
Routing problem on VPN client to PIX

Status
Not open for further replies.

countrypaul (Technical User, GB), Apr 29, 2004
Hi,

We have a PIX 515e connected to the internet and an internal network on 192.168.1.x. We have configured a VPN using PPTP and a remote Windows XP machine using the native Windows client. The remote machine obtains an IP address in the range 192.168.2.x.

When connected with the VPN: on the client, if under the Properties of the connection in Windows XP -> Network settings, TCP/IP settings, Advanced we check the box "Use default gateway on remote network", we can ping the machines on the internal side of the PIX but we cannot browse the internet. If the box is unchecked then we can browse the internet but we cannot ping the internal machines.

How do we resolve this and allow direct browsing of the internet as well as VPN access to our internal network?
 
tricky one. The way I got round it is to use a proxy server on the inside of the gateway. I then changed all our clients to use the vpn client to dial up so they always use our network to browse the web.

I'm not sure how else you'd manage it unless you route through a different pix/router for internet traffic.
 
It may be obvious but I forgot to mention that the remote PC is on the internet, and the VPN is over the internet.

We have found that if the IP address we give the client is within the 192.168.1.x subnet (i.e. the internal one) and the "use default gateway" option is not checked then all works fine. However, having the VPN client on the same subnet is reported to give other problems.

It seems as though we need to give an explicit route to 192.168.1.x but only when the vpn is present.
 
I am having exactly same problem! I cannot access the internet if gateway is specified and I can not access any LAN resources if it is not. SOMEONE HELP US!!!
 
The reason you cannot browse the network when the gateway option is unchecked and the IP address is in a different range is because, by being off range, it's going to send any traffic bound for the 192.168.1.x network to the specified default gateway (probably the cable/DSL next hop). With the remote gateway being used, packets will try and come in the firewall via the tunnel on the public interface, and then leave via that interface bound for the firewall's default route. PIX won't send packets out the interface they came in on; it'll just drop them. By putting the remote PCs on the internal range, the PC will use the tunnel for any in-range addresses and its own default gateway for out-of-range addresses.

That said, I don't see a scenario to make this work without terminating the tunnels into a different device like a concentrator or router.
 
I am having a similar problem. When my VPN clients connect to a pix 501, using the Cisco VPN client, they get a LAN IP, but the gateway they get is the same IP. For example:
IP Address 192.168.1.200
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.1.200

I cannot figure out how to change this at the command line or in the PDM. Any ideas would be greatly appreciated.

TIA
 
I have managed to resolve this problem to a certain extent. If split tunneling is enabled on the PIX then the users can browse both the internet and the internal network at the same time. This does cause a security weakness in that the entire area protected by the firewall is then relying on the client for the same protection as the firewall. With a number of clients, obviously the number of possible vulnerable points of entry onto the internal network increases. The solution was to use a proxy server on the inside (which we already have) to allow web access etc. to outside. We have not decided which solution we will use long term; it may partially depend on how easily our users can manage with setting and unsetting the proxy server depending on connection (and whether the automatic solution works satisfactorily).

The command for enabling the split tunneling was:
vpngroup vpngp3 split-tunnel 101
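For readers who want to see what the split-tunnel command above depends on, here is an added PIX 6.x configuration fragment; it is an example written for this page, not configuration posted by anyone in the thread. It reuses the names the poster gave (access-list 101, vpngroup vpngp3) and the thread's addressing (inside LAN 192.168.1.0/24, client pool 192.168.2.0/24); the pool name and address range are assumed. The `vpngroup ... split-tunnel` command applies to the Cisco IPsec VPN client, not to the native Windows PPTP client the thread started with. The access list is the part that addresses the earlier "explicit route to 192.168.1.x only when the VPN is present" requirement: the Cisco client installs routes only for the networks named in that ACL, and only while the tunnel is up, so everything else leaves via the client's own Internet connection.

```cisco
: Added example, not from the thread. PIX 6.x remote-access configuration
: with split tunneling. Names: access-list 101 and vpngroup vpngp3 come from
: the post above; the pool name "vpnpool" and its range are assumed.
:
: Only traffic between the inside LAN and the client pool is sent through
: the tunnel. Keep this ACL as narrow as possible: every network listed here
: becomes reachable from a remote PC whose protection is now the PC's own.
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

: Address pool handed to connecting clients (assumed range).
ip local pool vpnpool 192.168.2.10-192.168.2.50

: Tie the pool and the split-tunnel ACL to the VPN group.
vpngroup vpngp3 address-pool vpnpool
vpngroup vpngp3 split-tunnel 101
```

Without the `split-tunnel` line, the group tunnels all client traffic, which reproduces the original symptom: Internet-bound packets arrive on the outside interface through the tunnel and the PIX will not send them back out the same interface. With it, the trade-off the poster describes remains: remote machines can talk to 192.168.1.0/24 and the Internet at the same time, so each client's own host protection now stands in for the firewall for that subnet, and the inside proxy is the way to keep web traffic under the firewall's control if that trade-off is not acceptable.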

 