
VPN, CAN'T SURF INTERNET SAME TIME, don't want split tunnel. PROXY???


etaketa (Technical User), May 4, 2005
Hi there,

I have VPN clients connected to the office PIX and they access some sensitive information on one of our servers, but at the same time they have to be able to browse the Web. How can I allow them to browse the Web without split tunneling, so that their connection to the Web is encrypted?
Can you help me please? What about a proxy server? What proxy servers for Windows do you recommend besides ISA?

Thanks
 
Without split tunneling? The only other way I know to do this is to allow them access to the web through the PIX while connected to the VPN (i.e. they connect to the VPN and you create an access list to allow VPN users out of your network).

They'll have slower than normal web access and create an additional load on the PIX/network but it will work. This does compromise security a bit on the VPN but it is a lot more secure than split tunneling.

There are several ways to do this and I've toyed with posting my thoughts on this, but it's been about a year since my last tinkering with Cisco so there are probably better people to offer the "how-to's" than myself.
 
I figured out how to have them surf through the PIX. What I did was set up a program called SPOON PROXY on another computer behind the PIX and set their VPN browser settings to point to that computer. I'm all set now. The PIX 506 doesn't support hairpinning, which is packets going out the same interface they came in on, so this is my only alternative.
 
You'll probably find that in the advanced settings of your IP protocol, it is set to "Use Default Gateway on remote network", which will prevent you from surfing the net while connected to the VPN.

Iain
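As an added illustration (not part of any post in this thread): a small Python check that parses the IPv4 section of Windows `route print` output and reports whether a client is in full-tunnel or split-tunnel state, based on which interface owns the lowest-metric default route. The two route tables are constructed samples, and 192.168.3.205 is assumed to be the address the client received from the VPN pool.

```python
import re

# Constructed sample of "route print" output on a client whose VPN
# connection has "Use default gateway on remote network" enabled: the
# tunnel adapter holds the lowest-metric default route (full tunnel).
FULL_TUNNEL = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.3.205   192.168.3.205       1
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.50      26
      192.168.1.0    255.255.255.0         On-link      192.168.1.50     281
      192.168.3.0    255.255.255.0    192.168.3.205   192.168.3.205       1
"""

# Same client with that option cleared: only the office subnet goes through
# the tunnel, so web traffic leaves via the local ISP gateway unencrypted.
SPLIT_TUNNEL = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.50      26
      192.168.1.0    255.255.255.0         On-link      192.168.1.50     281
      192.168.3.0    255.255.255.0    192.168.3.205   192.168.3.205       1
"""

# destination, netmask, gateway, interface, numeric metric (header never matches)
ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_routes(text):
    """Return a list of (dest, mask, gateway, interface, metric) tuples."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            routes.append((dest, mask, gw, iface, int(metric)))
    return routes


def tunnel_state(text, vpn_addr):
    """'full' if the preferred default route uses the VPN adapter,
    'split' if a default route exists but prefers another interface,
    'none' if there is no default route at all."""
    defaults = [r for r in parse_routes(text)
                if r[0] == "0.0.0.0" and r[1] == "0.0.0.0"]
    if not defaults:
        return "none"
    best = min(defaults, key=lambda r: r[4])  # Windows picks lowest metric
    return "full" if best[3] == vpn_addr else "split"


if __name__ == "__main__":
    print("full-tunnel sample :", tunnel_state(FULL_TUNNEL, "192.168.3.205"))
    print("split-tunnel sample:", tunnel_state(SPLIT_TUNNEL, "192.168.3.205"))
```

On a real client, feed it the output of `route print` and the address shown for the VPN adapter in `ipconfig`.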
 
No, I want to use the default gateway on the remote connection. I don't want to create a split connection. I want all end users to surf the net through the PIX. I was able to do this by using a proxy server and pointing the VPN users' Internet Explorer settings to this proxy.

What I set up was this:

END USER----->VPN------>PIX----NETWORK--PROXY--INTERNET-->

NOT

<---INTERNET----END USER---->VPN--->PIX----->NETWORK
 
VPN GURU CHALLENGE is in order here. I have the same exact issue and have struggled with it for a year. If I add a static route on the VPN server that captures 0.0.0.0/0.0.0.0 and sends to our hardware-based Internet router gateway address, Internet access works for a while but then the VPN server refuses connections.

ENDUSER.VPN--> VPN.Server--> Internal.Router--> INTERNET-->

Windows 2000 Server with latest SP4 post.

ISP subnet = x.x.x.64-.70
DSL Modem = x.x.x.65
Firewall = x.x.x.66/255.255.255.248 (.64-.70)

Intranet Network = 192.168.3.x
Internet Gateway = 192.168.3.1
Intranet DNS = 192.168.3.20
--------------------------------
VPN Intranet Interface : 192.168.3.30, Mask 255.255.255.0 DNS=.20, no gateway
VPN External Interface : x.x.x.70, Mask 255.255.255.248, gateway .65, ISP DNS, & (filtered)

VPN Static IP Pool : 192.168.3.200-.210
VPN Internal Interface: 192.168.3.200

Static routes: none that don't cause VPN to eventually die.

* Adding a route to 0.0.0.0/0.0.0.0 for 192.168.3.1 works for a while but if the VPN server is rebooted or another vpn client attaches, the VPN server stops responding even after the new static route is removed. In order to restore functionality, I must uninstall routing followed by uninstalling each network interface and then reinstall everything before it will accept connections again.

I've read tons of posts with various suggestions. So far, none of them work reliably. Many have given up and say there is no solution without upgrading to Win2003 Server or Windows ISA 2003. Many don't have budget for that for now. We have a sister office that uses a single interface without issues, however, I require a multihomed VPN server.

My ultimate goal: To get my multihomed Windows 2000 VPN Server to allow VPN clients Internet access via the corporate Internet gateway (no split tunneling).
 
I finally figured it out. I read up on the PIX, and the PIX 506 does not support hairpinning; that means data packets coming in one interface and going out the same interface again.

So in order for my VPN users to surf the Internet at the same time, what I did was use a small program called Spoon Proxy and I set that up on one of the computers here on the network, 10.0.0.5. Then in Internet Explorer properties I go to the Connections tab and set the VPN connection to use a proxy of 10.0.0.5, and now it works fine.

SEE it works like this.

VPN USER----INTERNET----PIX OUTSIDE INTERFACE---PROXY 10.0.0.5 --->Inside Interface---->Outside Interface

FROM CISCO.COM:
"Redirecting traffic out the same interface that received it is sometimes called hairpinning. Some devices, such as the PIX Firewall, do not support hairpinning."
 
I separate Internet access firewalling from VPN firewalling so I don't think my packets are going out and in the same interface. We have a separate firewall and IP address for the external interface on my VPN Server. Once the VPN client establishes a connection with the VPN Server, it should be a full member of our Intranet using an IP of 192.168.3.205 for example. And just as any other client computer, it should use our Internet gateway of 192.168.3.1.
 
Can you just try it? Install Spoon Proxy on one of your computers, then point the VPN users' Internet Explorer proxy settings for the VPN connection to that proxy server, then let me know if it works. Do you need a link to download Spoon Proxy? Here it is... It's worth a try. I bet it works.
 
I don't doubt that it will work; however, it does not provide the solution within the Microsoft framework. I know there is a straightforward solution to this very common multi-homed VPN server configuration.
 
Then set up ISA Proxy Server (that's within the Microsoft framework).
 
Why go through the effort when this configuration should work?
 
It won't, because you're trying to do hairpinning. Do a search on Google for hairpinning and PIX.

The VPN users are coming in from the outside interface and then they want to use the Internet and go back right out through the same outside interface. The PIX won't let it, except for the new version 7.0 PIX OS, which only comes with the latest higher-end PIXes, not the 501 or 506.
 
I am at the office connecting to my onsite server/intranet pages through VPN.
But when I log in to VPN I am not able to access the Internet through the IE browser.
I tried to log in to VPN in Firefox and then in Netscape with the onsite server proxy IP and I can access the Internet. But if I try accessing the net through IE with the onsite proxy IP it's not working.
Please help me to solve this IE issue.
 
etaketa: If you look at my post you will see that I am NOT using the same interface and therefore hairpinning cannot be the issue.
 