
LAN & Internet for VPN client 1

Status
Not open for further replies.

epronto (IS-IT--Management), Mar 9, 2005, CA
Hi there,
First of all, may I thank themut for his invaluable help on smtp traffic stops.
Now, the issue is with VPN client v4.6 which can't browse Internet while connected by VPN. The LAN is accessible fine.
The VPN relevant setup on PIX 506e, 6.3.3 goes like this:

access-list VPN permit ip 192.168.1.0 255.255.254.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list VPN

ip local pool VPNippool 10.10.10.1-10.10.10.254

aaa-server IAS protocol radius
aaa-server IAS (inside) host 192.168.1.5 ****** timeout 5

sysopt connection permit-ipsec

crypto ipsec transform-set VPN_SET esp-des esp-md5-hmac
crypto dynamic-map VPN_dynmap 10 set transform-set VPN_SET
crypto map VPN_map 10 ipsec-isakmp dynamic VPN_dynmap
crypto map VPN_map client authentication IAS
crypto map VPN_map interface outside

isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

vpngroup VPNclient address-pool VPNippool
vpngroup VPNclient dns-server 192.168.1.5 192.168.1.1
vpngroup VPNclient wins-server 192.168.1.5 192.168.1.1
vpngroup VPNclient default-domain domain.com
vpngroup VPNclient idle-time 1800
vpngroup VPNclient password ********

I found on the forum and tried the following

isakmp identity address
isakmp client configuration address-pool local VPNippool outside
isakmp nat-traversal 10

It didn't make any difference.

I also tried

access-list VPNsplit permit ip any any
vpngroup VPNclient split-tunnel VPNsplit

Now the Internet was fine, but I could not ping LAN resources.

I need to have them both.
Any feedback on this one will be welcome.
 
I found the problem and it was in

access-list VPNsplit permit ip any any

I changed it for

access-list VPNsplit permit ip 192.168.1.0 255.255.254.0 10.10.10.0 255.255.255.0

and now it works fine.
On the security side, though, doesn't tunnel splitting compromise security by allowing the client's unsecured Internet traffic into the LAN through the existing VPN?
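A small config audit for the split-tunnel point in this post, as an added example that is not from the thread or from Cisco: it parses the PIX 6.3 lines quoted above and reports any split-tunnel entry that pushes more than the LAN to the client (as the "any any" version did) or that the nat 0 ACL does not exempt from translation. The LAN network 192.168.0.0/23 passed to it is an assumption derived from the 255.255.254.0 mask in the config.

```python
import ipaddress

# Constructed sample: the relevant lines of the thread's PIX 6.3 config, with the
# original "any any" split-tunnel ACL and the corrected one as two variants.
BASE = """
access-list VPN permit ip 192.168.1.0 255.255.254.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list VPN
vpngroup VPNclient split-tunnel VPNsplit
"""
BROAD_SPLIT = BASE + "access-list VPNsplit permit ip any any\n"
FIXED_SPLIT = BASE + ("access-list VPNsplit permit ip 192.168.1.0 255.255.254.0 "
                      "10.10.10.0 255.255.255.0\n")

def _source_net(tokens):
    """Parse the source of a PIX 'permit ip' entry: 'any', 'host A' or 'ADDR MASK' (real mask)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32")
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)

def permit_ip_sources(config):
    """Return {acl_name: [source_net, ...]} for every 'permit ip' ACL entry."""
    acls = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) >= 6 and tok[0] == "access-list" and tok[2:4] == ["permit", "ip"]:
            acls.setdefault(tok[1], []).append(_source_net(tok[4:]))
    return acls

def audit_split_tunnel(config, lan_nets):
    """Flag split-tunnel entries that push more than the LAN to the client, or that
    the nat 0 ACL does not exempt from translation. An empty list means no finding."""
    acls = permit_ip_sources(config)
    split_acl = nat0_acl = None
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["vpngroup"] and "split-tunnel" in tok:
            split_acl = tok[tok.index("split-tunnel") + 1]
        if tok[:1] == ["nat"] and tok[2:4] == ["0", "access-list"]:
            nat0_acl = tok[4]
    lan = [ipaddress.ip_network(n, strict=False) for n in lan_nets]
    findings = []
    for src in acls.get(split_acl, []):
        # the source side of a split-tunnel entry is the network pushed to the client
        if not any(src.subnet_of(n) for n in lan):
            findings.append(f"{split_acl}: {src} reaches beyond the LAN {lan_nets}")
        if not any(src.subnet_of(n) for n in acls.get(nat0_acl, [])):
            findings.append(f"{split_acl}: {src} is not exempted from NAT by {nat0_acl}")
    return findings
```

With no split-tunnel ACL referenced at all the client runs a full tunnel, so the audit returns nothing to flag.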
 
Correct, split tunneling is a major security problem.

Computer/Network Technician
CCNA
 
Thanks for answering my post.
So what could be a viable solution for the VPN client to have both LAN and Internet access (apart from accessing Remote Desktop on the LAN)?
I am actually moving clients from Microsoft's VPN clients connecting with PPTP (PIX configured with static PAT into internal Windows RRAS) to a supposedly more secure IPsec connection, but it has its disadvantages...
 
Yes, IPSec is more secure.

What disadvantages are you noticing? The entire reason we are using PPTP is due to our ability to use IAS for AD authentication.

I believe L2TP is a cross between IPSec and PPTP and the windows client can support L2TP.

Generally most VPN configurations do not allow internet access. And the only way to securely do it, as you said, would be via a remote connection to a client on the internal LAN.

Computer/Network Technician
CCNA
 
If you add this line to your config,
you can authenticate the IPSEC client to IAS.
Code:
crypto map mymap client authentication AAAGROUP

mymap needs to match the map name in your config,
and AAAGROUP needs to match your aaa-server config.
This will force a popup for the user to enter the NT username and password.
 
br0ck,
I guess your commentary was for LloydSev since he mentioned AD authentication as the reason to use PPTP.
As you can see from my original post, I have that line and it works fine.
Thanks for your feedback.
 