Cannot connect to internet while VPN client is connected.

Feb 16th, 2007

Now that I have my VPN client working correctly behind the PIX I have a new problem.

I cannot connect to the internet while connected to the remote VPN server. Is this because I'm 'pushing' the other network's DNS, WINS, and gateway to the clients when they connect?


You don't specify which PIX software version you're running, so I am assuming it is version 6.3+. If this is the case, then what you're missing is known as 'split-tunneling'. By adding the following, you'll be able to connect to your PIX using the VPN client whilst also accessing the internet.

From a security point of view, I wouldn't allow this! I would rather allow access via a proxy within your secure LAN, i.e. when you're connected via the client to your LAN, set your internet browser to point to an internal proxy IP address, and hence all internet browsing traffic will traverse via the encrypted tunnel.

! Traffic between the inside LAN (10.0.0.0/24) and the VPN client pool
! (172.16.200.0/27); PIX 6.3 uses real subnet masks here, not wildcard masks
access-list 101 permit ip 10.0.0.0 255.255.255.0 172.16.200.0 255.255.255.224
! Exempt that traffic from NAT so it can enter the tunnel untranslated
nat (inside) 0 access-list 101
! Push the networks in access-list 101 to the client as secured routes;
! <vpn-group-name> is the name of your existing vpngroup
vpngroup <vpn-group-name> split-tunnel 101

If you're using PIX/ASA version 7.0+ then take a look here:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml

Also, if you have not already done so, I would enable NAT traversal. This will help if your VPN client connection encounters a NAT device along the path, as NAT and IPsec don't go hand-in-hand!!

i.e.

isakmp nat-traversal

Hope this helps and please rate posts!

Jay
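To make the split-tunnel behaviour concrete, here is an added Python example (not from the thread or from Cisco): it parses the PIX 6.3 access-list line above, works out which secured routes a client in the 172.16.200.0/27 pool would receive, and shows where a given destination goes. With no split-tunnel list every packet, internet-bound ones included, is sent into the tunnel, which is the behaviour the original poster describes. The sample ACL line and client/destination addresses are constructed for the demonstration; the function names are this example's own.

```python
import ipaddress

# Constructed sample input: the split-tunnel ACL from the post.
# PIX 6.3 ACLs use real subnet masks, not IOS-style wildcard masks.
SAMPLE_ACL = [
    "access-list 101 permit ip 10.0.0.0 255.255.255.0 172.16.200.0 255.255.255.224",
]


def parse_pix_acl(lines):
    """Return (acl_name, [(src_network, dst_network), ...]) for the
    'permit ip <src> <mask> <dst> <mask>' entries of a PIX 6.3 access-list."""
    name = None
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) != 8 or parts[0] != "access-list" or parts[2:4] != ["permit", "ip"]:
            continue  # not a plain 'permit ip' entry; ignore for this demo
        name = parts[1]
        # ipaddress accepts an (address, netmask) tuple, matching PIX syntax
        src = ipaddress.ip_network((parts[4], parts[5]), strict=False)
        dst = ipaddress.ip_network((parts[6], parts[7]), strict=False)
        entries.append((src, dst))
    return name, entries


def secured_routes(entries, client_ip):
    """Secured routes pushed to a client: the ACL source networks whose
    destination side covers the client's pool address."""
    client = ipaddress.ip_address(client_ip)
    return [src for src, dst in entries if client in dst]


def path_for(dest_ip, routes):
    """'tunnel' if the destination matches a secured route, otherwise 'direct'.
    An empty route list models 'no split-tunnel configured': full tunnel."""
    if not routes:
        return "tunnel"
    dest = ipaddress.ip_address(dest_ip)
    return "tunnel" if any(dest in r for r in routes) else "direct"


def is_full_tunnel(routes):
    """True if the policy secures 0.0.0.0/0, i.e. it is not really split."""
    return any(r.prefixlen == 0 for r in routes)


if __name__ == "__main__":
    acl_name, entries = parse_pix_acl(SAMPLE_ACL)
    routes = secured_routes(entries, "172.16.200.5")  # constructed pool address
    print(f"ACL {acl_name} -> secured routes {[str(r) for r in routes]}")
    for dest in ("10.0.0.25", "198.51.100.10"):  # LAN host, internet host
        print(f"split tunnel : {dest} -> {path_for(dest, routes)}")
        print(f"no split list: {dest} -> {path_for(dest, [])}")
    print("full tunnel?", is_full_tunnel(routes))
```

The `is_full_tunnel` check is there because an ACL whose source is `0.0.0.0 0.0.0.0` pushes a default secured route, which gives the proxy-style behaviour Jay prefers rather than split tunnelling; it is worth confirming which of the two you actually configured.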

Mrkaprino Sun, 02/18/2007 - 09:40

I have a similar problem: there is no problem connecting directly from the internet, but when connecting from behind a PIX firewall, the user can only establish the remote VPN tunnel and cannot access anything, even DNS.

I already checked the VPN access list for that remote VPN connection and it looks good. Is it a NATing issue or a firewall issue?

Thanks,

Kaprino

kaachary Mon, 02/19/2007 - 04:01

hi,

You have to enable "isakmp nat-t" on the headend PIX and make sure "Enable Transparent Tunneling" is checked on the VPN client.

That should do it!

HTH,

-Kanishka
