match address 101
    > crypto map vpn2 10 set peer VPNConcentrator
    > crypto map vpn2 10 set transform-set vpn2
    > crypto map vpn2 interface outside


    I was looking at the 506E setup and see all the ACL ip permits:
    access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.180.0 255.255.255.192
    access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.137.0 255.255.255.0
    access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.138.0 255.255.255.0
    access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.187.0 255.255.255.0
    access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.186.0 255.255.255.0
    access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.182.0 255.255.255.0
    access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.211.0 255.255.255.0
    access-list 101 permit ip 172.16.180.128 255.255.255.192 128.170.205.0 255.255.255.0
    access-list 101 permit ip 172.16.180.128 255.255.255.192 128.170.65.0 255.255.255.0
    access-list 101 permit ip 172.16.180.128 255.255.255.192 128.170.64.0 255.255.255.0
    access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.180.96 255.255.255.240
    access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.180.68 255.255.255.252
    access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.180.64 255.255.255.252

    Here is what I am not sure of, these three lines are for ATT.
    All the lines above it are for closet switches, and the last three
    lines are for the VPN concentrator, 2811 router, and 4507 switch that
    is behind the 2811 router.

    My question would be should there only be a link to ATT, and to the
    VPN concentrator? I would think that the concentrator would forward
    all packets from the VPN to the 2811 router. Am I correct in this
    thinking?
    The branch switch IP is the 172.16.180.128.
    The internal interface on the 506 is 172.16.180.129.
     
    deca2499, Jun 17, 2008
    #6
  7. deca2499

    deca2499 Guest

    On Jun 17, 2:43 pm, deca2499 <> wrote:
    > Here is what I am not sure of, these three lines are for ATT.
    > All the lines above it are for closet switches, and the last three
    > lines are for the VPN concentrator, 2811 router, and 4507 switch that
    > is behind the 2811 router.
    >
    > My question would be should there only be a link to ATT, and to the
    > VPN concentrator? I would think that the concentrator would forward
    > all packets from the VPN to the 2811 router. Am I correct in this
    > thinking?
    > The branch switch IP is the 172.16.180.128.
    > The internal interface on the 506 is 172.16.180.129.

    Oooppss.. These three lines for ATT...
    access-list 101 permit ip 172.16.180.128 255.255.255.192 128.170.205.0 255.255.255.0
    access-list 101 permit ip 172.16.180.128 255.255.255.192 128.170.65.0 255.255.255.0
    access-list 101 permit ip 172.16.180.128 255.255.255.192 128.170.64.0 255.255.255.0
     
    deca2499, Jun 17, 2008
    #7
  8. deca2499 wrote:

    >> I was looking at the 506E setup and see all the ACL ip permits:
    >> access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.180.0 255.255.255.192
    >> access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.137.0 255.255.255.0
    >> access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.138.0 255.255.255.0
    >> access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.187.0 255.255.255.0
    >> access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.186.0 255.255.255.0
    >> access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.182.0 255.255.255.0
    >> access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.211.0 255.255.255.0
    >> access-list 101 permit ip 172.16.180.128 255.255.255.192 128.170.205.0 255.255.255.0
    >> access-list 101 permit ip 172.16.180.128 255.255.255.192 128.170.65.0 255.255.255.0
    >> access-list 101 permit ip 172.16.180.128 255.255.255.192 128.170.64.0 255.255.255.0
    >> access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.180.96 255.255.255.240
    >> access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.180.68 255.255.255.252
    >> access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.180.64 255.255.255.252
    >>
    >> Here is what I am not sure of, these three lines are for ATT.
    >> All the lines above it are for closet switches, and the last three
    >> lines are for the VPN concentrator, 2811 router, and 4507 switch that
    >> is behind the 2811 router.
    >>
    >> My question would be should there only be a link to ATT, and to the
    >> VPN concentrator? I would think that the concentrator would forward
    >> all packets from the VPN to the 2811 router. Am I correct in this
    >> thinking?
    >> The branch switch IP is the 172.16.180.128.
    >> The internal interface on the 506 is 172.16.180.129.

    > Oooppss.. These three lines for ATT...
    > access-list 101 permit ip 172.16.180.128 255.255.255.192 128.170.205.0 255.255.255.0
    > access-list 101 permit ip 172.16.180.128 255.255.255.192 128.170.65.0 255.255.255.0
    > access-list 101 permit ip 172.16.180.128 255.255.255.192 128.170.64.0 255.255.255.0


    Assuming you posted the complete ACL 101, the VPN tunnel between the 506E
    and the concentrator is indeed a split one. Only traffic between the branch
    and HQ is being sent over the tunnel. Traffic to the Internet is being sent directly.

    Regards,
    Andrey.
     
    Andrey Tarasov, Jun 17, 2008
    #8
  9. deca2499

    deca2499 Guest

    On Jun 17, 6:06 pm, Andrey Tarasov <> wrote:
    > Assuming you posted complete ACL 101, VPN tunnel between 506E and
    > concentrator is indeed split one. Only traffic between branch and HQ is
    > being sent over the tunnel. Traffic to Internet is being sent directly.
    >
    > Regards,
    > Andrey.


    That is what I was thinking but wanted confirmation. Now comes the fun
    part, which part do we need to take out to force it across the tunnel?
    If we take out the ACL going to the 128.170.x.x, would that cut off
    all Internet access including the tunnel? My thinking would be that
    the only ACL that would need to be there would be the one to the
    router at HQ right? Or would it need to be going to the concentrator
    and drop the ACL to the router?

    Thank you.

    Scott
     
    deca2499, Jun 18, 2008
    #9
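The diagnosis in this thread (post #8) and the follow-up question in post #9 both come down to one mechanism: the ACL referenced by `crypto map vpn2 10 match address 101` defines the IPsec "interesting traffic", and any branch packet whose destination matches no permit entry leaves the PIX's outside interface in the clear. The script below is an added example written for this page, not code from the thread or from Cisco. It parses the ACL 101 lines exactly as posted, then classifies sample destinations as "tunnel" or "direct". The `ACL_FULL_TUNNEL` entry (a `permit ip <branch> any` ACE) and the destination addresses used in the demo are constructed assumptions to show how the classification changes when the crypto ACL covers every destination; they are not part of the original configuration.

```python
import ipaddress

# Crypto ACL copied from the thread (PIX syntax: src net, src mask, dst net, dst mask).
ACL_101 = """
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.180.0 255.255.255.192
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.137.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.138.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.187.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.186.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.182.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.211.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 128.170.205.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 128.170.65.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 128.170.64.0 255.255.255.0
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.180.96 255.255.255.240
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.180.68 255.255.255.252
access-list 101 permit ip 172.16.180.128 255.255.255.192 172.16.180.64 255.255.255.252
"""

# Constructed comparison ACL (NOT from the thread): a single ACE that makes every
# destination "interesting", i.e. a full tunnel instead of a split tunnel.
ACL_FULL_TUNNEL = """
access-list 102 permit ip 172.16.180.128 255.255.255.192 any
"""


def _parse_addr(parts, i):
    """Read one PIX address spec at parts[i]: 'any', 'host A', or 'A MASK'.
    PIX ACLs use ordinary netmasks (not IOS wildcard masks)."""
    if parts[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if parts[i] == "host":
        return ipaddress.ip_network(parts[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{parts[i]}/{parts[i + 1]}", strict=False), i + 2


def parse_pix_acl(text):
    """Return a list of (src_network, dst_network) for every 'permit ip' ACE."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "access-list" or parts[2:4] != ["permit", "ip"]:
            continue  # not a permit-ip ACE: ignore
        try:
            src, i = _parse_addr(parts, 4)
            dst, _ = _parse_addr(parts, i)
        except (IndexError, ValueError):
            continue  # malformed line: skip rather than guess
        entries.append((src, dst))
    return entries


def path_for(acl, src_ip, dst_ip):
    """'tunnel' if some ACE matches src/dst (IPsec interesting traffic),
    otherwise 'direct' (the packet leaves the outside interface unencrypted)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return "tunnel"
    return "direct"


def is_split_tunnel(acl):
    """True when no ACE covers every destination, so some traffic bypasses the tunnel."""
    return not any(dst.prefixlen == 0 for _, dst in acl)


def direct_destinations(acl, src_ip, dst_ips):
    """Subset of dst_ips that a given branch host would reach outside the tunnel."""
    return [d for d in dst_ips if path_for(acl, src_ip, d) == "direct"]


if __name__ == "__main__":
    branch_host = "172.16.180.140"          # constructed host inside 172.16.180.128/26
    targets = ["172.16.137.5", "172.16.180.98", "192.0.2.10"]  # last one: constructed public IP
    for name, text in (("ACL 101 (as posted)", ACL_101), ("full-tunnel ACE", ACL_FULL_TUNNEL)):
        acl = parse_pix_acl(text)
        print(f"{name}: split tunnel = {is_split_tunnel(acl)}")
        for t in targets:
            print(f"  {branch_host} -> {t}: {path_for(acl, branch_host, t)}")
```

Running it shows the posted ACL classifying the HQ subnets as "tunnel" and the public address as "direct", which is Andrey's split-tunnel diagnosis; with the constructed `permit ip ... any` ACE everything is "tunnel". Two caveats belong with that result: the crypto ACL on the concentrator side must mirror whatever the PIX uses, and once Internet-bound traffic arrives at HQ over the tunnel the HQ device has to route and NAT it back out, which is the same-interface forwarding question raised in the first post.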
