
VPN - DNS packets getting dropped coming back??


sitemanager

IS-IT--Management
Feb 27, 2004
Before I go and do a bunch of work, I figured I'd pass along my scenario to see if anyone can provide some insight to the problem.

This is a little wordy, but I tried to explain everything as succinctly as I could.

The problem is that a remote user, connecting via Cisco VPN to the office, is able to browse the Internet when not connected via VPN, but after establishing a VPN connection the user can no longer browse the Internet. There are a couple of quirks in this, too. The remote user just moved to a new office location, and at the old location, everything was fine.

Here's the equipment involved:
* main office - Cisco PIX 515
* Remote office - using the host's LinkSys.
* Remote office - using WebRamp into LinkSys.
* Remote user has Windows 98.

At the old location, there was no firewall. (They're insane, but I can only plead with them.)

The PIX is configured for split-tunneling and the clients have the "Use local LAN" option checked.

So, they moved to this new place and immediately had issues because the LinkSys LAN had the same private IP subnet as the PIX in the main office, so routing wasn't working. I worked around that by having them plug in a WebRamp firewall they happened to have. The WebRamp allowed them to create a different LAN IP of 192.168.123.0 so the routing works now.

When they use the VPN connection, they can access all the systems in the main office, but they cannot browse the Internet. Well, they can browse if they use IP addresses instead of URLs.

When one user was connected via VPN, I had him do a "telnet <external DNS> 53" and he made a connection. (Windows 98 doesn't have NSLOOKUP.) Also, before the VPN connection, he could ping " but not after establishing the connection. (I did a test from the PDM on the PIX, and all ping responses on either interface were dropped as denied.)

So, names cannot be resolved with the VPN, but they can without. And, the VPN worked fine at the other place, but there was no firewall.

I checked the PDM log and I didn't see any traffic listed regarding DNS/53. I had him check the WebRamp log, and there didn't seem to be anything bad, and I even had him add a rule to allow all DNS traffic both ways, just in case. I don't have access to the LinkSys.

I know it's a bit of a complicated setup.
Does anyone have any thoughts on this??

I think I'll have to try changing the main office LAN IP and get rid of the WebRamp, but it still may not work, because it could be the LinkSys. (I have had quirky problems with two different versions of LinkSys BFRS firewalls.)

Thanks!!

Rob Ingenthron
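The telnet test in the post only proves that TCP/53 is reachable, while resolvers send ordinary lookups over UDP/53, so a split-tunnel path can pass one and silently drop the other. As an added diagnostic that is not part of the original post, this Python script sends the same A query both ways to whatever resolver address and name you pass in (it assumes a host that can run Python on the remote LAN, not the Windows 98 client itself):

```python
import socket
import struct

def build_query(name, txid=0x1234):
    """Build a minimal recursive (RD=1) DNS A query for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def answer_count(resp, txid=0x1234):
    """ANCOUNT of a matching response (QR=1, same id); -1 if it is not one."""
    if len(resp) < 12:
        return -1
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return an if rid == txid and flags & 0x8000 else -1

def query_udp(server, name, timeout=3.0):
    """Send the query over UDP/53; None means no reply (the path being dropped)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (server, 53))
            data, _ = s.recvfrom(512)
        except OSError:
            return None
    return answer_count(data)

def query_tcp(server, name, timeout=3.0):
    """Same query over TCP/53 (two-byte length prefix, RFC 1035 section 4.2.2)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((server, 53))
            s.sendall(struct.pack("!H", len(q)) + q)
            (n,) = struct.unpack("!H", s.recv(2))
            data = b""
            while len(data) < n:
                chunk = s.recv(n - len(data))
                if not chunk:
                    return None
                data += chunk
        except (OSError, struct.error):
            return None
    return answer_count(data)

if __name__ == "__main__":
    import sys
    server, name = sys.argv[1:3]  # resolver IP the client is configured to use, then a hostname
    print("UDP/53:", query_udp(server, name), " TCP/53:", query_tcp(server, name))
```

Run it once with the VPN down and once with it up; a TCP answer alongside a UDP `None` points at UDP/53 being dropped or misrouted on the tunnel path rather than at the resolver itself.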