cannot access Internet when connected to VPN

Answered Question
Oct 28th, 2005

I've got a PIX 501 set up as a VPN remote server. I've been passing the DHCP options it's getting from my ISP to its DHCP clients, including the default gateway. I inserted that default route statically, but it didn't help. What am I missing to get the VPN clients access to the Internet as well as to the VPN network without enabling split tunneling? Other than the IP address pool, I don't see where I can pass IP configuration parameters to VPN clients. I've attached my config.


Thank you,


Bill



Correct Answer
jackko Fri, 10/28/2005 - 07:38
User Badges:
  • Gold, 750 points or more

To configure split tunneling, you'll need to create an ACL and apply it to the vpngroup.

e.g.

access-list split permit ip
vpngroup test address-pool vpn
vpngroup test dns-server 68.87.75.194 68.87.64.196
vpngroup test default-domain hsd1.pa.comcast.net
vpngroup test split-tunnel split
vpngroup test idle-time 1800
vpngroup test password ********

Alternatively, if you prefer not to configure split tunneling, one workaround is to deploy a proxy server at the head office; all remote VPN clients then point to the proxy for internet browsing after the VPN is established.

Another point to note is that the VPN client pool shall not be under the same IP scheme as the PIX inside subnet.
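The two configuration points in this answer (a split-tunnel ACL bound to the vpngroup, and a client pool that does not sit inside the PIX inside subnet) can be checked mechanically. The following is an added example, not jackko's code or the poster's attachment: it lints a constructed PIX 6.x config fragment for a pool that overlaps the inside subnet, a split-tunnel ACL that is missing, and an ACL that permits "any" source (which tunnels everything and defeats the split).

```python
import ipaddress
import re

# Constructed sample PIX 6.x fragment reproducing the pool mistake from the thread
# (the poster's actual attachment is not on the page).
SAMPLE_CONFIG = """
ip address inside 192.168.1.1 255.255.255.0
ip local pool vpn 192.168.1.200-192.168.1.220
access-list split permit ip 192.168.1.0 255.255.255.0 any
vpngroup test address-pool vpn
vpngroup test split-tunnel split
"""

def parse_config(text):
    """Collect the inside subnet, address pools, ACL entries and split-tunnel bindings."""
    inside, pools, acls, split = None, {}, {}, {}
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"ip address inside (\S+) (\S+)$", line):
            inside = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)$", line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"access-list (\S+) permit ip (.+)$", line):
            acls.setdefault(m[1], []).append(m[2].split())
        elif m := re.match(r"vpngroup (\S+) split-tunnel (\S+)$", line):
            split[m[1]] = m[2]
    return inside, pools, acls, split

def lint(text):
    """Return a list of findings; an empty list means the checked points look sane."""
    inside, pools, acls, split = parse_config(text)
    findings = []
    for name, (lo, hi) in pools.items():
        # The answer's last point: the client pool must not live in the inside subnet.
        if inside is not None and (lo in inside or hi in inside):
            findings.append(f"pool {name} overlaps inside subnet {inside}")
    for group, acl in split.items():
        if acl not in acls:
            findings.append(f"vpngroup {group} binds missing access-list {acl}")
            continue
        for entry in acls[acl]:
            # 'permit ip any ...' or a 0.0.0.0 0.0.0.0 source sends every destination
            # through the tunnel, so nothing is actually split.
            if entry[0] == "any" or entry[:2] == ["0.0.0.0", "0.0.0.0"]:
                findings.append(f"access-list {acl} permits any source: nothing is split")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```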

WILLIAM STEGMAN Tue, 11/01/2005 - 08:20
Thank you, the split tunneling works, but in regard to setting up a different subnet for the VPN clients, after trying that, clients are unable to make a connection. Only after changing the pool to be part of the inside interface are they able to connect. It gets to securing the communication channel and then just disconnects. The new configuration is attached. Keep in mind that I'm forwarding ISAKMP, ESP, and AH traffic from a business cable modem to the outside interface of my PIX, 10.1.10.10.