help!: vpn client can't surf the Internet via proxy-cache server

Discussion in 'Cisco' started by untitled, Nov 20, 2003.

    untitled (Guest)

    Hi all,

    I am using a cisco VPN 3000 series concentrator for remote access VPN
    for staff. The public interface of this VPN box is in the same subnet as
    our web cache server (eg, 211.1.1.0/24). The private interface of this
    VPN box is in a different subnet (eg, 192.168.1.0/24). The VPN clients,
    once connected and tunnelling set up, are given a client IP in the same
    private subnet as the VPN private interface (eg, 192.168.1.100).

    There is a problem accessing the company web cache server from VPN
    clients. The VPN clients cannot reach it or are being blocked. The web
    cache server is supposed to be used when the VPN client connects to the
    Internet, but not when accessing the intranet (ie, direct to intranet).

    The routes in the VPN box are as follows:

    default -> 211.1.1.1 (gateway of the public subnet)
    211.1.1.0/24 -> 192.168.1.1 (gateway of the private subnet)
    172.16.0.0/16 -> 192.168.1.1 (for the corporate intranet)
    The gateway for tunnelled traffic is set to 192.168.1.1.

    It says the 192.168.1.1 gateway is to be used when the VPN client accesses
    the web cache server inside 211.1.1.0/24, just like when accessing the
    corporate intranet servers inside 172.16.0.0/16, but it doesn't work.

    Note that although the web cache server is not inside the intranet, it
    is only allowed access by "inside" IPs (172.16.0.0/16 and
    192.168.1.0/24). And it knows how to route between itself and 192.168.1.0/24.

    If I skip the web cache server in the browser settings and go direct
    to the Internet (just like accessing the intranet), it works.

    Could it be that the web cache server does not know how to route the
    request back to the VPN client via the tunnel, possibly due to a
    mis-configuration on the VPN box? Or the web browser uses the public IP
    given by the ISP during dialup, instead of the tunnelled client IP?

    Can someone enlighten me? Many thanks.

    Mun
     
    untitled, Nov 20, 2003
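The post ends with two hypotheses: the cache server may lack a return route to the tunnelled client, or the browser may be sending from the ISP-assigned public address rather than the tunnel address. The following added example (not from the thread, and not Cisco code) models both as a small routing walk-through: a longest-prefix-match over the client's split-tunnel list decides the egress interface and source address, the cache server's source ACL decides whether it accepts, and the cache server's routing table decides the reply hop. All addresses and the split-tunnel lists are constructed placeholders in the thread's example numbering (211.1.1.0/24 public, 192.168.1.0/24 private, 172.16.0.0/16 intranet); the concentrator's public interface address and the cache host are assumed.

```python
import ipaddress

# Constructed placeholders following the thread's example numbering.
TUNNEL_IP = "192.168.1.100"    # client IP handed out by the concentrator
ISP_IP = "198.51.100.23"       # assumed: address the dialup ISP gave the client
VPN_PUBLIC_IF = "211.1.1.2"    # assumed: concentrator's public interface
WEB_CACHE = "211.1.1.50"       # assumed: the web cache (proxy) server
INTRANET_HOST = "172.16.5.10"  # assumed: some intranet server

# Source networks the web cache server accepts, as stated in the post.
CACHE_ALLOWED = [ipaddress.ip_network(n) for n in ("172.16.0.0/16", "192.168.1.0/24")]

# Constructed routing table of the web cache server: a route back to the VPN
# private subnet via the concentrator's public interface, default to the gateway.
CACHE_ROUTES = {
    ipaddress.ip_network("0.0.0.0/0"): "211.1.1.1",
    ipaddress.ip_network("192.168.1.0/24"): VPN_PUBLIC_IF,
}

# Two candidate split-tunnel lists pushed to the client (constructed).
SPLIT_WITHOUT_CACHE = [ipaddress.ip_network(n) for n in ("172.16.0.0/16", "192.168.1.0/24")]
SPLIT_WITH_CACHE = SPLIT_WITHOUT_CACHE + [ipaddress.ip_network("211.1.1.0/24")]


def longest_match(dst, table):
    """Classic longest-prefix match; returns the best matching network or None."""
    ip = ipaddress.ip_address(dst)
    candidates = [net for net in table if ip in net]
    return max(candidates, key=lambda n: n.prefixlen, default=None)


def client_egress(dst, split_tunnel_nets):
    """Interface and source address the VPN client uses for dst.

    Destinations matching the split-tunnel list enter the tunnel with the
    tunnel IP; anything else leaves the ISP interface with the public IP.
    """
    if longest_match(dst, split_tunnel_nets) is None:
        return "isp", ISP_IP
    return "tunnel", TUNNEL_IP


def cache_accepts(src):
    """Source ACL on the web cache server."""
    return any(ipaddress.ip_address(src) in net for net in CACHE_ALLOWED)


def cache_return_hop(src):
    """Next hop the web cache server uses when replying to src."""
    return CACHE_ROUTES[longest_match(src, CACHE_ROUTES)]


def trace_proxy_request(split_tunnel_nets):
    """Walk one browser -> proxy request and report where it would stop."""
    iface, src = client_egress(WEB_CACHE, split_tunnel_nets)
    allowed = cache_accepts(src)
    reply_hop = cache_return_hop(src) if allowed else None
    return {"egress": iface, "src": src, "cache_accepts": allowed, "reply_via": reply_hop}


if __name__ == "__main__":
    for label, nets in (("without cache subnet", SPLIT_WITHOUT_CACHE),
                        ("with cache subnet", SPLIT_WITH_CACHE)):
        print(f"split tunnel {label}: {trace_proxy_request(nets)}")
    print("intranet host:", client_egress(INTRANET_HOST, SPLIT_WITHOUT_CACHE))
```

Running it shows the two outcomes side by side: when the cache subnet is absent from the split-tunnel list the request leaves the ISP interface with the public address and the cache's source ACL rejects it, which matches the symptom in the post; when the subnet is included, the request enters the tunnel with the 192.168.1.x address and the cache has a return route via the concentrator. On a real client the same check is `route print` or `netstat -rn` while the tunnel is up, looking for a route to the cache subnet through the VPN adapter.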
