
cisco VPN Client gateway problem 1


fingersmcgraw (IS-IT--Management, GB), Mar 14, 2004
When I connect to a Cisco VPN using the Cisco client (version 4) and Windows XP, I can see the network fine, but internet surfing and email (POP) stop working until I disconnect.

Below is a route summary showing before and after.
ROUTE MINUS VPN:

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0d 87 34 4d 0e ...... SiS 900-Based PCI Fast Ethernet Adapter - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.15 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.15 192.168.1.15 20
192.168.1.15 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.15 192.168.1.15 20
224.0.0.0 240.0.0.0 192.168.1.15 192.168.1.15 20
255.255.255.255 255.255.255.255 192.168.1.15 192.168.1.15 1
Default Gateway: 192.168.1.254
===========================================================================
Persistent Routes:
None

ROUTE ONCE VPN CONNECTED:
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0d 87 34 4d 0e ...... SiS 900-Based PCI Fast Ethernet Adapter - Packet Scheduler Miniport
0x10004 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.15 21
0.0.0.0 0.0.0.0 192.168.254.151 192.168.254.151 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.15 192.168.1.15 20
192.168.1.0 255.255.255.0 192.168.254.151 192.168.254.151 1
192.168.1.15 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.254 255.255.255.255 192.168.1.15 192.168.1.15 1
192.168.1.255 255.255.255.255 192.168.1.15 192.168.1.15 20
192.168.254.0 255.255.255.0 192.168.254.151 192.168.254.151 10
192.168.254.151 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.254.255 255.255.255.255 192.168.254.151 192.168.254.151 10
217.37.189.138 255.255.255.255 192.168.1.254 192.168.1.15 1
224.0.0.0 240.0.0.0 192.168.1.15 192.168.1.15 20
224.0.0.0 240.0.0.0 192.168.254.151 192.168.254.151 10
255.255.255.255 255.255.255.255 192.168.1.15 192.168.1.15 1
255.255.255.255 255.255.255.255 192.168.254.151 192.168.254.151 1
Default Gateway: 192.168.254.151
===========================================================================
Persistent Routes:
None

The default gateway seems to get changed to my VPN-issued DHCP address - what can I do to sort this out?
 
What IPs are you giving your VPN clients, something on the 192.168.254.x subnet?

You could set up split tunneling so internet traffic goes straight to the internet instead of going through the tunnel and then trying to go back out.

My guess, without seeing configs for the device, is that your VPN tunnel device is either a) not routing the VPN client subnets correctly, or b) VPN clients are not being NAT'd when they go to the internet (after traversing the tunnel).
 
Hi,
Sadly I'm lacking the brain power to understand what you are asking me :(.

The VPN is issuing 192.168.254.x as a DHCP address - what part of the PIX config contains the info you mentioned?

BTW - thanks for helping.
 
This is totally normal, and configured from the PIX. It's called split tunnelling, and you have to specifically allow it in the PIX config. Although there is a tick box in the VPN client for "allow split tunnelling", this doesn't actually do anything when you're connecting to a PIX (it does when connecting to a Cisco VPN concentrator); the PIX config governs whether it's allowed or not.

Split tunneling is generally considered to be a security risk, as you have a tunnel into your corporate network which terminates behind the firewall, so you effectively have a back door into the network. If you also allow traffic to the internet, and your laptop has a trojan on it, an attacker is basically right onto your network.

I've not yet been given a good enough reason to allow split tunneling on any of the networks we look after.

CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP ;)
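To make the two route dumps above easier to compare with the split-tunnelling explanation, here is an added Python example (not from the thread, Cisco or Microsoft) that parses the "Active Routes" section of a Windows `route print` dump, decides from the default-route metrics whether the client is full-tunnel or split-tunnel, and lists LAN prefixes that a lower-metric tunnel route now overrides. The embedded dumps are trimmed copies of the tables posted above plus one constructed split-tunnel variant whose `10.10.0.0/16` prefix is made up; `vpn_iface` is the VPN adapter's address as it appears in the Interface column.

```python
import re
from collections import namedtuple

# One "Active Routes" line of Windows `route print`: dest, mask, gateway, interface, metric.
ROUTE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")
Route = namedtuple("Route", "dest mask gateway iface metric")

def parse_routes(dump: str) -> list:
    """Keep lines made of four dotted quads plus a metric; headers and banners are skipped."""
    routes = []
    for line in dump.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m and all(f.count(".") == 3 for f in m.groups()[:4]):
            routes.append(Route(*m.groups()[:4], int(m.group(5))))
    return routes

def classify(dump: str, vpn_iface: str) -> str:
    """Windows forwards via the lowest-metric 0.0.0.0/0 route, so that metric decides
    whether internet traffic leaves the LAN adapter or is pulled into the tunnel."""
    routes = parse_routes(dump)
    if not any(r.iface == vpn_iface for r in routes):
        return "no-vpn"
    defaults = [r for r in routes if r.dest == "0.0.0.0" and r.mask == "0.0.0.0"]
    best = min(defaults, key=lambda r: r.metric, default=None)
    if best is None:
        return "no-default-route"
    return "full-tunnel" if best.iface == vpn_iface else "split-tunnel"

def shadowed_prefixes(dump: str, vpn_iface: str) -> list:
    """LAN prefixes that a lower-metric tunnel route now wins (here: the home 192.168.1.0/24)."""
    routes = parse_routes(dump)
    lan = {(r.dest, r.mask): r.metric for r in routes if r.iface != vpn_iface and r.dest != "0.0.0.0"}
    return sorted(f"{r.dest}/{r.mask}" for r in routes if r.iface == vpn_iface
                  and (r.dest, r.mask) in lan and r.metric < lan[(r.dest, r.mask)])

# Trimmed copies of the tables posted above (LAN adapter 192.168.1.15, VPN adapter 192.168.254.151).
BEFORE_VPN = """Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.15 20
192.168.1.0 255.255.255.0 192.168.1.15 192.168.1.15 20
Default Gateway: 192.168.1.254"""
AFTER_VPN = """0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.15 21
0.0.0.0 0.0.0.0 192.168.254.151 192.168.254.151 1
192.168.1.0 255.255.255.0 192.168.1.15 192.168.1.15 20
192.168.1.0 255.255.255.0 192.168.254.151 192.168.254.151 1
192.168.254.0 255.255.255.0 192.168.254.151 192.168.254.151 10"""
# Constructed split-tunnel variant: only a made-up corporate prefix (10.10.0.0/16) uses the tunnel.
SPLIT_VPN = """0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.15 20
10.10.0.0 255.255.0.0 192.168.254.151 192.168.254.151 1
192.168.254.0 255.255.255.0 192.168.254.151 192.168.254.151 10"""
```

Run `classify(dump, "192.168.254.151")` on a fresh `route print` capture to see which way the box is configured; `shadowed_prefixes` also flags the overlap visible in the posted table, where the tunnel's 192.168.1.0/24 route (metric 1) beats the home LAN's own route (metric 20).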
 
Thanks for the info - can you suggest how I could do this without split tunnelling then, please?
 
You can't. What you're trying to do IS split tunneling.

CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP ;)
 