pix 515 w/ 6.22 IOS

oevans

Looking for any ideas:

I have installed vpn access on the pix. When the client logs in from home using their cable connection they can access everything on the LAN. However, their Internet access does not work through their local connection.

To fix this I let them point their browser to the inside proxy server on the Network.

My question is, is there a way to let the user access the Internet other than through the proxy, i.e. from their local cable connection?

Thanks


0rsnaric

Using the windows dial-up vpn connection as the vpn client this is what we did -

Under the configuration of the dial-up connection uncheck the box "Use default gateway on remote network". This is found under the network tab, IP stack properties, advanced.

Then, and here's the trick, you need to create a static route on the client that points to your internal network and goes through the VPN tunnel. To do this manually, have the user connect, then run ipconfig /all or winipcfg to see what his ip address on the VPN adapter is. Then go to a dos prompt and type -

route add xx.xx.xx.xx mask yy.yy.yy.yy zz.zz.zz.zz

Where xx.xx.xx.xx is your internal network and yy.yy.yy.yy is the subnet mask. zz.zz.zz.zz is the vpn adapter ip address assigned by the pix when the user makes the connection.

I actually made a vpn.reg file that adds static routes to our internal network for every possible address doled out by the PIX. We run this registry key on all win2k builds for our consultants and they are able to browse the internet through their local connection while vpn'd in, and still get to internal devices without going through the manual fix every time. It does add quite a few static entries (we have 50 ip addresses in our vpn dhcp range) but it doesn't slow the clients down as far as anyone can tell.

Hope this helps

~rls

Thanks, I thought about doing that but I was hoping there would be an easier way. Thanks a lot, I will give it a try.

cocoy

enable split tunnelling

vpngroup groupname split-tunnel 80

This attribute will be pushed to the clients.

Split-tunnel will not work with Microsoft's pptp client. Only the Cisco IPSec client.

I tried the split tunnel using the 3.5 cisco client but it didn't work.

Is there something else that has to be done on the client?

Actually, what happens is that the session drops after a few seconds when I try to run explorer. The pix has 32 megs ram, is this a limitation?

If not what else can I try.

Thanks again

What does your split-tunnel command look like? It should be -

vpngroup name split-tunnel acl

Where name is the name of the associated vpngroup, and acl is the access-list that permits traffic between your internal network and the vpn ip pool.

The 32 megs is not a limitation, at least not in my experience with a PIX 515 running 6.2(1).

~rls
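A PIX 6.2 configuration fragment showing the pieces rls describes (the pool, the access-list between the inside network and the pool, and the vpngroup line that pushes it). This is an added illustration, not config from the thread; the inside network 10.1.0.0/16, the pool 10.9.9.1-10.9.9.50, the group name "remote" and the ACL name are constructed.

```cisco
! Added example, not from the thread: PIX 6.2(x) split-tunnel setup.
! All addresses and names below are constructed for illustration.

! Addresses handed to VPN clients when they connect
ip local pool vpnpool 10.9.9.1-10.9.9.50

! Traffic between the inside network and the VPN pool. Only destinations
! matched here are sent down the tunnel; everything else leaves the client
! through its own local Internet connection.
access-list split_tunnel permit ip 10.1.0.0 255.255.0.0 10.9.9.0 255.255.255.0

! Exempt the same traffic from NAT so inside hosts reply to pool addresses
! directly rather than to a translated address
nat (inside) 0 access-list split_tunnel

! Assign pool addresses and push the split-tunnel list to Cisco IPSec clients
vpngroup remote address-pool vpnpool
vpngroup remote split-tunnel split_tunnel
```

The pool range must fall inside the ACL's destination, otherwise the pushed list matches nothing and clients behave as if split tunnelling were off; as noted above, the Microsoft PPTP client ignores this attribute entirely.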

I have the same config.

I had another person try it from their machine and it works fine using the split-tunnel.

But for some reason it's not working from my laptop. I guess it's one of those mysteries that can be solved another time.

When do you think cisco will support split-tunneling for pptp on Microsoft clients?

Thanks guys

I don't think Cisco can address the split tunneling issue with Microsoft's pptp client. They would have to rewrite the client to accept a routing change that passed all traffic destined for the private network through the tunnel and everything else through the normal default router.

Microsoft would need to change their software to accommodate this. Some other option besides "Use default gateway on remote network".

Let us know if you ever figure out why your laptop configuration isn't working with the split-tunnel.

~rls

Hi,

This works for me as well. Did exactly what 0rsnaric mentioned. Thanks 0rsnaric.

Raj
