02-24-2003 08:40 AM - edited 02-20-2020 10:34 PM
Looking for any ideas:
I have installed vpn access on the pix. When the client logs
in from home using their cable connection they can access everything
on the LAN. However, their Internet access does not work through their
local connection.
To fix this I let them point their browser to the inside proxy server on the Network.
My question is, is there a way to let the user access the Internet other than
through the proxy i.e. from their local cable connection?
Thanks
02-24-2003 01:55 PM
Using the windows dial-up vpn connection as the vpn client this is what we did -
Under the configuration of the dial-up connection uncheck the box "Use default gateway on remote network". This is found under the network tab, IP stack properties, advanced.
Then, and here's the trick, you need to create a static route on the client that points to your internal network and goes through the VPN tunnel. To do this manually, have the user connect, then run ipconfig /all or winipcfg to see what his ip address on the VPN adapter is. Then go to a dos prompt and type -
route add xx.xx.xx.xx mask yy.yy.yy.yy zz.zz.zz.zz
Where xx.xx.xx.xx is your internal network and yy.yy.yy.yy is the subnet mask. zz.zz.zz.zz is the vpn adapter ip address assigned by the pix when the user makes the connection.
I actually made a vpn.reg file that adds static routes to our internal network for every possible address doled out by the PIX. We run this registry key on all win2k builds for our consultants and they are able to browse the internet through their local connection while vpnd in, and still get to internal devices without going through the manual fix every time. It does add quite a few static entries (we have 50 ip addresses in our vpn dhcp range) but it doesn't slow the clients down as far as anyone can tell.
Hope this helps
~rls
02-24-2003 02:21 PM
Thanks, I thought about doing that but I was hoping there would
be an easier way. Thanks a lot, I will give it a try.
02-25-2003 01:35 AM
enable split tunnelling
vpngroup groupname split-tunnel 80
This attribute will be pushed to the clients.
02-25-2003 09:54 AM
Split-tunnel will not work with Microsoft's pptp client. Only the Cisco IPSec client.
02-26-2003 08:50 AM
I tried the split tunnel using the 3.5 cisco client but it didn't work.
Is there something else that has to be done on the client ?
02-26-2003 09:00 AM
Actually, what happens is that the session drops after a few seconds
when I try to run explorer. The pix has 32 megs ram, is this a limitation ?
If not what else can I try.
Thanks again
02-26-2003 11:48 AM
What does your split-tunnel command look like? It should be -
vpngroup name split-tunnel acl
Where name is the name of the associated vpngroup, and acl is the access-list that permits traffic between your internal network and the vpn ip pool.
The 32megs is not a limitation, at least not in my experience with a PIX 515 running 6.2(1).
~rls
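Added example, not part of the original posts: a PIX 6.x fragment showing how the split-tunnel ACL described above ties to the vpngroup. The group name, pool name, ACL number and all addresses are constructed placeholders; the ACL should list only the internal networks that need to cross the tunnel, since everything it does not match leaves through the client's local connection.

```cisco
!--- Constructed values (assumptions, not from the thread's devices):
!---   inside LAN 192.168.1.0/24, VPN pool 10.10.10.1-10.10.10.50,
!---   group "groupname", pool "vpnpool", ACL 80.
!
!--- ACL permitting traffic between the internal network and the VPN pool.
access-list 80 permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
!
!--- Addresses handed to VPN clients.
ip local pool vpnpool 10.10.10.1-10.10.10.50
!
!--- Do not translate LAN-to-pool traffic.
nat (inside) 0 access-list 80
!
!--- Bind the pool to the group and push the ACL as the split-tunnel list.
!--- Only traffic matching ACL 80 is sent through the tunnel.
vpngroup groupname address-pool vpnpool
vpngroup groupname split-tunnel 80
```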
02-26-2003 11:59 AM
I have the same config.
02-26-2003 01:13 PM
I had another person try it from their machine and it works fine using the
split-tunnel.
But for some reason it's not working from my laptop. I guess it's one of those
mysteries that can be solved another time.
When do you think cisco will support split-tunneling for pptp on Microsoft clients ?
Thanks guys
02-26-2003 01:30 PM
I don't think Cisco can address the split tunneling issue with microsoft's pptp client. They would have to rewrite the client to accept a routing change that passed all traffic destined for the private network through the tunnel and everything else through the normal default router.
Microsoft would need to change their software to accommodate this. Some other option besides "Use default gateway on remote network".
Let us know if you ever figure out why your laptop configuration isn't working with the split-tunnel.
~rls
03-03-2003 05:02 AM
Hi,
This works for me as well. Did exactly what 0snaric mentioned. Thanks 0snaric.
Raj