12-05-2005 09:28 AM - edited 03-03-2019 11:09 AM
Hi All, I have a VPN between my NOC and a remote point. I want the Internet access (browsing, mail etc.) of my users at the remote point to go through the proxy of my NOC; I need them to use the Internet of my NOC.
I need to control access to the Internet. At the moment the users connect to the VPN to access the systems, but to use the Internet they go out through the Internet provider's connection.
How can I make them use the Internet of the NOC via the VPN?
In my router the configuration is:
ip audit notify log
ip audit po max-events 100
ip ssh break-string
no ftp-server write-enable
no scripting tcl init
no scripting tcl encdir
!
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
crypto isakmp key xxx address x.x.x.x
!
!
crypto ipsec transform-set DICE esp-3des esp-sha-hmac
!
crypto map DICE 10 ipsec-isakmp
description DICE-CE
set peer 165.98.23.66
set transform-set DICE
match address 100
!
!
!
!
interface Ethernet0
ip address 192.168.120.250 255.255.255.0
ip nat inside
no cdp enable
hold-queue 32 in
!
interface Ethernet1
ip address 165.98.23.50 255.255.255.240
ip nat outside
duplex full
no cdp enable
crypto map DICE
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
ip nat inside source list 101 interface Ethernet1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 165.98.23.49
ip route 165.98.23.64 255.255.255.240 165.98.236.49
ip route 192.168.2.0 255.255.255.0 165.98.23.66
no ip http server
no ip http secure-server
!
!
access-list 100 permit ip 192.168.120.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny ip 192.168.120.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.120.0 0.0.0.255 any
snmp-server community public RO
snmp-server enable traps tty
!
control-plane
!
!
line con 0
exec-timeout 120 0
no modem enable
transport preferred all
transport output all
stopbits 1
line aux 0
transport preferred all
transport output all
line vty 0 4
access-class 23 in
exec-timeout 120 0
login local
transport preferred all
transport input all
transport output all
!
scheduler max-task-time 5000
12-05-2005 11:34 PM
Hi
I feel you have posted the config of the router kept in your NOC, which has the crypto map set and an ACL encrypting the traffic matching 192.168.120.0 0.0.0.255 192.168.2.0 0.0.0.255.
Can you confirm whether you are using a router at the remote location with which you are establishing the VPN?
Also, can you post the config of the remote router?
If you place a default route pointing towards your NOC end router IP, that will take care of that. But make sure you are encrypting only the interesting traffic which is required to do so.
I mean interesting traffic as the traffic between your locations which is sensitive in nature, not the Internet traffic.
Regards
12-06-2005 06:00 AM
Hi Vida,
I assume you pasted the configuration of your hub (NOC) router, and that you have a similar configuration at the remote site. I also assume that you want to make sure that all users on the remote site do pass through the proxy at the NOC when they access the Internet, and that local Internet traffic is not possible at the remote site.
In order to achieve this you can use the crypto-map and configure it to send all traffic in the IPSec tunnel. For example:
access-list 100 permit ip x.x.x.x 0.0.0.255 any
where x.x.x.x is the local subnet used in your remote location. All traffic will then be encrypted and be forced to the IPSec peer. Additionally, you need to configure the local browsers to use the proxy in the NOC location, and make sure that the IPSec peer in the NOC has routing to the proxy.
In this way, the local users cannot access the Internet on the remote site. Additionally (or alternatively) you could disable NAT on the remote site. If there is no NAT configuration, Internet browsing will also become impossible over the local Internet access.
HTH, Thomas
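Thomas's crypto-ACL advice and the first reply's warning about encrypting only the interesting traffic both hinge on one ordering detail: on IOS, inside-to-outside NAT is applied before the crypto map is consulted, so a flow the NAT ACL permits reaches the crypto ACL with the router's outside address as its source and no longer matches. The following Python model is added here and is not from the thread; it replays that order over the hub's posted ACLs and two constructed remote-site variants (192.168.2.0/24 and 165.98.23.66 come from the posted config, 8.8.8.8 is a constructed sample Internet destination).

```python
import ipaddress
def _net(tok, i):
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    wc = int(ipaddress.ip_address(tok[i + 1]))
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard {tok[i + 1]} not supported")
    # a contiguous IOS wildcard of N low bits is a /(32-N) prefix
    return ipaddress.ip_network(f"{tok[i]}/{32 - wc.bit_length()}", strict=False), i + 2

def parse_acls(lines):
    """Group 'access-list N permit|deny ip SRC DST' entries by ACL number."""
    acls = {}
    for line in lines:
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "ip":
            continue  # only the 'ip SRC DST' form used in the thread is modelled
        src, i = _net(tok, 4)
        dst, _ = _net(tok, i)
        acls.setdefault(tok[1], []).append((tok[2], src, dst))
    return acls

def acl_permits(rules, src, dst):
    """First-match evaluation, with the implicit deny at the end."""
    for action, s, d in rules:
        if src in s and dst in d:
            return action == "permit"
    return False

def classify_flow(acls, crypto_acl, nat_acl, outside_ip, src, dst):
    """'tunnel' if the crypto map encrypts src->dst, else 'clear'. IOS applies
    inside-to-outside NAT first, so a NAT-permitted flow is matched against
    the crypto ACL with the translated (outside) source address."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if acl_permits(acls.get(nat_acl, []), src, dst):
        src = ipaddress.ip_address(outside_ip)
    return "tunnel" if acl_permits(acls.get(crypto_acl, []), src, dst) else "clear"
# Hub ACLs as posted in the thread; both remote-site variants are constructed.
HUB = parse_acls([
    "access-list 100 permit ip 192.168.120.0 0.0.0.255 192.168.2.0 0.0.0.255",
    "access-list 101 deny ip 192.168.120.0 0.0.0.255 192.168.2.0 0.0.0.255",
    "access-list 101 permit ip 192.168.120.0 0.0.0.255 any",
])
# Remote site: crypto ACL sends all LAN traffic to the hub, but NAT is left on.
REMOTE_LEAKY = parse_acls([
    "access-list 100 permit ip 192.168.2.0 0.0.0.255 any",
    "access-list 101 permit ip 192.168.2.0 0.0.0.255 any",
])
# Remote site with NAT removed (no ACL 101 at all): all LAN traffic is tunnelled.
REMOTE_FIXED = parse_acls(["access-list 100 permit ip 192.168.2.0 0.0.0.255 any"])
```

With the leaky variant every flow, even one to the hub LAN, is translated and leaves in the clear; removing NAT (or mirroring the crypto ACL as a deny at the top of the NAT ACL, as the hub's ACL 101 does) is what makes the "permit ... any" crypto ACL actually force traffic into the tunnel.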
12-11-2005 08:25 AM
I don't know whether I'm right or wrong... but the best solution to this problem is to throw the Internet settings for your PCs from the central server (if you are using Windows ADS) using Group Policies. Also disable the option to uncheck proxy settings using Group Policies.