Looking for any ideas:
I have installed VPN access on the PIX. When the client logs
in from home using their cable connection they can access everything
on the LAN. However, their Internet access does not work through there.
To fix this I let them point their browser to the inside proxy server on the network.
My question is, is there a way to let the user access the Internet other than
through the proxy, i.e. from their local cable connection?
Using the Windows dial-up VPN connection as the VPN client, this is what we did:
Under the configuration of the dial-up connection, uncheck the box "Use default gateway on remote network". This is found under the network tab, IP stack properties, advanced.
Then, and here's the trick, you need to create a static route on the client that points to your internal network and goes through the VPN tunnel. To do this manually, have the user connect, then run ipconfig /all or winipcfg to see what his IP address on the VPN adapter is. Then go to a DOS prompt and type:
route add xx.xx.xx.xx mask yy.yy.yy.yy zz.zz.zz.zz
Where xx.xx.xx.xx is your internal network and yy.yy.yy.yy is the subnet mask. zz.zz.zz.zz is the VPN adapter IP address assigned by the PIX when the user makes the connection.
I actually made a vpn.reg file that adds static routes to our internal network for every possible address doled out by the PIX. We run this registry key on all Win2k builds for our consultants and they are able to browse the Internet through their local connection while VPN'd in, and still get to internal devices without going through the manual fix every time. It does add quite a few static entries (we have 50 IP addresses in our VPN DHCP range) but it doesn't slow the clients down as far as anyone can tell.
Hope this helps
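The following is an added example, not code from the thread or from the poster's vpn.reg file: it generates the per-pool-address static routes the post describes, both as the manual `route add` lines and as persistent-route registry entries. The internal network 10.1.0.0/16 and the VPN pool 192.168.100.1 to 192.168.100.50 are constructed placeholders; substitute your own values.

```python
# Added example (not code from the original thread): generates the client-side
# routes the post describes, for every address the PIX could hand out.
# Hypothetical values: internal network 10.1.0.0/16, VPN pool
# 192.168.100.1-192.168.100.50; replace them with your own.
import ipaddress

# Where Windows keeps routes created with "route -p add" (applied when an
# adapter with a matching gateway comes up, which is why the .reg trick works).
PERSISTENT_ROUTES_KEY = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
    r"\Tcpip\Parameters\PersistentRoutes"
)


def pool_addresses(first, last):
    """Every IPv4 address from first to last, inclusive (the VPN DHCP range)."""
    start, end = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if end < start:
        raise ValueError("pool end precedes pool start")
    return [str(ipaddress.IPv4Address(n)) for n in range(int(start), int(end) + 1)]


def route_add_commands(internal_net, gateways, metric=1):
    """The manual fix from the post: one 'route add' per possible adapter address.

    internal_net is CIDR ("10.1.0.0/16"); the command uses the dotted mask form
    that the Windows route tool expects.
    """
    net = ipaddress.IPv4Network(internal_net, strict=True)
    return [
        f"route add {net.network_address} mask {net.netmask} {gw} metric {metric}"
        for gw in gateways
    ]


def persistent_route_reg(internal_net, gateways, metric=1):
    """Text of a vpn.reg file: one empty REG_SZ value per route.

    Windows names each persistent route "dest,mask,gateway,metric"; the value
    data is an empty string.
    """
    net = ipaddress.IPv4Network(internal_net, strict=True)
    lines = ["Windows Registry Editor Version 5.00", "", f"[{PERSISTENT_ROUTES_KEY}]"]
    for gw in gateways:
        lines.append(f'"{net.network_address},{net.netmask},{gw},{metric}"=""')
    return "\r\n".join(lines) + "\r\n"  # .reg files use Windows line endings


if __name__ == "__main__":
    pool = pool_addresses("192.168.100.1", "192.168.100.50")
    print(persistent_route_reg("10.1.0.0/16", pool))
```

Run it on any machine and import the printed text with regedit on the client. Keep the routed prefix as tight as the real internal network: only traffic for that prefix goes through the tunnel, and with split tunneling the client sits on the Internet and the LAN at the same time, so a wide prefix does not protect anything and a narrow one limits what the tunnel exposes.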
Actually, what happens is that the session drops after a few seconds
when I try to run Explorer. The PIX has 32 megs RAM, is this a limitation?
If not, what else can I try?
What does your split-tunnel command look like? It should be:
vpngroup name split-tunnel acl
Where name is the name of the associated vpngroup, and acl is the access-list that permits traffic between your internal network and the VPN IP pool.
The 32megs is not a limitation, at least not in my experience with a PIX 515 running 6.2(1).
I had another person try it from their machine and it works fine using the
But for some reason it's not working from my laptop. I guess it's one of those
mysteries that can be solved another time.
When do you think Cisco will support split-tunneling for PPTP on Microsoft clients?
I don't think Cisco can address the split tunneling issue with Microsoft's PPTP client. They would have to rewrite the client to accept a routing change that passed all traffic destined for the private network through the tunnel and everything else through the normal default router.
Microsoft would need to change their software to accommodate this. Some other option besides "Use default gateway on remote network".
Let us know if you ever figure out why your laptop configuration isn't working with the split-tunnel.