PIX 506E / Cisco VPN Client: Cant access internet+network at same time 3

[etaketa]

I am able to connect to a cisco pix 506E using the cisco vpn client 4.05(c). I am able to access network shares and resources O.K., but i am not able to access the interet while I am connected.

Does anyone know how to make it so I am able to access the internet while connected to the VPN?

 

[LloydSev]

As in the VPN forum, this is what I posted:


You must enable split tunneling on the PIX.

Add this line to your vpngroup..

vpngroup <group> split-tunnel <ACLName>

Then add this ACL

access-list <ACLName> permit ip any <VPNPool Network> <netmask>

Computer/Network Technician
CCNA

 

[cmptrnerd]

I was told in my training that this was not allowed due to security reasons. The only way around this for me has been terminal services. Most of the users I have with VPN's then use Citrix or Terminal services to do their work. When they create a Citrix or terminal session they can use the internet in that session.

Only other way that works is a site to site VPN connection.


Mark
cmptrnerd@core.com

 

[LloydSev]

It's allowed.. it's a feature of the PIX.

But as you mentioned, it is very insecure. In theory, any virus or malware has full secure access to your internal network. Which undermines the whole purpose of using IPSec over say PPTP or L2TP in the first place.

Computer/Network Technician
CCNA

 

[etaketa]

lloyd, im a newbie at this..my vpn pool name is "vpn_ip_pool"

im accessin the pix through the PDM, so I can click on the tools menu and bring up the command line interface.

what exactly should I type in the command line prompt?

should i just type what you said into the command line prompt verbatim?

vpngroup <group> split-tunnel <ACLName>

Then add this ACL

access-list <ACLName> permit ip any <VPNPool Network> <netmask

 

[LloydSev]

no.. the <> variables are meant to be changed..

so use these..

vpngroup vpn_ip_pool split-tunnel splittunnel
access-list splittunnel permit ip any <VPNPool Network> <netmask>

Replace <VPNPool Network> with the network address of the network that the pool exists on..

so if you use 193.100.1.1-193.100.1.15 for the VPN pool..

then use 193.100.1.0 as the network address, and 255.255.255.0 as the netmask.

so that would make the ACL this..

access-list splittunnel permit ip any 193.100.1.0 255.255.255.0

Computer/Network Technician
CCNA

 

[etaketa]

Lloyd my vpn pool ip range is 10.0.0.240 - 10.0.0.254 so what should i put for the network address?

 

[etaketa]

I was able to get the internet going using the graphical interface PDM (pix device manager).. i clicked on THE VPN TAB, then CISCO VPN CLIENT, then EDIT FOR THE GROUP, then clicked on MANAGE SPLIT TUNNEL BUTTON, then i added my network 10.0.0.0.. now i can get to the internet.

BY the way does anyone know how to remove access list statements using the command line interface?

 

[lgarner]

Prefix them with "no", such as "no access-list inbound ..."

 

[Phantom309]

I've taken quite a bit of information from this forum, I'd like to give something back.

I'm wrapping up my B.S.I.T degree and graduate next month but to graduate I had to do a Capstone and I chose to do mine on the Configuration and Administration of the PIX 501 Series Firewall.

I created a number of short videos and labs all free and downloadable from the Internet.

http://www.clkcomputer.com/capstone/index.html

Thanks for all you help and enjoy the vids.