
Default gateway for VPN Clients


bwoodley (IS-IT--Management), Apr 2, 2003
Currently our VPN clients receive an address on the 10.1.1.0 subnet, and our LAN is on the 140.100.0.0 subnet. Our PIX connects both subnets just fine. The only problem is that when a PC connects to the VPN, the MS VPN adapter establishes a new default gateway so that 0.0.0.0 goes to 10.1.1.1. This is fine for the 140 traffic, but all the Internet traffic goes there also. So if a VPN user connects to the VPN, their Internet traffic gets pushed down the VPN pipe. Is there a way to define a route so only the 140 traffic goes down the VPN pipe instead of everything headed to the Internet, so that VPN users can connect to the 140 but not have their Internet disabled? I have tried adding a route to 140 using the 10.1.1.1. It works, but this is deleted when reconnecting and must be manually entered on the command line.

any suggestions?
 
Have you tried defining a split-tunnel? Sounds like this is what you want to do:
assuming that your vpn client pool is:
10.1.1.0/255.255.255.0

access-list vpn_split permit ip 140.100.0.0 255.255.0.0 10.1.1.0 255.255.255.0
vpngroup yourvpn split-tunnel vpn_split

more info:
After the Tunnel is up, User is Unable to Browse the Internet - Split Tunneling
The most common reason for this problem is that with the IPSec tunnel from the VPN Client to the PIX, all the traffic is sent through the tunnel to the PIX firewall. The PIX functionality is such that it does not allow sending the traffic back to the interface where it was received; therefore the traffic destined to the Internet does not work. To fix this problem, use the split tunneling command. The idea behind this fix is that one only sends specific traffic through the tunnel and the rest of the traffic goes directly to the Internet, not through the tunnel.

vpngroup vpn3000 split-tunnel 90
access-list 90 permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list 90 permit ip 172.16.0.0 255.255.0.0 10.1.2.0 255.255.255.0
Note: The vpngroup vpn3000 split-tunnel 90 command enables the split tunneling with access-list number 90. The access-list 90 command defines which traffic flows through the tunnel, the rest of which is denied at the end of the access-list. The access-list should be the same for denying NAT on PIX.
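To see what a split-tunnel ACL in the PIX syntax above actually does for a client, here is an added Python example (not from the thread, not Cisco's code) that parses `access-list ... permit ip SRC MASK DST MASK` lines and decides, for a constructed client address and destination, whether a packet is sent through the tunnel or leaves the client directly; it also lists the client-side routes the ACL implies, which is what the original poster was adding by hand.

```python
import ipaddress

# Split-tunnel ACL from the answer above. Traffic matching a permit line is
# sent through the IPSec tunnel; everything else hits the implicit deny at the
# end of the list and goes straight to the Internet from the client.
SPLIT_ACL = [
    "access-list vpn_split permit ip 140.100.0.0 255.255.0.0 10.1.1.0 255.255.255.0",
]


def parse_acl_line(line):
    """Parse one PIX line of the form: access-list NAME permit|deny ip SRC MASK DST MASK."""
    tokens = line.split()
    if len(tokens) != 8 or tokens[0] != "access-list" or tokens[3] != "ip":
        raise ValueError(f"unsupported ACL line: {line}")
    action = tokens[2]
    # The ACL is written from the PIX side: source is the LAN, destination is
    # the client pool. From the client's point of view the roles are reversed.
    lan_net = ipaddress.ip_network(f"{tokens[4]}/{tokens[5]}", strict=False)
    client_net = ipaddress.ip_network(f"{tokens[6]}/{tokens[7]}", strict=False)
    return action, lan_net, client_net


def path_for(client_ip, dest_ip, acl=SPLIT_ACL):
    """Return 'tunnel' if client_ip's packet to dest_ip goes through the VPN, else 'direct'."""
    client = ipaddress.ip_address(client_ip)
    dest = ipaddress.ip_address(dest_ip)
    for line in acl:
        action, lan_net, client_net = parse_acl_line(line)
        if client in client_net and dest in lan_net:
            return "tunnel" if action == "permit" else "direct"
    return "direct"  # implicit deny at the end of the access-list


def implied_client_routes(acl=SPLIT_ACL, gateway="10.1.1.1"):
    """Routes the client ends up with under split tunneling: only the permitted LAN
    networks point at the VPN gateway; the default route is left untouched."""
    routes = []
    for line in acl:
        action, lan_net, _ = parse_acl_line(line)
        if action == "permit":
            routes.append(f"{lan_net.with_prefixlen} via {gateway}")
    return routes


if __name__ == "__main__":
    # Constructed addresses: a pool client talking to the LAN and to the Internet.
    print(path_for("10.1.1.5", "140.100.20.7"))    # tunnel
    print(path_for("10.1.1.5", "198.51.100.10"))   # direct
    print(implied_client_routes())                  # ['140.100.0.0/16 via 10.1.1.1']
```

The same parser handles the numbered form from the Cisco note (`access-list 90 permit ip ...`), since the list name is just the second token.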

 
HI.

> ... the ms vpn adapter ...

"azstyx" is correct - split tunnel can solve the problem.
But you'll have to migrate from MS PPTP VPN to Cisco IPSec.
This involves reconfiguration of the pix, and installing and configuring VPN client on remote workstations.

I recommend that you do the migration, and then disable and stop using PPTP because you'll get other benefits as well.

Bye


Yizhar Hurwitz