Castlewood asked:
How to use VPN's gateway while connecting internet from home?

We set up an ACL on the firewall at headquarters (HQ) to allow the branch office's public IP in to access a web server at HQ, so users inside the branch office can access the web server without a problem. But when they go home, even with the VPN connected to the branch office, they are still not able to access that web server at HQ, because it is the public IP of their home network, instead of the branch office's public IP, that they use to access the Internet.
Of course we could open all the users' home public IPs in the HQ firewall, but we don't want to do that. Is there a way for users at home with the VPN connected to the branch office to be able to access the web server at HQ?
Kaffiend (accepted solution; answer text available to members only)
Reece:
Or connect to the VPN, get the local IP address of the web server, and set that up in your home users' hosts file so that any lookups for work.web.corp are resolved directly to the web server's local IP rather than the WAN IP.
Also consider using an IPsec VPN with split tunneling. That avoids this problem altogether.
Hi there,

My opinion would be to implement the below:

i) Remote VPN configuration on the branch office with a separate dynamic pool allotted for the same.
ii) Site-to-site VPN between the headquarters and the branch office. This would ensure privacy in the communication.

Ensure that the VPN pool is defined in the interesting-traffic configuration.
Castlewood (asker):
Kaffiend,

You mentioned "If your firewall supports it, have it so that connected VPN clients tunnel everything through the VPN".

Can you advise which function or feature I should enable on my SonicWall firewall for this purpose?
(Solution text available to members only.)
Thanks.
This does work, but in some cases web browsing becomes quite slow while everything tunnels through our VPN. In particular, this branch office is in China. All their traffic with the VPN connected will be routed via the tunnel to our VPN server in Maryland, US, and it does cost speed.
To work around this, I have been trying to figure out how to use the following command to add a persistent route, so users at home can simply run it and access this web appliance (xxx.xxx.xx.201) via our branch office's IP range, which is whitelisted at HQ:

route -p ADD xxx.xxx.xx.201 MASK 255.255.255.255 vpn_gateway IF 32

The problem is, I don't know how to get the vpn_gateway in a script, since the VPN connection most of the time only shows "On-link" as the gateway.
Can you help?
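The "On-link" gateway the asker sees is the normal case for a VPN adapter: Windows binds routes over a tunnel to the interface, not to a next-hop address, so the script should look up the VPN adapter's interface index rather than a gateway IP. The following PowerShell is an added example written for this answer, not code from the thread or from SonicWall. It assumes the SonicWall client shows up in Get-NetAdapter under a name or description matching the pattern below (adjust it to what your machine shows), that the branch firewall NATs VPN-client traffic out of its WAN so HQ sees the branch public IP, and it uses 203.0.113.201 (documentation range) as a stand-in for the real appliance address.

```powershell
<#
  Added example, not from the original thread: add a persistent /32 route for
  the HQ web appliance that points out the VPN adapter, selected by interface
  index. Next hop 0.0.0.0 is what "On-link" means in the route table, so no
  gateway address is needed.

  Assumptions (not stated in the thread):
    - the SonicWall client exposes a virtual adapter whose Name or
      InterfaceDescription matches $VpnAdapterPattern;
    - the branch firewall allows VPN clients out to the Internet via its WAN,
      so the request reaches HQ from the whitelisted branch public IP;
    - $WebServerIp defaults to a documentation-range placeholder, not the
      real appliance address.
  Run from an elevated PowerShell session (New-NetRoute requires admin).
#>
param(
    [string]$WebServerIp       = '203.0.113.201',
    [string]$VpnAdapterPattern = 'SonicWall|NetExtender'
)

# Locate the connected VPN adapter; stop with a clear message if the VPN is down.
$vpn = Get-NetAdapter |
    Where-Object {
        $_.Status -eq 'Up' -and
        ($_.Name -match $VpnAdapterPattern -or $_.InterfaceDescription -match $VpnAdapterPattern)
    } |
    Select-Object -First 1
if (-not $vpn) {
    throw "No connected adapter matches '$VpnAdapterPattern'; connect the VPN first."
}
Write-Host "Using VPN adapter '$($vpn.Name)' (ifIndex $($vpn.ifIndex))"

$prefix = "$WebServerIp/32"

# Drop any stale host route for this address (for example one left behind when
# the adapter had a different ifIndex). Guarded so an empty result never
# reaches Remove-NetRoute without a filter.
$stale = Get-NetRoute -DestinationPrefix $prefix -ErrorAction SilentlyContinue
if ($stale) {
    $stale | Remove-NetRoute -Confirm:$false
}

# Bind the /32 to the VPN interface. New-NetRoute writes to both the active and
# the persistent store, so the route survives a reboot; this is the equivalent
# of:  route -p ADD <ip> MASK 255.255.255.255 0.0.0.0 IF <ifIndex>
New-NetRoute -DestinationPrefix $prefix -InterfaceIndex $vpn.ifIndex `
             -NextHop '0.0.0.0' -RouteMetric 1 | Out-Null

# Verify: the active route, and the persistent copy that will be restored on boot.
Get-NetRoute -DestinationPrefix $prefix |
    Format-Table DestinationPrefix, InterfaceIndex, NextHop, RouteMetric -AutoSize
Get-NetRoute -DestinationPrefix $prefix -PolicyStore PersistentStore |
    Format-Table DestinationPrefix, InterfaceIndex, NextHop -AutoSize
```

Two caveats a practitioner should check before rolling this out. First, the route only changes which interface the packets leave on; whether they exit the branch with the branch public IP depends on the branch SonicWall being willing to NAT VPN-client traffic out of its WAN, which is exactly the behaviour the full-tunnel "default route" option turns on, so test one client end to end. Second, a persistent route is keyed to the interface index, so if the VPN adapter is ever reinstalled and gets a new index the script has to be re-run, which is why it removes and re-adds the /32 rather than assuming the old one is still correct.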
Hi there,

Kindly confirm how your branch and HQ are connected.

E.g., consider a remote VPN pool of 10.10.10.1 - 10.10.10.10.

A user connects to the branch office and gets the IP 10.10.10.2.
If the HQ firewall has an access-list permitting the 10.10.10.x subnet to access the web server, then things should be good to go...
(Solution text available to members only.)
On the SonicWall VPN server we can check "Set Default Route as this Gateway", but it will route all of the clients' traffic via our HQ. Later we figured out we can:
1. Set up an RDP server at HQ; after clients connect to the VPN they connect to the RDP server to run the web app, so the IP will be HQ's.
2. On the HQ IIS server, put a link to the web app on the web page so users can click it, and the IP used will be HQ's.