We hadn't looked at it this way yet.  Going to give it a try this afternoon.
Thanks 

-----Original Message-----
From: Davies,Matt [mailto:[email protected]] 
Sent: Thursday, May 21, 2009 2:23 PM
To: NT System Admin Issues
Subject: RE: Cheap/Free Simple Web Proxy Server?

I'm presuming that both ends of the VPN are Cisco ASAs; if so, it should be 
simple.

You won't need to change any IP routes on the ASA on the remote site, all you 
need to change is what traffic gets pushed over the VPN tunnel.

There are two access lists you will need to change: the one that is associated 
with the crypto map, and the one that is associated with the nat statement.

You will also need to make sure that the main site default gateway knows how 
to get to the remote site via the ASA on the main site.


Here is a config I have taken from the Cisco website. In theory, if you change 
the "172.16.1.0 255.255.255.0" in both the access lists to "0.0.0.0 0.0.0.0" it 
should work.


interface Ethernet0
 nameif outside
 security-level 0
 ip address 10.10.10.1 255.255.255.0

!--- Configure the outside interface.
!

interface Ethernet1
 nameif inside
 security-level 100
 ip address 172.22.1.163 255.255.255.0


access-list inside_nat0_outbound extended permit ip 172.22.1.0 255.255.255.0 172.16.1.0 255.255.255.0

!--- This access list (inside_nat0_outbound) is used with the nat zero command.
!--- This prevents traffic which matches the access list from undergoing
!--- network address translation (NAT).  The traffic specified by this ACL is
!--- traffic that is to be encrypted and
!--- sent across the VPN tunnel.  This ACL is intentionally
!--- the same as (outside_cryptomap_20).
!--- Two separate access lists should always be used in this configuration.

access-list outside_cryptomap_20 extended permit ip 172.22.1.0 255.255.255.0 172.16.1.0 255.255.255.0

!--- This access list (outside_cryptomap_20) is used with the crypto map
!--- outside_map to determine which traffic should be encrypted and sent
!--- across the tunnel.
!--- This ACL is intentionally the same as (inside_nat0_outbound).
!--- Two separate access lists should always be used in this configuration.


nat (inside) 0 access-list inside_nat0_outbound

!--- NAT 0 prevents NAT for networks specified in the ACL inside_nat0_outbound.


route outside 0.0.0.0 0.0.0.0 10.10.10.2 1


!--- PHASE 2 CONFIGURATION ---!
!--- The encryption types for Phase 2 are defined here.


crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

!--- Define the transform set for Phase 2.



crypto map outside_map 20 match address outside_cryptomap_20

!--- Define which traffic should be sent to the IPsec peer.


crypto map outside_map 20 set peer 10.20.20.1

!--- Sets the IPsec peer


crypto map outside_map 20 set transform-set ESP-AES-256-SHA

!--- Sets the IPsec transform set "ESP-AES-256-SHA"
!--- to be used with the crypto map entry "outside_map".


crypto map outside_map interface outside

!--- Specifies the interface to be used with
!--- the settings defined in this configuration.


!--- PHASE 1 CONFIGURATION ---!

!--- This configuration uses isakmp policy 10.
!--- Policy 65535 is included in the config by default.
!--- The configuration commands here define the Phase
!--- 1 policy parameters that are used.


isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400

isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400



tunnel-group 10.20.20.1 type ipsec-l2l

!--- In order to create and manage the database of connection-specific records
!--- for ipsec-l2l-IPsec (LAN-to-LAN) tunnels, use the tunnel-group
!--- command in global configuration mode.
!--- For L2L connections the name of the tunnel group MUST be the IP
!--- address of the IPsec peer.



tunnel-group 10.20.20.1 ipsec-attributes
 pre-shared-key *

!--- Enter the pre-shared-key in order to configure the authentication method.

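A consistency check for the two access lists discussed above, added here as an example; it is not part of Matt's message or of Cisco's documentation. It assumes the ASA syntax shown in the snippet, uses a constructed sample config (the nat 0 and crypto-map ACLs already widened to 0.0.0.0 0.0.0.0), and reports when the two ACLs differ, when one ACL is reused for both, or when the crypto ACL does not cover all traffic:

```python
import re
from collections import defaultdict

# Constructed sample, not a real device's config: the two ACLs from the message
# above, already widened to 0.0.0.0 0.0.0.0 so that all remote traffic is tunnelled.
SAMPLE_CONFIG = """
access-list inside_nat0_outbound extended permit ip 172.22.1.0 255.255.255.0 0.0.0.0 0.0.0.0
access-list outside_cryptomap_20 extended permit ip 172.22.1.0 255.255.255.0 0.0.0.0 0.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 10.20.20.1
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
CRYPTO_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")

def parse(config):
    """Collect ACL entries, nat 0 exemptions and crypto-map match statements."""
    acls, nat0, crypto = defaultdict(list), {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls[m.group(1)].append(m.groups()[1:])            # (src, smask, dst, dmask)
        elif m := NAT0_RE.match(line):
            nat0[m.group(1)] = m.group(2)                      # interface -> ACL name
        elif m := CRYPTO_RE.match(line):
            crypto[(m.group(1), int(m.group(2)))] = m.group(3)  # (map, seq) -> ACL name
    return acls, nat0, crypto

def check_tunnel_acls(config):
    """Return a list of findings for each crypto-map entry; empty means the nat 0
    ACL and the crypto ACL match and every destination is sent to the peer."""
    acls, nat0, crypto = parse(config)
    findings = []
    for (cmap, seq), c_acl in crypto.items():
        for n_acl in nat0.values():
            if n_acl == c_acl:
                findings.append(f"{cmap} {seq}: {c_acl} is reused for nat 0; use two separate ACLs")
            elif sorted(acls[n_acl]) != sorted(acls[c_acl]):
                findings.append(f"{cmap} {seq}: {n_acl} and {c_acl} differ; tunnel traffic may be NATed")
        if not any(e[2:] == ("0.0.0.0", "0.0.0.0") for e in acls[c_acl]):
            findings.append(f"{cmap} {seq}: {c_acl} does not send all traffic (0.0.0.0 0.0.0.0) to the peer")
    return findings

if __name__ == "__main__":
    print(check_tunnel_acls(SAMPLE_CONFIG) or ["ok: ACLs match and all traffic is tunnelled"])
```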

-----Original Message-----
From: N Parr [mailto:[email protected]]
Sent: 21 May 2009 18:45
To: NT System Admin Issues
Subject: RE: Cheap/Free Simple Web Proxy Server?

I guess a little more info is in order.  Our VPN is a hardware (over the 
internet) VPN, not a dedicated WAN.  So the remote gateway of the ASA has to 
be the ISP's gateway in order to find the main office.  If it was a WAN 
connection there wouldn't be any issues to begin with.  So I can't route all 
traffic without breaking my connection to the internet.  I did finally figure 
out that the Barracuda will work as a proxy; I just have to point the client to 
port 8080.  I've looked at Squid in the past and will have to use it if my 
client base grows more, but if that happens there are other things that will 
have to change too, so it will probably be irrelevant anyway.

Thanks
Niles

-----Original Message-----
From: Ben Scott [mailto:[email protected]]
Sent: Thursday, May 21, 2009 10:42 AM
To: NT System Admin Issues
Subject: Re: Cheap/Free Simple Web Proxy Server?

On Thu, May 21, 2009 at 9:16 AM, N Parr <[email protected]> wrote:
> I have a few pc's at a remote location connected via hardware VPN with 
> our ASA's.  I want to set up a simple software proxy on a VM and 
> direct their browsing to it so they have to pass through our Barracuda 
> at the main office for Web filtering.

  In that scenario, I'd agree with what others have said -- why not just route 
*all* traffic over the VPN?  That way you've got just one firewall, at HQ, you 
have to worry about.  Is there some traffic you don't want traversing the VPN?

  I'd also agree that in this scenario, you don't need a web proxy at the 
remote site just for access control -- you can just as easily point IE to use 
your Barracuda at HQ as a local proxy.

  The one thing I'd put a proxy at the remote site for is for caching at the 
remote site, so that frequently-requested pages/objects don't make the trip 
over the VPN as often.  For that, Squid is free and works well.  Configuration 
can be as complex as you want to make it, but for a simple forwarding cache 
with no access control or authentication, it's only a few lines in the config 
file.  I could post an example if you like.

--- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
<http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~






_____________________________________________________________
This e-mail (including all attachments) is confidential and may be privileged. 
It is for the exclusive use of the addressee only. If you are not the 
addressee, you are hereby notified that any dissemination of this communication 
is strictly prohibited. If you have received this communication in error, 
please erase all copies of the message and its attachments and notify us 
immediately at [email protected] <mailto:[email protected]>. 
Thank You.


