Cisco VPN and LAN/Internet access

Posted on 2006-06-07
Last Modified: 2010-04-12
I use Cisco VPN client to connect to a remote system from my corporate LAN.
My PC has Windows XP SP2.

The Cisco server blocks access to my LAN and the internet, so I use a virtual machine dedicated only to the VPN: I can access the LAN and internet from my physical PC and the VPN from the virtual machine.

Since I spend more time using the VPN, I'd like to invert the situation and have the VPN on the physical PC and LAN and internet on the virtual machine. I know this isn't possible as is, but my question is this: if I add a second NIC, is it possible to use one NIC from the physical PC dedicated to the VPN, and the other NIC from the virtual machine dedicated to LAN and internet access?
If so, is there any particular configuration to set?

Question by: claud_io
    LVL 32

    Expert Comment

    First of all, there is an easy way to solve this before going for virtual machines/NICs. To what do you connect using the Cisco VPN Client? PIX or a Concentrator?

    On the other end, they should configure something called 'split-tunneling'. What this does is that only the traffic intended for the VPN is encrypted and routed to the other end, and all your local traffic flows as normal.

    So I would suggest you talk to the person at the other end to configure this; it will make your life a lot easier. All it takes is to add an entry with an access-list as below:

    access-list <ACL_Name> permit ip <Remote Network> <Remote Mask> <Your Network> <Your Mask>
    vpngroup <VPNGROUP> split-tunnel <ACL_Name>

    The above is for a PIX firewall.
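    As an added illustration (not code from the post or from Cisco), a small Python model of the split-tunnel decision described above: with split tunneling off, every destination on the client is pushed into the tunnel (the author's lost LAN/internet access); with it on, only destinations matching the ACL's remote network go into the tunnel. The ACL name, networks and sample destinations are constructed placeholders.

```python
import ipaddress
from typing import List, Tuple

# Constructed split-tunnel ACL, following the shape of the PIX line in the post:
#   access-list <ACL_Name> permit ip <Remote Network> <Remote Mask> <Your Network> <Your Mask>
# Only the remote network/mask pair matters for the routing decision modelled here.
# Addresses are placeholders, not a real customer configuration.
SPLIT_ACL: List[Tuple[str, str]] = [
    ("10.20.0.0", "255.255.0.0"),   # customer's network, reachable only over the VPN
]

def acl_to_networks(acl: List[Tuple[str, str]]) -> List[ipaddress.IPv4Network]:
    """Turn (network, dotted-mask) pairs into ipaddress networks.

    strict=False tolerates host bits being set in the network field, as a
    PIX would when the ACL line is written loosely."""
    return [ipaddress.ip_network(f"{net}/{mask}", strict=False) for net, mask in acl]

def route_for(dst: str, acl: List[Tuple[str, str]], split_tunnel: bool) -> str:
    """Return 'tunnel' or 'local' for one destination address.

    Without split tunneling the VPN client sends everything through the
    tunnel, so LAN and internet destinations are no longer reachable locally.
    With split tunneling, only destinations covered by the ACL are tunnelled."""
    addr = ipaddress.ip_address(dst)
    if not split_tunnel:
        return "tunnel"
    return "tunnel" if any(addr in net for net in acl_to_networks(acl)) else "local"

def reachable_locally(dsts: List[str], acl: List[Tuple[str, str]], split_tunnel: bool) -> List[str]:
    """Destinations that still flow over the client's own LAN/internet path."""
    return [d for d in dsts if route_for(d, acl, split_tunnel) == "local"]

# Constructed sample destinations: a LAN printer, a public web server, a customer host.
SAMPLE_DESTINATIONS = ["192.168.1.10", "203.0.113.50", "10.20.5.7"]

if __name__ == "__main__":
    for mode in (False, True):
        local = reachable_locally(SAMPLE_DESTINATIONS, SPLIT_ACL, mode)
        print(f"split_tunnel={mode}: locally reachable = {local}")
```

    The same rule shows why the later comments disagree about risk: whatever stays in the "local" set remains reachable from the client's LAN side while the tunnel is up.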


    Author Comment

    The problem is that the remote machine is the property of a customer, and he doesn't want to use split-tunneling for security reasons, so I must use a virtual machine.
    LVL 32

    Accepted Solution

    Adding another NIC wouldn't solve your problem. What I don't understand is how security is compromised by enabling split-tunneling. In fact, by not enabling it, he is letting all your traffic go through him (even internet).

    LVL 11

    Assisted Solution

    The way in which a split tunnel can allow compromise:

    Let's draw a small example.

    Corp Network ---VPN Concentrator ---- VPN Client ----PC ----Evil Hacker

    You can be compromised in some fashion by an internet-based control mechanism. Then in turn you connect to the VPN. With split tunnelling enabled, the Evil Hacker still has access to your machine, but now also has access to the VPN network.

    Without split tunnelling, as soon as the tunnel comes up, access for the Evil Hacker drops and your machine is then covered under the security mechanisms of the Corp Network.

    A simplistic example.
    LVL 32

    Expert Comment


    This would be a specific attack where the attacker is in need of data from the other network. 70% of attacks are just destructive, where you inject and then the job relies on what you have injected. In such cases, whether you enable split tunneling or not doesn't really matter. Take a virus, take a worm, or even take a backdoor itself. In steps:

    1. First attack the VPN Client.
    2. Second get that into the Corp. Network through the connection.
    3. Then he can get the data directly from the Corp. Network (he doesn't have to wait for the data to come back to the VPN Client and then go back to him).

    Also note that we are not talking about a 'home user'; the author is trying to connect to the remote server from his 'Corporate Network'. Adequate security measures are a responsibility, and I'm sure you'll agree we have to have two visions: a 'home user' and a 'corp user'.

    And finally, absolute security cannot be achieved, but we can keep pursuing it.
