VPN with access to Internet

vidaluzarista
Level 1

Hi All, I have a VPN between my NOC and a remote point. I want the Internet access (browsing, mail etc.) of my users at the remote point to use the proxy of my NOC; I need them to use the Internet of my NOC.

I need to control access to the Internet. At the moment the users connect to the VPN to access the systems; nevertheless, to make use of the Internet they go out using the connection of the local Internet provider.

How can I do it so that they use the Internet of the NOC through the VPN?

In my router the configuration is:

ip audit notify log
ip audit po max-events 100
ip ssh break-string
no ftp-server write-enable
no scripting tcl init
no scripting tcl encdir
!
! IKE phase 1 policy and the pre-shared key for the remote peer
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key xxx address x.x.x.x
!
! IPsec phase 2 transform set and crypto map; ACL 100 selects the traffic to encrypt
crypto ipsec transform-set DICE esp-3des esp-sha-hmac
!
crypto map DICE 10 ipsec-isakmp
 description DICE-CE
 set peer 165.98.23.66
 set transform-set DICE
 match address 100
!
! LAN side (NAT inside)
interface Ethernet0
 ip address 192.168.120.250 255.255.255.0
 ip nat inside
 no cdp enable
 hold-queue 32 in
!
! WAN side (NAT outside); the crypto map is applied on this interface
interface Ethernet1
 ip address 165.98.23.50 255.255.255.240
 ip nat outside
 duplex full
 no cdp enable
 crypto map DICE
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
! PAT of traffic matching ACL 101 behind the Ethernet1 address
ip nat inside source list 101 interface Ethernet1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 165.98.23.49
ip route 165.98.23.64 255.255.255.240 165.98.236.49
ip route 192.168.2.0 255.255.255.0 165.98.23.66
no ip http server
no ip http secure-server
!
! ACL 100: traffic to encrypt (crypto map match address)
! ACL 101: traffic to NAT; the site-to-site traffic is excluded so it is not translated before encryption
access-list 100 permit ip 192.168.120.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny ip 192.168.120.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.120.0 0.0.0.255 any
snmp-server community public RO
snmp-server enable traps tty
!
control-plane
!
line con 0
 exec-timeout 120 0
 no modem enable
 transport preferred all
 transport output all
 stopbits 1
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 login local
 transport preferred all
 transport input all
 transport output all
!
scheduler max-task-time 5000

3 Replies

spremkumar
Level 9

Hi

I feel you have posted the config of the router kept in your NOC, which has the crypto map set and the ACL too, encrypting the traffic matching 192.168.120.0 0.0.0.255 192.168.2.0 0.0.0.255.

Can you revert whether you are using a router there in the remote location with which you are establishing the VPN?

Also, can you post the config of the remote router?

If you place a default route pointing towards your NOC end router IP, that will take care of that. But make sure you are encrypting only the interesting traffic which is required to do so.

I meant interesting traffic as the traffic between your locations which is sensitive in nature, not the Internet traffic.

Regards

tcordier
Level 1

Hi Vida,

I assume you pasted the configuration of your hub (NOC) router, and that you have a similar configuration at the remote site. I also assume that you want to make sure that all users on the remote site do pass through the proxy at the NOC when they access the Internet, and that local Internet traffic is not possible at the remote site.

In order to achieve this you can use the crypto map and configure it to send all traffic in the IPsec tunnel. For example:

access-list 100 permit ip x.x.x.x 0.0.0.255 0.0.0.0 255.255.255.255

where x.x.x.x is the local subnet used in your remote location. All traffic will then be encrypted and be forced to the IPsec peer. Additionally, you need to configure the local browsers to use the proxy in the NOC location, and make sure that the IPsec peer in the NOC has routing to the proxy.

In this way, the local users cannot access the Internet on the remote site. Additionally (or alternatively) you could disable NAT on the remote site. If there is no NAT configuration, Internet browsing will also become impossible over the local Internet access.

HTH, Thomas
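The check a practitioner would want before widening the crypto ACL as Thomas suggests is whether the NAT ACL still lets Internet-bound packets escape. On IOS, inside-to-outside NAT is applied before the crypto map ACL is evaluated, so once a packet has been translated to the Ethernet1 address it no longer matches a crypto ACL written for the private LAN and goes to the local ISP in the clear. The script below is an added example (not from this thread or from Cisco); it models that order of operations over the ACL 100/101 lines of the posted config and over two "tunnel everything" variants. The external host 203.0.113.7 is a constructed documentation address.

```python
import ipaddress

# ACLs from the posted config: 100 = crypto match, 101 = NAT source list.
ORIGINAL_ACLS = """
access-list 100 permit ip 192.168.120.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny ip 192.168.120.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.120.0 0.0.0.255 any
"""

# Constructed variant: crypto ACL widened to "any", NAT ACL left unchanged.
TUNNEL_ALL_NAT_UNCHANGED = """
access-list 100 permit ip 192.168.120.0 0.0.0.255 any
access-list 101 deny ip 192.168.120.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.120.0 0.0.0.255 any
"""

# Constructed variant: crypto ACL widened AND the NAT ACL denies the same traffic.
TUNNEL_ALL_NAT_FIXED = """
access-list 100 permit ip 192.168.120.0 0.0.0.255 any
access-list 101 deny ip 192.168.120.0 0.0.0.255 any
"""

OUTSIDE_IP = "165.98.23.50"  # Ethernet1 address in the posted config (PAT source)


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tokens, i):
    """Return (network, wildcard, next_index) for one ACE address field."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2


def parse_acls(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into {N: [ACEs]}."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[3] != "ip":
            continue  # only the extended-IP ACEs used on this page are modelled
        src, swild, i = _parse_addr(t, 4)
        dst, dwild, _ = _parse_addr(t, i)
        acls.setdefault(t[1], []).append((t[2], src, swild, dst, dwild))
    return acls


def _match(addr, net, wild):
    mask = 0xFFFFFFFF ^ wild          # wildcard bits are "don't care"
    return (addr & mask) == (net & mask)


def acl_action(acl, src, dst):
    """First-match evaluation with the implicit deny at the end."""
    for action, ns, ws, nd, wd in acl:
        if _match(src, ns, ws) and _match(dst, nd, wd):
            return action
    return "deny"


def classify_flow(acl_text, src_ip, dst_ip, nat_acl="101", crypto_acl="100",
                  outside_ip=OUTSIDE_IP):
    """Classify an inside->outside flow using the IOS order of operations:
    NAT first, then the crypto map ACL sees the (possibly translated) source."""
    acls = parse_acls(acl_text)
    src, dst = _ip(src_ip), _ip(dst_ip)
    natted = acl_action(acls.get(nat_acl, []), src, dst) == "permit"
    if natted:
        src = _ip(outside_ip)
    encrypted = acl_action(acls.get(crypto_acl, []), src, dst) == "permit"
    if encrypted and not natted:
        return "tunneled"               # reaches the NOC inside the IPsec SA
    if natted and not encrypted:
        return "clear-via-local-isp"    # bypasses the NOC proxy entirely
    if natted and encrypted:
        return "natted-then-tunneled"
    return "clear-unnatted"             # private source leaks out untranslated


def find_leaks(acl_text, src_ip, dst_ips):
    """Destinations that would still leave through the local ISP in the clear."""
    return [d for d in dst_ips
            if classify_flow(acl_text, src_ip, d) == "clear-via-local-isp"]


if __name__ == "__main__":
    flows = ["192.168.2.5", "203.0.113.7"]
    for name, text in [("original", ORIGINAL_ACLS),
                       ("tunnel-all, NAT unchanged", TUNNEL_ALL_NAT_UNCHANGED),
                       ("tunnel-all, NAT fixed", TUNNEL_ALL_NAT_FIXED)]:
        print(name, "leaks:", find_leaks(text, "192.168.120.10", flows))
```

The middle variant is the trap: the crypto ACL now says "permit ... any", yet Internet-bound packets are translated to 165.98.23.50 first and never match it, so they still reach the ISP unencrypted. Denying the whole LAN in the NAT ACL (or removing the NAT statement, as Thomas also suggests) closes that path, after which the NOC end must NAT or proxy the traffic on behalf of the 192.168.x source addresses it now receives through the tunnel.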

I don't know whether I'm right or wrong... but the best solution to this problem is to throw the Internet settings for your PCs from the central server (if you are using Windows ADS) using Group Policies. Also disable the option to uncheck proxy settings using group policies.
