VPN Clients accessing Internet

infosateng
Level 1

Hello

Is it possible for a VPN Client user to access the Internet when the VPN Router is not the Internet Gateway? I got this to work by using a Proxy Server, but I'd rather not do that.

Thanks

1 Accepted Solution

OK - based on the equipment you have and the current topology, in my opinion your best bet is to continue with the proxy server. This will also give you control over what users can access while they are also connected to the corporate network, which is no bad thing.

There may be something that you could do with Policy Based Routing based on using the source addresses of the VPN pool, but this starts to become messy.

Unless there is a neat way of enabling hairpinning in IOS, as is available on the ASA, I would stay with the proxy server.

Hope this helps?

Thanks,

Russell


6 Replies

r.bishop
Level 1

Hi,

It sounds to me like you are describing a need for "split tunneling" whereby a client can connect to a VPN router/firewall whilst also connecting directly to the Internet without having to send Internet traffic via the VPN tunnel.

This is configurable with Cisco routers/firewalls; however, it is a security risk and is not recommended, since if the client is compromised while connected to the Internet and the corporate network at the same time it could open a big hole into the network.

Here is a link for the IOS Router config:

http://www.cisco.com/en/US/partner/products/hw/routers/ps274/products_configuration_example09186a0080819289.shtml

There are some firewalls (e.g. ASA-55xx) that support VPN "hairpinning" that allows Internet bound traffic to be routed back out of the outside interface without having to pass through a proxy server first. This is more secure than allowing split-tunneling, but may introduce a performance overhead.

You also mention that the VPN router is not the Internet gateway. If neither of the above is appropriate, then it may be worth sending in a network topology just to understand your setup a little better?

Thanks

Russell

Thanks Russell

If you could have a quick look at this diagram to see if we can do something else, as I don't want to set up Split Tunneling, and I'm using a Router, not an ASA.

If your recommendation is just to use a Proxy, we will just have to live with that.

Thanks

Hi there,

I'm having problems reading the document. Are you able to save it in a different format?

Thanks

Russell

OK, I've added it as a JPEG.

Hi there,

One more thought, and it may be worth a try - if you have any spare interfaces on the firewalls you could create a "DMZ" and terminate the inside interface of the VPN router on there. You would also need to add a policy-based route on the VPN router to send all traffic from the VPN pool range to the DMZ interface. The firewalls would then need to be configured to NAT and route this traffic out to the Internet, or simply route it to the internal LAN. You may also need to add a static route on the firewalls to send all traffic destined for the VPN pool back to the VPN router. This way the Internet traffic can also be monitored by your corporate firewalls.

To be honest though I'm not sure what you would gain from doing this since using the proxy server will achieve pretty much the same result without using any more interfaces on your firewall?

Thanks

Russell
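The DMZ plus policy-based routing design Russell sketches above, written out as an added IOS configuration that is not from the thread. The VPN pool 10.99.0.0/24, the corporate LAN 10.0.0.0/8, the firewall's DMZ address 192.168.50.1, the VPN router's inside address 192.168.50.2 and a DVTI-based Easy VPN server on Virtual-Template1 are all assumed values.

```cisco
! Added example (not from the thread). Assumed values:
!   VPN client pool          10.99.0.0/24
!   corporate LAN            10.0.0.0/8
!   firewall DMZ interface   192.168.50.1  (VPN router inside interface is 192.168.50.2)
!   VPN server type          DVTI Easy VPN server on Virtual-Template1
!
ip local pool VPN-POOL 10.99.0.1 10.99.0.254
!
! Match only pool traffic that is NOT destined for the corporate LAN.
! Packets hitting a deny entry are not policy-routed and follow the
! normal routing table, so corporate-bound traffic is unaffected.
ip access-list extended VPN-POOL-INTERNET
 remark corporate-bound traffic keeps normal routing
 deny   ip 10.99.0.0 0.0.0.255 10.0.0.0 0.255.255.255
 remark everything else from the pool is Internet-bound
 permit ip 10.99.0.0 0.0.0.255 any
!
! Policy-based route: hand Internet-bound pool traffic to the firewall's
! DMZ address so the corporate firewall can NAT, inspect and log it.
route-map VPN-CLIENTS-TO-FW permit 10
 match ip address VPN-POOL-INTERNET
 set ip next-hop 192.168.50.1
!
! Apply the policy where decrypted client traffic enters the router.
! With a crypto-map based server, apply it to the outside (crypto)
! interface instead of the virtual template.
interface Virtual-Template1 type tunnel
 ip policy route-map VPN-CLIENTS-TO-FW
!
! On the firewall (vendor-specific syntax, so stated as intent only):
!   - static route 10.99.0.0/24 via 192.168.50.2 on the DMZ interface
!     (return path for Internet replies to the VPN clients)
!   - NAT 10.99.0.0/24 behind the outside address for Internet-bound flows
!   - permit DMZ -> outside for the pool, with the same web policy as LAN users
!
! Verify on the router once a client browses the Internet:
!   show route-map VPN-CLIENTS-TO-FW      (policy routing match counters increase)
!   show ip access-lists VPN-POOL-INTERNET
```

If the firewall's route back to the pool is missing, clients will still reach the Internet but replies are dropped at the firewall, so check that static route first when browsing fails.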
