Configure certain traffic not to use VPN tunnel

We have our remote locations that connect to our main site through a VPN tunnel to make use of web filtering, email, home directories, IDS, etc. There is a hosted time keeping application that is experiencing some latency issues and the vendor is claiming the problem is not at their end. I need to prove to them that it is. Is there a way to route that particular traffic to go straight out to the internet instead of the VPN? My IP Route 0.0.0.0 0.0.0.0 statement uses the tunnel interface with an associated access list.
InSearchOfAsked:

rmconardCommented:
This is strange.

VPN servers should usually be hooked up to routers. The router provides the connectivity and Internet usage for people coming in through the VPN tunnels.

It sounds to me like what you're asking is how to remove the VPN and put people straight on the Internet. That would work, but only for those already within your LAN.

People on the WAN who are remoting in will not be able to connect if you disable VPN.

Or, maybe I'm not understanding you correctly.

-Ryan


0
InSearchOfAuthor Commented:
The way we have it is there is just one router at each remote location configured to connect to a VPN router at the main office through a tunnel using IPSEC and 3DES encryption. Users at the remote location connect to a switch which in turn connects to one Ethernet port (private side) and the other Ethernet port connects to the ISP's router (public side). We use Websense for content filtering, a File Server for user home directory and Exchange at the main office. There are no servers at the remote locations.
0
rmconardCommented:
I still don't think I'm getting the full picture.

This whole thing sounds like a LAN, which makes me question why you even have a VPN to begin with.

So let me see if I can draw the picture... you have "remote" offices throughout a territory. The computers at these offices go through a hub/switch, which then connects to a router which is connected to the ISP's modem. This allows external Internet access. Sounds like a normal set up to me.

So now you have the "main" office. At the main office you have all the servers including a file server, Exchange server and content filter (firewall). Again, this sounds normal.

So... if I'm correct so far, then let me ask this question:

At your remote locations, are these locations connected on a WAN to your main location? By this I mean, are they in an MPLS, PIP or Frame Relay set up?

If they are in a WAN with your main location then there is NO need to have anyone from your remote locations connect to your main location through a VPN.

If they are NOT in a WAN with your main location, then the ONLY efficient way to have your remote computers connected to your main location servers is through the VPN tunnel. This essentially creates the WAN configuration.

Get what I'm saying?

-Ryan
0
InSearchOfAuthor Commented:
Yes Ryan. I get what you are saying. My situation is as you state in the last portion of your comment as they are not on a WAN with our main location. What I am asking is how to exclude certain traffic at one of our remote locations from going through the Tunnel and instead go straight out to the internet, thereby bypassing the filtering and firewall at the main office so I can verify that it is or is not adding excessive latency to our hosted application.
0
rmconardCommented:
Just tell them not to use the VPN.

You said in your above post that they DO have outbound Internet access at these remote locations. In order for them to connect to the main location they need to VPN in, well... just tell them not to do that.

I still don't think we're on the right page together, but it's a simple process. Your remote locations should just be able to turn on the computers, open Internet Explorer and connect to the Internet through the ISP you're paying for WITHOUT having to dial into the VPN. The VPN should be an optional connection and only used to get them connected on the WAN so they can access Exchange and file sharing at the main location.

However, if the VPN is your only option of remoting in, then even though they will have external Internet, they will not be able to get Exchange email and all that.

I hope this makes sense.

-Ryan
0
InSearchOfAuthor Commented:
Yes Ryan, I think we are still not on the same page. My apologies. Let me try and explain myself a little better. What we have at each location is a Cisco 1841 router that is configured to do DHCP with the Router as the Default Gateway. The router is configured to pass all traffic through the Tunnel Interface. Users cannot bypass this as the switch is configured with the router as its Default Gateway. If I had an extra port on my router I could connect a workstation with a public IP to test but I don't. I only have two Ethernet ports. One connects to my Cisco 2960 switch for the inside LAN and the other port connects to the ISP's Router. Any suggestions would be greatly appreciated.
0
rmconardCommented:
Ah, I got it.

The best advice I can offer is to remove the Router and Switch completely, purchase a decent size hub and hook the hub directly to the ISP's modem. Then hook all the workstations to the hub. This will remove the need to VPN in and everyone will have direct Internet access.

Or, buy another router (something small), configure it for direct Internet access, hook it up to the ISP's modem directly and then hook the Cisco 1841 to the new router. Now, the Cisco 1841 should still operate the same as long as the new router is just a plain, basic DHCP router. But, the plus side is that now whatever computers you don't want to use the Tunnel you can just unplug from the switch and plug directly into the new router, which is DHCP.

-Ryan
0

InSearchOfAuthor Commented:
Ok. The second choice has possibilities. The first choice would cut everyone off the company network. Thanks for the suggestions Ryan.
0
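A router-only way to do what the question asks, as an added example that is not part of the original thread or any poster's configuration: on the Cisco 1841, a host route plus NAT overload sends only the hosted application's traffic straight to the ISP, while the default route keeps everything else in the tunnel. The interface names, the LAN subnet 192.168.10.0/24, the application address 203.0.113.50 and the ISP next hop 198.51.100.1 are placeholders (assumptions), as is the ACL name.

```cisco
! Added example. Every address, interface and ACL name is a placeholder:
!   192.168.10.0/24   remote-site LAN (assumed)
!   203.0.113.50      hosted time keeping application (assumed)
!   198.51.100.1      ISP router, next hop on the public side (assumed)
!   Fa0/0 = LAN side, Fa0/1 = ISP side (assumed)
!
! 1. Match only LAN-to-application traffic, nothing else.
ip access-list extended TIMEKEEPING-DIRECT
 permit ip 192.168.10.0 0.0.0.255 host 203.0.113.50
!
! 2. Translate that traffic to the router's public address.
!    Private LAN addresses are not routable once they leave the tunnel.
!    Traffic routed into the tunnel never crosses the "nat outside"
!    interface unencapsulated, so it is not translated.
interface FastEthernet0/0
 ip nat inside
interface FastEthernet0/1
 ip nat outside
ip nat inside source list TIMEKEEPING-DIRECT interface FastEthernet0/1 overload
!
! 3. Host route. A /32 is more specific than the 0.0.0.0/0 route through
!    the tunnel interface, so longest-prefix match prefers it for this
!    one destination only.
ip route 203.0.113.50 255.255.255.255 198.51.100.1
!
! If an inbound ACL on Fa0/1 permits only the VPN peer, return traffic
! from 203.0.113.50 must also be permitted there for the test to work.
!
! Verify from exec mode:
!   show ip route 203.0.113.50      (next hop should be 198.51.100.1)
!   show ip nat translations        (entries appear once a client connects)
!   traceroute 203.0.113.50         (path should no longer enter the tunnel)
!
! Roll back after the measurement:
!   no ip route 203.0.113.50 255.255.255.255 198.51.100.1
!   no ip nat inside source list TIMEKEEPING-DIRECT interface FastEthernet0/1 overload
!   no ip access-list extended TIMEKEEPING-DIRECT
```

Traffic matched here no longer passes the main-office Websense filter, firewall or IDS, so keep the ACL scoped to the single application host and remove the route and NAT rule once the latency comparison is done.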