Can Cisco VPN client browse internet through VPN tunnel?

deeze6 (Technical User, US)
Sep 5, 2002
Hello All,

I have a PIX firewall configured to allow Cisco VPN clients to connect.

The problem is when the VPN client has a tunnel established it cannot ping, telnet or connect to any sites on the internet. Also DNS lookups to an internet DNS server are not replying.

Is the PIX configured to deny internet access to the VPN clients? Is there a way to allow VPN clients to browse web pages while connected without using split tunneling?

Thanks!
 
The PIX cannot route traffic back out the interface it comes in on, as you have discovered. You can give them access through a proxy server.
 
No, not another route back out. It's two separate connections.

You connect to the proxy server. The proxy server then connects to the internet and retrieves the data. It then returns data to you. It's not a single connection being re-routed around. One initiates from outside to the proxy server on the inside. The other initiates from the inside (the proxy server) to whatever hosts on the internet.

If you just add route statements, nothing will happen; as 308win explained, on a PIX you can't reroute traffic back out the interface it arrived on.

CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP ;)
 
I am no expert on this but I set up a Split-tunnel ACL to allow VPN'd clients to browse the internet. Why would this not work for the same situation?

Rook
 
So did I, but the question specifically included "without split tunnelling."

Personally, I don't consider the risk of split tunnelling to be greater than having users infect their computers via the internet and then connecting to the corporate LAN.

The Cisco client does include a basic software firewall, but enforcing its use requires the VPN Concentrator.
 
My Fault. I did not read the split tunneling on the end. We have a small VPN group.
 
Split-tunnelling *IS* a greater risk than users infecting their machine and then connecting to the vpn. With split-tunnelling enabled an attacker could have a remote shell open on your vpn client user's machine, they open a connection to your lan, and the attacker can then tunnel onto your network and do damage in real-time while the vpn is up. Whereas with split-tunnelling turned off, this is not possible. So an attacker could theoretically root around on your network with human intelligence in a way a worm or virus couldn't. Imagine the scenario where a user is on always on broadband at home, has a trojan on their machine which allows an attacker to connect to them, and from there the attacker can open a vpn onto your network. How is that not a problem? With split tunnelling off, when the vpn is fired up the attacker is disconnected. Job done. They can't get onto your network.

It may also depend what the vpn users do when they dial in, and what rights they then have. An obvious example, say it's the MD or the accounts department dialling in to check the financials, perhaps even pay some bills electronically. I've yet to hear a good argument to convince me that split-tunneling is worth the exposure. What's the point of buying a cisco firewall if you then open a backdoor through it, and trust the user turns on a software firewall on their machine? Also, with a trojan the connection could originate from the inside out, and so bypass a software firewall.

In terms of it being more of a risk from virus/worm propagation though, the problem is the same as lgarner says, whether split-tunnelling is on or not.

CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP ;)
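A PIX 6.x vpngroup with a split-tunnel ACL of the kind Rook describes, added here as an illustration and not taken from any post in this thread; the group name, pool and subnet addresses are assumptions, and the crypto map / isakmp policy lines are left out:

```cisco
! Assumed addressing: inside LAN 192.168.10.0/24, client pool 192.168.200.0/24,
! group name "remoteusers", internal DNS server 192.168.10.5.
ip local pool vpnpool 192.168.200.1-192.168.200.50

! Exempt LAN <-> client-pool traffic from NAT so replies go back through the tunnel.
access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.200.0 255.255.255.0
nat (inside) 0 access-list nonat

! Split-tunnel ACL: only destinations listed here are sent into the tunnel.
! Keep it to the corporate subnets; everything else (web, DNS) leaves via the
! client's own default gateway, which is exactly the exposure debated above.
access-list split_tunnel_acl permit ip 192.168.10.0 255.255.255.0 any

sysopt connection permit-ipsec

vpngroup remoteusers address-pool vpnpool
vpngroup remoteusers dns-server 192.168.10.5
vpngroup remoteusers idle-time 1800
vpngroup remoteusers split-tunnel split_tunnel_acl
vpngroup remoteusers password ********

! Remove the "split-tunnel" line to force all client traffic into the tunnel.
! On PIX 6.x that traffic cannot be turned back out the outside interface, so
! internet browsing and external DNS from the client stop working, as the
! original post describes; reach the internet from an inside proxy instead.
```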
 
Hi guys, I have a similar problem.

We just bought a new PIX 515 to replace the 2611 IOS router.

We have been using the Win Server 2003 VPN to connect but I have security concerns with it. I want to discard that and stick with straight IPSEC, so I suggested getting the 515.

I have been playing around with the 515 the last few days.

I can browse the internet using split tunneling from a remote vpn client.

The problem is that we connect to various customer sites via ssh etc. They require static IPs so that we can connect, which is set to our global IP address.

With the WinXP VPN it works fine; it seems like we are originating packets from the internal network.

With the PIX, as you mentioned, it cannot send packets out through the same interface they came in on.

I am not worried about web access, I need ssh/telnet access.

Do you guys have a suggestion on how I can do this? Maybe modify the incoming packets and send them back out?

thanks
 
Have the VPN users connect to an internal host, and launch the ssh or telnet sessions from there.
 
Yeah, that thought crossed my mind, but it becomes too cumbersome for the users.

We basically provide support for various telcos, and the fewer connections you have to make the better.

I am just trying to figure out a transparent solution just like when we had the Win XP VPN.
 
You can always use the Windows VPN client to connect. Then you can select not to use the VPN tunnel as the gateway, causing any traffic not for the VPN to go out the client's gateway.
 