VPN Clients accessing Internet

May 4th, 2009

Hello


Is it possible for a VPN Client user to access the Internet when the VPN Router is not the Internet Gateway? I got this to work by using a Proxy Server, but I'd rather not do that.


Thanks

r.bishop Tue, 05/05/2009 - 05:01

Hi,


It sounds to me like you are describing a need for "split tunneling" whereby a client can connect to a VPN router/firewall whilst also connecting directly to the Internet without having to send Internet traffic via the VPN tunnel.


This is configurable with Cisco routers/firewalls; however, it is a security risk and is not recommended, since if the client is compromised while connected to the Internet and the corporate network at the same time it could open a big hole into the network.


Here is a link for the IOS Router config:


http://www.cisco.com/en/US/partner/products/hw/routers/ps274/products_configuration_example09186a0080819289.shtml


There are some firewalls (e.g. ASA-55xx) that support VPN "hairpinning" that allows Internet bound traffic to be routed back out of the outside interface without having to pass through a proxy server first. This is more secure than allowing split-tunneling, but may introduce a performance overhead.


You also mention that the VPN router is not the Internet gateway. If neither of the above is appropriate then it may be worth sending in a network topology just to understand your setup a little better?


Thanks

Russell

infosateng Tue, 05/05/2009 - 07:28

Thanks Russell


If you could have a quick look at this diagram to see if we can do something else, as I don't want to set up Split Tunneling, and I'm using a Router, not an ASA.


If your recommendation is just to use a Proxy, we will just have to live with that.


Thanks



r.bishop Tue, 05/05/2009 - 08:29

Hi there,


I'm having problems reading the document. Are you able to save it in a different format?


Thanks

Russell

Correct Answer
r.bishop Tue, 05/05/2009 - 13:31

OK - based on the equipment you have and the current topology, in my opinion your best bet is to continue with the proxy server. This will also give you control over what users can access while they are also connected to the corporate network which is no bad thing.


There may be something that you could do with Policy Based Routing based on using the source addresses of the VPN pool, but this starts to become messy.


Unless there is a neat way of enabling hairpinning in IOS, as is available on the ASA, I would stay with the proxy server.


Hope this helps?


Thanks,

Russell

r.bishop Wed, 05/06/2009 - 00:47

Hi there,


One more thought and may be worth a try - if you have any spare interfaces on the firewalls you could create a "DMZ" and terminate the inside interface of the VPN router on there. You would also need to add a policy based route on the VPN router to send all traffic from the VPN pool range to the DMZ interface. The firewalls would then need to be configured to NAT and route this traffic out to the Internet or simply route to the internal LAN. You may also need to add a static route on the firewalls to send all traffic destined for the VPN pool back to the VPN router. This way the Internet traffic can also be monitored by your corporate firewalls.


To be honest though I'm not sure what you would gain from doing this since using the proxy server will achieve pretty much the same result without using any more interfaces on your firewall?


Thanks

Russell
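As an added illustration, not posted by Russell and not taken from the thread, here is roughly what the policy-based route described in the post above (and the "PBR on the VPN pool source addresses" idea mentioned earlier in the thread) would look like on an IOS VPN router. Every address, interface name, ACL name and route-map name below is an assumed placeholder; the firewall side is vendor-specific and is only described in comments.

```cisco
! Added example, not from the thread. All addresses, names and interfaces are
! assumed placeholders:
!   VPN client pool ......... 10.200.0.0/24 (the "ip local pool" handed to clients)
!   Internal LAN ............ 10.0.0.0/8
!   Link to firewall DMZ .... GigabitEthernet0/2, router side 192.168.50.2/30,
!                             firewall DMZ interface 192.168.50.1
!   VPN termination ......... GigabitEthernet0/0 (crypto map applied here)
!
! 1. Identify traffic sourced from the VPN pool. Traffic to the internal LAN is
!    excluded here so it keeps the normal routing path; remove the deny line if
!    the firewalls should inspect LAN-bound client traffic as well.
ip access-list extended VPN-POOL-TO-DMZ
 deny   ip 10.200.0.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 10.200.0.0 0.0.0.255 any
!
! 2. Policy-route the matched traffic to the firewall's DMZ interface instead of
!    following the routing table (the Internet-bound default route).
route-map VPN-TO-DMZ permit 10
 match ip address VPN-POOL-TO-DMZ
 set ip next-hop 192.168.50.1
!
! 3. Apply the policy on the interface where the decrypted client packets enter
!    the router. With a crypto map that is the outside interface; with a
!    virtual-template (DVTI) style VPN it belongs on the virtual-template.
interface GigabitEthernet0/0
 description Outside - VPN client termination
 ip policy route-map VPN-TO-DMZ
!
interface GigabitEthernet0/2
 description Link to firewall DMZ
 ip address 192.168.50.2 255.255.255.252
!
! 4. Firewall side (vendor-specific, not shown): a static route for
!    10.200.0.0/24 via 192.168.50.2 so return traffic comes back to the VPN
!    router, and a NAT rule for the pool on the firewall's outside interface.
!
! Verification: the route-map hit counters should increment while a connected
! client browses the Internet.
!   show route-map VPN-TO-DMZ
!   show ip policy
```

Two points worth knowing before relying on this: an ACL `deny` under PBR does not drop the packet, it simply lets it fall through to normal routing, which is what keeps client-to-LAN traffic off the DMZ link; and if the firewall's return route for the pool is missing, client sessions will appear to hang rather than fail cleanly, so check the firewall routing table first when troubleshooting.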
