Solved

Cisco VPN blocks Internet and LAN access

Posted on 2006-05-15
Last Modified: 2008-01-09
Hi,
I use Cisco VPN client to connect to a remote system from my corporate LAN.

In my LAN I get a local IP address (10.40.a.b); the whole LAN is NATted outside with a single IP address (194.x.y.z).

After I connect to VPN using Cisco client 4.6 I lose Internet and LAN access due to remote system restrictions.

Is it possible to change the routing table with the route command and/or any other network utility to regain Internet and LAN access?
There are only a few remote addresses I need to reach by VPN, so I would like to redirect all the other network traffic to my "regular" LAN connection.

Thanks
Claudio
Question by:claud_io
LVL 9

Accepted Solution

by:
stressedout2004 earned 1050 total points
ID: 16686246
If you are using the Cisco VPN client, the answer to your question is *No*. The change has to be done on the VPN server.
0
 
LVL 12

Assisted Solution

by:r_naren22atyahoo
r_naren22atyahoo earned 450 total points
ID: 16686866
I am not sure, but I use this batch file to create the manual routes and gateways.
I use this after connecting to a PPTP tunnel.

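-----------
@echo off
rem Find the IP address of the PPP (PPTP) adapter in the "ipconfig /all"
rem output and add routes that use that address as the gateway.

setlocal

set ip=
set foundPPP=

rem Pass every line of the ipconfig output to :PROCESS.
for /f "delims=" %%a in ('ipconfig /all') do call :PROCESS "%%a"

if "%ip%"=="" echo Can't find PPTP IP address.&goto :EOF

rem Office networks and the default route, all via the PPTP address.
route add 10.21.1.0 mask 255.255.255.0 %ip%
route add 10.22.1.0 mask 255.255.255.0 %ip%
route add 10.60.1.0 mask 255.255.255.0 %ip%
route add 0.0.0.0 mask 0.0.0.0 %ip% metric 30

goto :EOF

:PROCESS
rem Handles one line of ipconfig output.

set Line=%~1

if "%Line%"=="" goto :EOF

rem A line starting with "PPP" is the header of the PPP adapter section.
if "%Line:~0,3%"=="PPP" set foundPPP=Y&goto :EOF

rem Ignore everything that comes before the PPP adapter section.
if "%foundPPP%"=="" goto :EOF

rem On an "IP Address" line, take the text after the colon as the address.
for /f "tokens=2 delims=:" %%a in ('echo " %Line% " ^| findstr /c:"IP Address"') do if not "%%a"=="" call :SETIP %%a

goto :EOF

:SETIP
rem %1 is the address with the surrounding spaces stripped by call.

set ip=%1
-------------------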
This is a batch file, run this after the VPN connection

or
just type this at command prompt

route add 10.X.X.0 mask 255.255.255.0 10.A.A.A
route add 0.0.0.0 mask 0.0.0.0 10.A.A.A metric 30
Where 10.X.X.0 is your office network address
10.A.A.A is the ip address given to you after connecting to the VPN

regards
Naren
0
 
LVL 9

Assisted Solution

by:stressedout2004
stressedout2004 earned 1050 total points
ID: 16687226
For PPTP tunnel it is possible, but not when using Cisco VPN client (as far as I know). It is a centralized pushed policy type of connection. Everything is controlled by the VPN server. The ability to surf the internet and browse local LAN is controlled by the split tunneling policy which is configured on the VPN server. You have to talk to the administrator of your VPN server. However, you can try what Naren is suggesting, it doesn't hurt.
0

Author Comment

by:claud_io
ID: 16706557
The IP given to me after connecting to the VPN is of the form 172.A.A.A so I tried to add

route add 10.X.X.0 mask 255.255.255.0 172.A.A.A
route add 0.0.0.0 mask 0.0.0.0 172.A.A.A metric 30

but after that I'm not able to reach the remote system and also not able to surf the web

0
 
LVL 12

Expert Comment

by:r_naren22atyahoo
ID: 16706599
This is wrong

route add 10.X.X.0 mask 255.255.255.0 172.A.A.A
route add 0.0.0.0 mask 0.0.0.0 172.A.A.A metric 30

In place of 10.X.X.0 you have to put your office network address
and subnet mask.
You have to know your office network address and subnet mask!!!!


to revert the changes
you have to use
route delete 10.X.X.0 mask 255.255.255.0 172.A.A.A
route delete 0.0.0.0 mask 0.0.0.0 172.A.A.A metric 30

regards
Naren

0
 

Author Comment

by:claud_io
ID: 16706708
Yes, I did it ....

the real command was

route add 10.40.41.0 mask 255.255.255.0 172.A.A.A

since my IP is 10.40.41.113 ....

There is already present a similar route for 10.40.0.0 with mask 255.255.0.0 and the same gateway 172.A.A.A; and another for 10.40.0.0 with mask 255.255.0.0 and my LAN IP as gateway; both have metric 1.

Also your 2nd command corresponds to a route already present but with metric 1 instead of 30.

0
 
LVL 12

Expert Comment

by:r_naren22atyahoo
ID: 16707066
172.A.A.A >>> is this the address given by the VPN server????
Then what is 10.40.41.113? I guess this is the address given by the VPN server.
If that's the case:
route add 10.40.0.0 mask 255.255.0.0 10.40.41.113
route add 0.0.0.0 mask 0.0.0.0 10.40.41.113 metric 30

If the first line is already created then there is no need to add it.
I know the second will be there, but we have to change the metric to something higher, i.e. 30.

There will also be another route like
route add 0.0.0.0 mask 0.0.0.0 X.X.X.X metric 20 I guess

If the metric is higher it is given less preference.... that way
your default gateway will be your normal internet gateway...
but the VPN traffic will be routed to your VPN IP address.

Before, all the traffic was directed to the VPN IP address as its metric is 1, i.e. highest.

Let me know if you didn't understand any part.

regards
Naren


0
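An added example, not part of any post in this thread: a small Python model of the selection rule the replies argue over (most specific prefix wins, then lowest metric), run over a table built from the routes claud_io describes. The addresses 172.16.0.10 and 10.40.0.1 and the metric-20 LAN default route are constructed stand-ins, and the model treats each added route as a separate table entry.

```python
import ipaddress

# Constructed addresses: the thread masks the real ones (172.A.A.A, 85.V.V.V).
VPN_GW = "172.16.0.10"   # stands in for the VPN-assigned 172.A.A.A
LAN_GW = "10.40.0.1"     # hypothetical LAN default gateway

def route(dest, mask, gateway, metric):
    """One routing-table entry, written the way 'route add' takes it."""
    net = ipaddress.ip_network(f"{dest}/{mask}")
    return {"net": net, "gw": gateway, "metric": metric}

def best_routes(table, dst):
    """Entries that win for dst: longest prefix first, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r["net"]]
    if not matches:
        return []
    longest = max(r["net"].prefixlen for r in matches)
    matches = [r for r in matches if r["net"].prefixlen == longest]
    lowest = min(r["metric"] for r in matches)
    return [r for r in matches if r["metric"] == lowest]

def gateways(table, dst):
    """Sorted gateways of the winning entries (more than one means a tie)."""
    return sorted({r["gw"] for r in best_routes(table, dst)})

# Table as described in the thread once the tunnel is up (constructed values).
TUNNEL_UP = [
    route("0.0.0.0", "0.0.0.0", VPN_GW, 1),
    route("0.0.0.0", "0.0.0.0", LAN_GW, 20),   # assumed LAN default route
    route("10.40.0.0", "255.255.0.0", VPN_GW, 1),
    route("10.40.0.0", "255.255.0.0", "10.40.41.113", 1),
]
# The same table plus the two routes tried in the thread.
ATTEMPT = TUNNEL_UP + [
    route("0.0.0.0", "0.0.0.0", VPN_GW, 30),
    route("10.40.41.0", "255.255.255.0", VPN_GW, 1),
]

if __name__ == "__main__":
    for name, table in (("tunnel up", TUNNEL_UP), ("after route add", ATTEMPT)):
        for dst in ("8.8.8.8", "10.40.41.5"):
            print(f"{name:16} {dst:12} -> {gateways(table, dst)}")
```

In this model the metric-30 default route never wins while the metric-1 default route through the tunnel is present, and the added /24 route sends local-subnet traffic into the tunnel because it is more specific than either /16 entry.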
 

Author Comment

by:claud_io
ID: 16707365
172.A.A.A is this the address given to me by the VPN server
10.40.41.113 is my local IP inside my LAN
VPN server IP is 85.V.V.V

0
 
LVL 9

Expert Comment

by:stressedout2004
ID: 16711446
Guys, route modification doesn't work with Cisco VPN clients. I have tried the same solution before to no avail. It just doesn't work like it does for PPTP clients. It's by design. It is something that needs to be done on the VPN server itself, like I said, centralized policy pushed. Claud, you need to talk to the administrator of the VPN server and request internet access or at least access to your own local LAN. That is the only way.
0
 
LVL 12

Expert Comment

by:r_naren22atyahoo
ID: 16713711
Maybe you just need to add this line, as the other route is already added by VPN policy.
route add 0.0.0.0 mask 0.0.0.0 172.A.A.A metric 30
0
 
LVL 12

Expert Comment

by:r_naren22atyahoo
ID: 16794485
Thanks for the points, how did it go??
0
 

Author Comment

by:claud_io
ID: 16797315
Nothing to unfortunately .... I gave up trying ... thanks anyway for your suggestions ...
0
