Solved

Configure certain traffic not to use VPN tunnel

Posted on 2009-07-13
Last Modified: 2012-05-07
We have our remote locations that connect to our main site through a VPN tunnel to make use of web filtering, email, home directories, IDS, etc. There is a hosted time keeping application that is experiencing some latency issues and the vendor is claiming the problem is not at their end. I need to prove to them that it is. Is there a way to route that particular traffic to go straight out to the internet instead of the VPN? My IP Route 0.0.0.0 0.0.0.0 statement uses the tunnel interface with an associated access list.
0
Question by:InSearchOf
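As an added example (not from the thread, and not the router's actual configuration): one way to do what the question describes on an IOS router, where the default route points at the tunnel interface, is to add a more specific static route for the vendor's host via the ISP-facing interface plus a NAT rule scoped to that host. All addresses and interface names here are constructed placeholders.

```cisco
! Assumptions (constructed, not from the post): vendor app host is 203.0.113.10,
! inside LAN is 192.168.10.0/24, FastEthernet0/0 faces the ISP with next hop
! 198.51.100.1, FastEthernet0/1 faces the 2960, tunnel interface is Tunnel0.
!
! Existing default route: everything goes into the IPsec tunnel.
ip route 0.0.0.0 0.0.0.0 Tunnel0
!
! Longest prefix match: a /32 for the vendor host wins over the default, so
! only traffic to that host leaves via the ISP; everything else stays in the tunnel.
ip route 203.0.113.10 255.255.255.255 FastEthernet0/0 198.51.100.1
!
! The bypassed packets carry private source addresses, so they must be NATed
! on the ISP-facing interface. Limit the NAT match to the vendor host only,
! since this traffic also bypasses Websense and the main-office IDS.
ip access-list extended NAT-BYPASS
 permit ip 192.168.10.0 0.0.0.255 host 203.0.113.10
 deny   ip any any
!
ip nat inside source list NAT-BYPASS interface FastEthernet0/0 overload
!
interface FastEthernet0/1
 ip nat inside
!
interface FastEthernet0/0
 ip nat outside
!
! Verify from the router, then compare latency from a workstation with and
! without the /32 route in place:
!   show ip route 203.0.113.10
!   show ip nat translations
```

Remove the /32 route and the NAT entry once the latency comparison is done so the host's traffic goes back through the main-office filtering.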
8 Comments
 
LVL 3

Expert Comment

by:rmconard
ID: 24842777
This is strange.

VPN servers should usually be hooked up to routers. The router provides the connectivity and Internet usage for people coming in through the VPN tunnels.

It sounds to me like what you're asking is how to remove the VPN and put people straight on the Internet. That would work, but only for those already within your LAN.

People on the WAN who are remoting in will not be able to connect if you disable VPN.

Or, maybe I'm not understanding you correctly.

-Ryan


0
 

Author Comment

by:InSearchOf
ID: 24850249
The way we have it is there is just one router at each remote location configured to connect to a VPN router at the main office through a tunnel using IPSEC and 3DES encryption. Users at the remote location connect to a switch which in turn connects to one Ethernet port (private side) and the other Ethernet port connects to the ISP's router (public side). We use Websense for content filtering, a File Server for user home directory and Exchange at the main office. There are no servers at the remote locations.
0
 
LVL 3

Expert Comment

by:rmconard
ID: 24850533
I still don't think I'm getting the full picture.

This whole thing sounds like a LAN, which makes me question why you even have a VPN to begin with.

So let me see if I can draw the picture... you have "remote" offices throughout a territory. The computers at these offices go through a hub/switch, which then connects to a router which is connected to the ISP's modem. This allows external Internet access. Sounds like a normal set up to me.

So now you have the "main" office. At the main office you have all the servers including a file server, Exchange server and content filter (firewall). Again, this sounds normal.

So... if I'm correct so far, then let me ask this question:

At your remote locations, are these locations connected on a WAN to your main location? By this I mean, are they in an MPLS, PIP or Frame Relay set up?

If they are in a WAN with your main location then there is NO need to have anyone from your remote locations connect to your main location through a VPN.

If they are NOT in a WAN with your main location, then the ONLY efficient way to have your remote computers connected to your main location servers is through the VPN tunnel. This essentially creates the WAN configuration.

Get what I'm saying?

-Ryan
0
 

Author Comment

by:InSearchOf
ID: 24853648
Yes Ryan. I get what you are saying. My situation is as you state in the last portion of your comment as they are not on a WAN with our main location. What I am asking is how to exclude certain traffic at one of our remote locations from going through the Tunnel and instead go straight out to the internet, thereby bypassing the filtering and firewall at the main office so I can verify that it is or is not adding excessive latency to our hosted application.
0
 
LVL 3

Expert Comment

by:rmconard
ID: 24854068
Just tell them not to use the VPN.

You said in your above post that they DO have outbound Internet access at these remote locations. In order for them to connect to the main location they need to VPN in, well... just tell them not to do that.

I still don't think we're on the right page together, but it's a simple process. Your remote locations should just be able to turn on the computers, open Internet Explorer and connect to the Internet through the ISP you're paying for WITHOUT having to dial into the VPN. The VPN should be an optional connection and only used to get them connected on the WAN so they can access Exchange and file sharing at the main location.

However, if the VPN is your only option of remoting in, then even though they will have external Internet, they will not be able to get Exchange email and all that.

I hope this makes sense.

-Ryan
0
 

Author Comment

by:InSearchOf
ID: 24858053
Yes Ryan I think we are still not on the same page. My apologies. Let me try and explain myself a little better. What we have at each location is a Cisco 1841 router that is configured to do DHCP with the Router as the Default Gateway. The router is configured to pass all traffic through the Tunnel Interface. Users can not bypass this as the switch is configured with the router as its Default Gateway. If I had an extra port on my router I could connect a workstation with a public IP to test but I don't. I only have two Ethernet ports. One connects to my Cisco 2960 switch for the inside LAN and the other port connects to the ISP's Router. Any suggestions would be greatly appreciated.
0
 
LVL 3

Accepted Solution

by:rmconard (earned 500 total points)
ID: 24858636
Ah, I got it.

The best advice I can offer is to remove the Router and Switch completely, purchase a decent size hub and hook the hub directly to the ISP's modem. Then hook all the workstations to the hub. This will remove the need to VPN in and everyone will have direct Internet access.

Or, buy another router (something small), configure it for direct Internet access, hook it up to the ISP's modem directly and then hook the Cisco 1841 to the new router. Now, the Cisco 1841 should still operate the same as long as the new router is just a plain, basic DHCP router. But, the plus side is that now whatever computers you don't want to use the Tunnel you can just unplug from the switch and plug directly into the new router, which is DHCP.

-Ryan
0
 

Author Comment

by:InSearchOf
ID: 24861758
Ok. The second choice has possibilities. The first choice would cut everyone off the company network. Thanks for the suggestions Ryan.
0
