Cisco VPN and LAN/Internet access

I use Cisco VPN client to connect to a remote system from my corporate LAN.
My PC has Windows XP SP2.

The Cisco server blocks access to my LAN and the internet, so I use a virtual machine dedicated only to the VPN; that way I can access the LAN and internet from my physical PC and the VPN from the virtual machine.

Since I spend more time using the VPN, I'd like to invert the situation and have the VPN on the physical PC and LAN/internet access on the virtual machine. I know this isn't possible as-is, but my question is this: if I add a second NIC, is it possible to use one NIC dedicated to the VPN from the physical PC, and the other NIC dedicated to LAN and internet access from the virtual machine?
If so, is there any particular configuration to set?

2 Solutions
First of all, there is an easy way to solve this before going for virtual machines/NICs. What do you connect to using the Cisco VPN Client? A PIX or a Concentrator?

On the other end, they should configure something called 'split-tunneling'. What this does is: only the traffic intended for the VPN is encrypted and routed to the other end, and all your local traffic flows as normal.

So I would suggest you talk to the person at the other end to configure this; it will make your life a lot easier. All it takes is to add an entry with an access-list as below:

access-list <ACL_Name> permit ip <Remote Network> <Remote Mask> <Your Network> <Your Mask>
vpngroup <VPNGROUP> split-tunnel <ACL_Name>

The above is for a PIX firewall.
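Added example, not code from the answer above or from Cisco: a small Python model of what the PIX split-tunnel ACL does to the client's traffic. It parses configuration in the shape quoted above and classifies destinations as going through the tunnel or staying local; the ACL name, group name and all addresses are constructed.

```python
"""Model of PIX split-tunnel behaviour: which destinations are sent through
the VPN tunnel and which stay on the local LAN/Internet.
Added illustration, not Cisco code; ACL and address values are constructed."""
import ipaddress

# Constructed sample in the configuration shape quoted in the answer.
PIX_CONFIG = """
access-list split_acl permit ip 10.20.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list split_acl permit ip 172.16.5.0 255.255.255.0 192.168.1.0 255.255.255.0
vpngroup remote_users split-tunnel split_acl
"""


def parse_split_tunnel(config):
    """Return the networks the referenced split-tunnel ACL sends into the tunnel,
    or None when no 'vpngroup ... split-tunnel' line is present (tunnel-all)."""
    acls = {}
    split_acl = None
    for line in config.splitlines():
        parts = line.split()
        if len(parts) == 8 and parts[0] == "access-list" and parts[2:4] == ["permit", "ip"]:
            # First network/mask pair is the remote (protected) side.
            net = ipaddress.IPv4Network(f"{parts[4]}/{parts[5]}")
            acls.setdefault(parts[1], []).append(net)
        elif len(parts) == 4 and parts[0] == "vpngroup" and parts[2] == "split-tunnel":
            split_acl = parts[3]
    return acls.get(split_acl, []) if split_acl else None


def route_for(dst, tunnel_nets):
    """'tunnel' if dst matches the split ACL, otherwise 'local'.
    With tunnel_nets None (no split tunneling) everything goes into the tunnel,
    which is why LAN and Internet become unreachable while the VPN is up."""
    if tunnel_nets is None:
        return "tunnel"
    addr = ipaddress.IPv4Address(dst)
    return "tunnel" if any(addr in n for n in tunnel_nets) else "local"


if __name__ == "__main__":
    nets = parse_split_tunnel(PIX_CONFIG)
    for d in ("10.20.3.4", "172.16.5.9", "192.168.1.10", "203.0.113.7"):
        print(f"{d:14} split: {route_for(d, nets):6} tunnel-all: {route_for(d, None)}")
```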

claud_io (Author) commented:
The problem is that the remote machine is the property of a customer, and he doesn't want to use split-tunneling for security reasons... so I must use a virtual machine...
Adding another NIC wouldn't solve your problem. What I don't understand is how security is compromised by enabling split-tunneling. In fact, by not enabling it, he is letting all your traffic go through him (even Internet).

The way in which a split tunnel can allow compromise:

Let's draw a small example.

Corp Network --- VPN Concentrator --- VPN Client --- PC --- Evil Hacker

You can be compromised in some fashion by an internet-based control mechanism. Then in turn you connect to the VPN. With split tunnelling enabled, the Evil Hacker still has access to your machine, but now also has access to the VPN network.

Without split tunneling, as soon as the tunnel comes up, access for the Evil Hacker drops and the machine is then covered by the security mechanisms of the Corp Network.

Simplistic example.

This would be a specific attack wherein the attacker is in need of data from the other network. 70% of attacks are just destructive, wherein you inject and then the job relies on what you injected. In such cases, whether you enable split tunneling or not doesn't really matter. Take a virus, take a worm, or even take a backdoor itself. In steps:

1. First attack the VPN Client.
2. Second get that into the Corp. Network through the connection.
3. Then he can get the data directly from the Corp. Network (he doesn't have to wait for the data to come back to the VPN Client and then go back to him).

Also, note that we are not talking about a 'home user'; the author is trying to connect to the remote server from his 'Corporate Network'. Adequate security measures are a responsibility, and I'm sure you'll agree we have to have two visions: a 'home user' and a 'corp user'.

And finally, absolute security cannot be achieved, but we can keep pursuing it.
