Cisco VPN client, PIX and proxy

Answered Question
Jul 18th, 2007

Hi. I have the following problem in my company. We have users that are going through a proxy server located on the DMZ side of a PIX to the internet (allowed through the DMZ ACL to the outside etc.). That works great.

The problem arises when they use a Cisco VPN client to connect to another company and they cannot access the Internet anymore but can work over VPN on a remote site (Cisco client has been allowed through the PIX). Everything returns to normal when they don't use the VPN client anymore.

Any ideas why this would happen?

mattiaseriksson Wed, 07/18/2007 - 02:44

I have an idea. The default behaviour of the Cisco VPN Client is to tunnel everything to the remote site. If your users only want to tunnel some traffic and access your own network at the same time, they would have to configure split-tunneling at the remote vpn site. Not all companies allow that though, you have to find out.

IgorHamzic Wed, 07/18/2007 - 03:06

And one more thing that I just noticed is that if you disable the proxy in the Internet browser you can browse the Internet and do the work over VPN. Did on my PC though as few of us can access the Internet without the use of a proxy.

Don't know if it's connected to the split tunnel story though.

Correct Answer
mattiaseriksson Wed, 07/18/2007 - 03:29

Without the proxy either you browse the internet over the vpn connection, or split-tunnel is configured and you exit locally. In case split-tunnel is configured, the proxy-server ip address could be overlapping with the remote protected network.

Fortunately it is easy for you to find out how the vpn is configured, just check the route details tab of the vpn client's statistics.

Checking the local PC routing table will also help you troubleshoot this issue.
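
The routing-table check suggested in the answer above, as an added example that is not part of the original thread: it parses IPv4 rows in the `route print` layout and uses longest-prefix match to tell whether traffic to the proxy leaves through the VPN adapter or the local interface. The sample table and every address in it are constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: IPv4 rows in the layout printed by `route print` on a
# Windows PC with a split-tunnel VPN up. All addresses are made up.
SAMPLE_ROUTES = """\
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
      192.168.1.0    255.255.255.0         On-link    192.168.1.50    281
         10.0.0.0        255.0.0.0       10.99.0.1      10.99.0.23      1
        10.99.0.0    255.255.255.0         On-link      10.99.0.23    257
"""

def parse_routes(text):
    """Return (network, gateway, interface, metric) for each IPv4 row."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        dest, mask, gateway, iface, metric = fields
        try:
            net = ipaddress.IPv4Network(f"{dest}/{mask}")
            routes.append((net, gateway, ipaddress.IPv4Address(iface), int(metric)))
        except ValueError:
            continue  # header or other non-route line
    return routes

def select_route(routes, target):
    """Longest-prefix match; the lowest metric breaks ties."""
    addr = ipaddress.IPv4Address(target)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[3]))

def proxy_path(routes, proxy_ip, vpn_adapter_ip):
    """Report whether traffic to the proxy uses the VPN adapter or exits locally."""
    best = select_route(routes, proxy_ip)
    if best is None:
        return "unreachable"
    return "vpn" if best[2] == ipaddress.IPv4Address(vpn_adapter_ip) else "local"

if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTES)
    # Constructed proxy address that overlaps the remote protected 10.0.0.0/8.
    print(proxy_path(table, "10.1.1.10", "10.99.0.23"))
```

A result of `vpn` for the proxy address means browser traffic to the proxy is being sent into the tunnel, which is the overlap case described in the answer.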
