branch to central office vpn with internet via the central office

cmelbourne
Level 1

We have a VPN between a branch and central office. We want to control the internet access from the branch office, so basically any users in the branch office who want to access a website will have to come over the VPN to the central office and break out via another separate internet connection.

Is this just a case of permitting the access-list from any to any in the vpn and then creating the default route to the central office vpn termination point ?

7 Replies

thomuff
Level 3

We have a similar configuration. We are allowing any to any in the VPN. Our VPN termination point for the tunnel at the central office is a VPN Concentrator. The traffic is routed through the internal network over to the PIX and then out. I would limit access on the inside interface of the PIX. Other options would be using a proxy with a Web Content Filter, or using a Web Content Filter that is mirroring the internal interface, or a filter that works with the PIX. Or you could use an appliance at the remote office that acts as a Web Content Filter and a VPN end point.

Hope this helps

I am not clear in the original post whether Chris is talking about a router to router VPN, a router to Concentrator VPN, a router to Firewall VPN, or a software client to Concentrator (or Firewall or Router) VPN. The solution will be somewhat different depending on which type of VPN it is. Perhaps Chris can clarify and then we will be in a position to give better answers.

HTH

Rick


Thanks for the emails.

I am using a Cisco 2800 series in the central office and an 1841 in the branch office to create the VPN tunnel.

Chris

Thanks for the additional information. It is helpful to know that it is a router to router VPN. I believe that the key to achieving your objective is dependent on how you have configured routing on the remote router. Are you running a dynamic routing protocol to the remote router, or are you doing static routes (and a default route) on the remote router? The key is what kind of default route the remote router has. If it has a default route where the next hop is the provider device out of your public interface, then you have no control over their web access. If you have a default route which points to your central router (over the VPN) as the next hop, then all their Internet traffic will be sent to your central router and you will have control over their Internet traffic.

If you want to be very sure that this solution works you could configure an access list outbound on the public interface which would deny any outbound traffic that was not going through the VPN.

HTH

Rick


Rick,

If he configures the crypto ACL in a way that it matches his internal subnet as source and any destination, there should be no reason to worry about the default route on the remote router ... don't you think? In this case the default will only serve to provide IP reachability to the other end of the VPN tunnel, and all packets from the inside LAN should match the crypto ACL and get sent over the IPsec tunnel. Once the decryption happens on the other side, normal routing will carry them either to the remote subnet or to the internet. What is your opinion about this?

Atif
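Putting Atif's "LAN source, any destination" crypto ACL and Rick's outbound public-interface ACL together as a branch-side IOS configuration (an added example, not posted by anyone in the thread; the addresses, interface names, PSK placeholder and the outbound-ACL ordering assumption are mine, not Chris's real values):

```cisco
! Branch router (1841) -- constructed example, not from the thread.
! Placeholder addresses: 192.168.10.0/24 branch LAN,
! 198.51.100.2 branch public IP, 203.0.113.1 central-office peer.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.1
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
! Crypto ACL: branch LAN as source, ANY destination, so web traffic
! is "interesting" and is carried over the tunnel (Atif's point).
! The central router needs the mirror image: permit ip any 192.168.10.0 0.0.0.255
ip access-list extended CRYPTO-ACL
 permit ip 192.168.10.0 0.0.0.255 any
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address CRYPTO-ACL
!
! Outbound ACL on the public interface (Rick's belt-and-braces check).
! Assumption: IOS evaluates this ACL on the plaintext packet before it is
! marked traffic gets encrypted, and does not apply it to router-originated
! IKE/ESP, so the LAN prefix must be permitted here; any other source
! trying to leave in the clear is dropped and logged.
ip access-list extended OUTSIDE-OUT
 permit ip 192.168.10.0 0.0.0.255 any
 deny   ip any any log
!
interface FastEthernet0/0
 description Internet uplink (public)
 ip address 198.51.100.2 255.255.255.252
 ip access-group OUTSIDE-OUT out
 crypto map VPN
!
interface FastEthernet0/1
 description Branch LAN
 ip address 192.168.10.1 255.255.255.0
!
! The default route exists only so the router can reach the peer;
! LAN traffic matches CRYPTO-ACL before it is forwarded out.
ip route 0.0.0.0 0.0.0.0 198.51.100.1
```

The central office still has to NAT 192.168.10.0/24 on its own Internet egress and apply whatever web filtering it wants there; the branch side only guarantees the traffic arrives via the tunnel.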

My answer was based on how I have configured this kind of situation. What will be the result if there is no SA for the remote peer (problem on the remote peer or something) so there is no IPSec tunnel and the default still points out to the provider?

HTH

Rick


Good question. My guess would be that nothing will go through. Have you tested a situation like this? If yes what was the result?
