
PIX, VPN, PPTP/ Client can't browse external site while connected.

acaicedo
Level 1

Pix 506E, PPTP vpn.

While connected client can't browse external sites via IP or DNS. The addresses are good and working.

Client can connect and authenticate. Client can browse internal web servers via internal IP address. I tried to follow the Cisco examples; am I missing an access-list entry or NAT...

Thank you in advance,

AC

4 Replies

gfullage
Cisco Employee

PPTP is a point-to-point protocol, in that once a PPTP tunnel is established ALL traffic goes over that tunnel. There is no concept of split tunnelling in PPTP similar to what you can achieve with IPSec. So, as I said, all traffic from your PC will go over the PPTP tunnel to the PIX.

In addition to this, the PIX will not route a packet back out the same interface it came in on, that includes traffic coming in over a PPTP tunnel and then going back out in the clear to the Internet. No way around it unfortunately.

If you want a VPN and concurrent Internet access, you're better off implementing IPSec on the PIX and doing split tunnelling.
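As an added example, not configuration from the original thread or from the Cisco reply, this is what the split-tunnel IPsec remote-access setup recommended above looks like in PIX 6.x syntax (the 506E cannot run anything newer). Every address, the group name "officevpn", the user name and the passwords are placeholders chosen for the illustration: 192.168.1.0/24 stands for the inside LAN and 192.168.50.0/24 for the client pool. The split-tunnel access-list is what keeps Internet-bound client traffic off the tunnel, and the same list doubles as the NAT-exemption list so inside hosts answer clients untranslated, which covers the "missing access-list or NAT" part of the question.

```cisco
! Assumed addressing (not from the thread): inside LAN 192.168.1.0/24,
! VPN client pool 192.168.50.0/24, client group name "officevpn".

! Traffic that belongs in the tunnel: inside LAN <-> client pool.
! Referenced twice below: as the split-tunnel list and as the NAT-exemption list.
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0

! Addresses handed out to VPN clients.
ip local pool ippool 192.168.50.1-192.168.50.254

! Do not translate inside hosts when they talk to VPN clients.
nat (inside) 0 access-list 101

! Let decrypted IPsec traffic bypass the outside interface access-list.
sysopt connection permit-ipsec

! Phase 2: transform set, dynamic map for clients with unknown addresses,
! and per-user XAUTH against the local database (a group password alone
! is shared by everyone and is not per-user authentication).
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client authentication LOCAL
crypto map mymap interface outside
username alice password ChangeMe123

! Phase 1 (PIX 6.x-era parameters: 3DES/SHA-1/group 2 were the strongest available).
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Client group: pool, DNS, and the split-tunnel list. Without the
! split-tunnel line the client sends all traffic, Internet-bound included,
! down the tunnel, and the PIX drops it for the same reason the PPTP
! traffic is dropped: it would have to go back out the interface it came in on.
vpngroup officevpn address-pool ippool
vpngroup officevpn dns-server 192.168.1.2
vpngroup officevpn default-domain example.com
vpngroup officevpn split-tunnel 101
vpngroup officevpn idle-time 1800
vpngroup officevpn password GroupSecret
```

The trade-off to be clear about: with split tunnelling the client's Internet traffic never passes the office perimeter, so the remote machine is simultaneously on the Internet and on the inside LAN, and its own host firewall and patch state carry the weight the PIX would otherwise carry. If that is unacceptable, the only way to force client Internet traffic through the office egress on this platform is the separate-device design described later in the thread.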

Thank you for your response. I was hoping that clients could use the network resources but also have access to the internet but from inside the network as if they are here in the office. I was hoping to avoid them gaining direct access to the internet while connected to our VPN. I might not be asking the right question?

AC

No, you're asking the right question, you just can't do it. When the PIX receives the packet over the PPTP tunnel destined for an Internet site, it has to re-route that packet back out the same interface it came in on because that's where its default route is pointing. The PIX can't do this and the packet is dropped.

There's no way to have the packet go inside the PIX to an internal router then be re-routed back either, because that would mean you'd have to set your default route on the PIX to that internal router, which would stop your inside users going to the Internet in much the same way.

You will hit this limitation whether you use IPsec or PPTP if you don't want them to do split tunnelling.

What a lot of companies do is put a VPN3000 concentrator or router in parallel with the PIX, and have your PPTP sessions terminate on that device, and if the packets are destined for the Internet they can be routed out through the PIX just like any other traffic. Your internal users just use the PIX for outbound Internet traffic as normal.

Thank you. You have saved me hours and hours I'm sure.