We help IT Professionals succeed at work.

We've partnered with Certified Experts, Carl Webster and Richard Faulkner, to bring you two Citrix podcasts. Learn about 2020 trends and get answers to your biggest Citrix questions!Listen Now


cisco PIX 501 VPN clients can't ping external net when connected

wotech asked
Medium Priority
Last Modified: 2008-03-10
hi all,
I have a Cisco PIX 501 at an office that users connect to when they're at home.  They are all using the Microsoft VPN client/software built-in to Windows XP Pro.
I went through the setup wizard on the PIX 501 to setup client VPN access; everything seemed to go smoothly.
When clients are connected via VPN to the PIX, everyone can access internal network resources (computer, printers, servers, etc.) just fine.  However, they can't browse the Internet or do anything externally.  After they disconnect the from VPN, Internet works fine again.

When I went through the setup wizard on the PIX, it asked for DNS servers to assign to the clients; I entered the same thing that I assign the computers inside the LAN--
DNS 1: (Win Small Biz Server 2003/domain controller)
DNS 2:  68.13.16.xxx (ISP's DNS server)

If you need more info on the setup, just let me know.  any help is appreciated!! Thanks!
Watch Question

hi there

I dont' have a pptp client to test this on but if you go into the properties of the pptp client -
click on the networking tab
click on TCP/IP and click properties
Click on advanced
Untick the  "Use default gateway on remote network" checkbox

This should send all your reachable traffic from your client out the internet connection and leave all tunnelled traffic over the tunnel.
Its kind of a "poor mans split-tunnelling"

On that note - if you have CCO - I would definetly recommend using Cisco VPN client over pptp anyday.  Not only for the IPSec security, but because you can deploy the client and have greater control over it on the pix - ie split tunnelling access-lists.  


Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts


works like a charm!

theoretically, though, shouldn't I be able to route traffic through the remote gateway?

<<theoretically, though, shouldn't I be able to route traffic through the remote gateway?

No - a PIX will not redirect traffic out an interface it originated from.  In this case the pptp traffic comes in on the outside interface - and if you wanted to go the internet, it would have to back out the outside interface.  The pix will not allow this.

Glad you got working!


cool, thx for the info

have some points!

welcome bro

thank you
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.