05-16-2001 08:05 AM - edited 02-21-2020 11:20 AM
Hello, We're looking to set up VPNs, and we already have a few in place, but our dilemma is that we want to force the remote end to do all their internet access/browsing through us, and take advantage of our tracking, logging, firewall, etc. We have a 3005 on our end, and our two sites so far have a PIX 506 and a 1720. Both of these sites go out their own connection for internet access, and everything else goes through us (so this is essentially split-tunneling) but that is not what we want. We are looking into the 3002 for some of our smaller sites. Can you hook up the 3002 and 3005 so that all the remote users (on the 3002 end) have to go out our internet connection for web access? I would think there has to be a way to make this work (via the 3002 or something else) to take advantage of centralized monitoring & tracking. Let me know your thoughts!
Thanks,
-Tim
05-16-2001 10:44 AM
I am assuming that your Internet connection is on the other side of the PIX.
If that is the case you should be able to set a rule there that would allow Internet access from the remote site to go back out to the Internet.
I have a similar setup, remote users to a 3030 in parallel with a PIX. I had to DENY, at the PIX, to dis-allow Internet browsing from the VPN.
Then it would just be a matter of pointing the routing statements to the PIX.
05-18-2001 12:36 AM
Why not change your access lists (used for IPsec) in your PIX and 1720 which capture interesting packets to your head office, so that the access lists capture every packet to tunnel them to your 3005. I don't know how you positioned your 3005 and firewall in your head office. According to your setup you may have to change the default gateway of tunneled traffic to your firewall (if it has to be different from the default gateway).
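To make the "capture every packet" suggestion above concrete, here is an added configuration example (not posted by anyone in this thread) showing the split-tunnel crypto ACL beside the full-tunnel version on an IOS router such as the 1720 and on a PIX 6.x such as the 506. All addresses, ACL numbers and map names are made up for illustration: the head office LAN is assumed to be 192.168.10.0/24, the 1720 site 192.168.20.0/24 and the PIX site 192.168.30.0/24.

```text
! ---- 1720 (IOS) ----
! Split tunnel (what the thread describes today): only traffic to the
! head-office LAN is "interesting" and gets encrypted; everything else
! leaves via the site's own Internet connection.
access-list 110 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
!
! Full tunnel (what the original poster wants): every packet from the
! site LAN is interesting, so Internet-bound traffic is also sent to
! the head office. Replace the line above with this one.
access-list 110 permit ip 192.168.20.0 0.0.0.255 any
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.1          ! constructed head-office peer address
 set transform-set ESP-3DES-SHA
 match address 110             ! the ACL above decides what is tunneled

! ---- PIX 506 (PIX 6.x syntax) ----
! Split tunnel: interesting traffic is site LAN -> head-office LAN only.
access-list VPN permit ip 192.168.30.0 255.255.255.0 192.168.10.0 255.255.255.0
!
! Full tunnel: replace with "any" so all traffic is encrypted to the hub.
access-list VPN permit ip 192.168.30.0 255.255.255.0 any
!
! The same ACL must also exempt tunneled traffic from NAT, otherwise the
! PIX translates it before the crypto map can match it.
nat (inside) 0 access-list VPN
crypto map VPN 10 ipsec-isakmp
crypto map VPN 10 match address VPN
crypto map VPN 10 set peer 203.0.113.1
crypto map VPN 10 set transform-set ESP-3DES-SHA
crypto map VPN interface outside
sysopt connection permit-ipsec
```

Two things to check after the change. First, the head-end policy must be the mirror image (the 3005's network list for this peer has to include 0.0.0.0/0 rather than only the head-office LAN), or phase 2 negotiation fails once the remote proposes "any". Second, as the reply above notes, traffic arriving from the tunnel with Internet destinations needs a route and a NAT rule out through the head-office firewall; until that exists, remote users lose web access entirely rather than being logged centrally, so test with one site before rolling it out.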