All networktraffic through VPN

Unanswered Question
May 10th, 2007

I'm no expert so I hope I explain everything right.

Let me first say something about our configuration a little bit: we have 3 sites: one main (A) and to branch offices (B+C). All have diferent subnets: 192.168.10.0 (A), 192.168.20 (B) and 192.168.30.0 (C). On each of them we have a Cisco 878 router. A VPN connection is configured between these sites. At the mainsite (A) we have an ISA server. Behind it is a Cisco 877 router connected to the internet. At site A all traffic meant for the internet (browsing etc.) passes through the ISA server and the 877 router.

I was told, that it was not possible to route all networktraffic from e.g. a client at site B through the router on site B to the router at site A and from there to the ISA server onto the internet (in case client at site B is browsing the internet e.g.). They said it is only possible to route traffic for the different subnets, but all other traffic would go directly onto the internet from the router at site B or C. Other option was to block all traffic from the branch offices to the internet except for traffic between subnets. The only way to force a client to use the ISA server was by configure it as a proxyclient (which has drawbacks)

My question: is the person who installed it, telling me the correct story?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
hoogen_82 Thu, 05/10/2007 - 10:30

I am not sure if this is the answer your looking for. Assuming the ISA server is your web prozy server. All the users in the browser lan settings would have their proxy web address as the ISA server. So now to access internet they would come across the wan through your VPN to the ISA server and from there they would get access to the Intenet, now to ensure that everyone has this enabled in their browser on your site A 877 router put a access-list allowing web access only from your ISA server. This way all other trying to go outside directly without the ISA being the proxy would have thier traffic dropped. Another thing instead of having internet traffic coming to the 877 router and then getting dropped, you could put an access-list on the site router itself being port specific so that the bandwidth is used properly and not wasted.

If proxy is a problem i don't see any other method. I use Squid proxy running on Linux which is excellent and don't see any problem using it.

HTH

Hoogen

Actions

This Discussion