Solved

No Internet Access through VPN

Posted on 2006-06-17
5,948 Views
Last Modified: 2010-08-05
Firstly let me start by describing what I have:

I am running a Windows Server 2003 machine as a VPN server using RRAS (no special encryption, just a standard PPTP connection). Between this and the internet I have a Cisco 2600 series router which routes all non-local packets to my Cisco PIX 515 firewall. The firewall has the necessary configuration to permit the VPN and the router is configured to bounce packets properly - this is evident because internal clients can browse the web and do other stuff on-line. I am also running a Windows 2000 server that is part of the same domain with ISA 2000 Server running as a proxy to facilitate authenticated access to the internet for my internal clients.

I have a Windows XP SP2 machine at home which has a VPN client installed on it. When I fire up the VPN it connects perfectly and I can ping/browse the servers on the remote location without any problems. The RRAS server allocates the Windows XP VPN client an IP address which seems to work fine until the point where I try to get out onto the internet through the VPN connection. Regardless of whether I try to use the proxy server address to get out or just leave it blank I just get no kind of internet access at all. Does anyone have any experience of this or have any suggestions?
Question by:Steve Gould

15 Comments

LVL 77
Assisted Solution
by:Rob Williams
Rob Williams earned 200 total points
The VPN client intentionally blocks local traffic to your local network and the Internet. This is a security feature to protect the corporate network from your local network. You can disable this but be aware it is a security feature. To do so go to:
control panel | network connections | right click on the VPN virtual adapter | networking | TCP/IP - properties | advanced | General | un-check "Use default gateway on remote network"
LVL 6
Expert Comment
by:Booda2us
Hi Steve, I believe the problem you are having is that the IP address you are trying to connect to the Internet with is an internal IP that can't be seen by the rest of the Internet. To connect to the internet you'll need to configure your router to forward incoming requests to your PC. I'm not sure if the Cisco 2600 will allow this. Here are a couple of links for more info:
www.csrc.nist.gov/pcig/CHECKLISTS/cisco-router-checklist-procedure-guide-for-network-checkli.pdf
www.cisco.com/en/US/products/hw/routers/ps259/index.html
Hope this helps...Booda2us
LVL 6
Expert Comment
by:Booda2us
Steve - Have you tried configuring the ISA router and 2000 Server to set you up as an internal client?...Booda2us
LVL 23
Expert Comment
by:Erik Bjers
Your VPN client needs to use the gateway for your network to access the internet through the VPN.

What is happening is your network adapter on your computer has a gateway assigned to it and all traffic to the internet is being sent to that gateway, but the VPN client is preventing that (normal and should not be changed). What you need to do is set the VPN client to use the remote gateway when the VPN is connected; this is configured in different ways on different clients. Once you have the VPN client set to use the remote gateway you will be able to access the internet through the office network when connected to the VPN, and through your ISP's gateway when not connected to the VPN.

eb

LVL 3
Author Comment
by:Steve Gould
Thanks for the prompt input.

Robwill:

I suppose that is a workable solution but I was looking to use the ISA 2000 proxy server on my remote network to actually filter and log traffic for my VPN clients rather than just offer them a local breakout to the web and other internet based services. Incidentally, the ISA server runs as a proxy for my internal clients without any issues at all. The VPN client can see the proxy server and ping it but when I enter the proxy details in IE on the VPN client, there is no web access.

Booda2us:

Good idea, but my PIX 515 is already set to use NAT for my local network. So all clients that have direct rules on the PIX can get out to the Internet through a default IP address or if they try to use the ISA Proxy they get out with the Internet address that has been assigned to that. As I said above, the access works fine for internal clients on my LAN and as far as IP configurations go the only difference I can see from the IP config on a local client to the IP config on the VPN client is that the default gateway is set to the local machine rather than the 2600 router (which is the core router on my network). I'm guessing the VPN client has its own IP as the default gateway so that it can forward packets on the remote network in order to use the remote local gateway.

ebjers:

I see what you are saying here, but in the VPN client config on my remote machine I cannot see a way to manually configure the gateway IP address. As I said above, when I run 'ipconfig /all' on the VPN client, the default gateway is set as the local IP - I'd like to change it to the 2600 router's address but the config doesn't seem to have the ability to alter this setting. I'm guessing it gets that information from the RRAS.
LVL 6
Expert Comment
by:Booda2us
Steve, have you disabled DHCP on your home machine? Booda2us
LVL 3
Author Comment
by:Steve Gould
Booda2us:

My home machine has the DHCP service running but it requires that in order to get a local IP from my Linksys ADSL gateway that I'm using to get out onto the internet. I have looked at the VPN connection properties and have tried disabling the DHCP allocated address and putting a static address in that is within the acceptable range of my remote network. I have also allocated DNS servers as they should be. When the connection tries to initialise it tells me that the address has been rejected. Following this I tried different addresses from different parts of the range and still the same result. As I said previously, the site to site connection works fine... I can browse web servers at the remote site without an issue (Windows SharePoint and Outlook Web Access); it's just when it tries to break out of the remote network to get onto the internet. I've been trying to establish whether this is a traffic routing issue or a software issue (ISA server), I'm just drawing a blank at the moment.
LVL 79
Expert Comment
by:lrmoore
Take a look at 3 IP subnets and see if there is any overlap:
1 - your home lan subnet - probably 192.168.1.x
2 - the IP subnet that your vpn client gets assigned
3 - the IP subnet of the corporate LAN

You have big problems if both the corporate LAN and your home LAN are the same IP subnet range.

If not, what VPN client are you using? Are you using the VPN capabilities of the PIX FW and connecting using the Cisco VPN client? Or the Microsoft PPTP client? Or are you connecting "through" the firewall directly to an RRAS Windows server?

You -DSL--- Internet ----2600--PIX--RRAS---LAN
                                                                 \
                                                                Proxy

Is the above accurate?
How many NICs in the RRAS server? Is this its only function?

LVL 3
Author Comment
by:Steve Gould
lrmoore:

I'm afraid the three subnets are all the same IP range - 192.168.1.x. Basically, I have the RRAS server looking at the LAN's DHCP server (running from a Cisco switch stack) and allocating IPs to the VPN clients from there. When I do 'ipconfig /all' on my home client, it looks like this...

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : WAG54GX2
        Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet NIC
        Physical Address. . . . . . . . . :
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.100
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 212.104.130.9
                                            212.104.130.65
        Lease Obtained. . . . . . . . . . : 18 June 2006 11:35:25
        Lease Expires . . . . . . . . . . : 19 June 2006 11:35:25

PPP adapter VPN:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        Physical Address. . . . . . . . . :
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.1.107
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 192.168.1.107
        DNS Servers . . . . . . . . . . . : 192.168.1.13
                                            192.168.1.15
        Primary WINS Server . . . . . . . : 192.168.1.15

I am using the standard VPN client that comes bundled with Windows XP, nothing special about it - just a standard configuration. I have ports open on the PIX to allow my static IP from home to establish the VPN connection directly with the RRAS server.

Your diagram should read: me --> DSL --> Internet --> PIX --> 2600 --> RRAS --> LAN --> Proxy

The RRAS has one NIC and yes, this is its only function.
LVL 79
Expert Comment
by:lrmoore
Well, the issue is that your home LAN and the remote LAN are the same 192.168.1.x IP subnet. Easier to change your home network to something else than it is to change all of the office servers/stuff.
Suggest using something in the higher, less-used range like 192.168.250.x for your home LAN.

You have NO CHOICE but to change one of them.
You will have the same problem with all of your other VPN users if they also have 192.168.1.x at home.
Never, ever, ever use 192.168.0.0, 192.168.1.0, 10.0.0.0, 10.10.10.0 at any office/company where you intend to have remote users VPN in. Those are the 4 most-used private IP subnets for all home users, hotels, motels, etc, and you will always have access problems.

LVL 23
Expert Comment
by:Erik Bjers
If you are using the VPN client that comes with XP do this:

1) Go to the Control Panel
    If classic view go to Network Connections
    If category view go to Network and Internet Connections then Network Connections

2) Right click your VPN connection and go to Properties

3) On the Networking tab select Internet Protocol (TCP/IP) and click Properties

4) Click the advanced button

5) Make sure 'Use default gateway on remote network' is checked

6) Click OK to close all the windows


Also, as lrmoore stated, change the subnet of your home network to something like 192.168.178.x; both networks should not have the same IP subnets.

eb
LVL 3
Author Comment
by:Steve Gould
lrmoore:

Ok good suggestion. I have changed the IP on my Linksys ADSL router which also acts as my home DHCP server. This in turn changed my home PC's IP to something in the 192.168.250.x range as suggested. However, when I establish the VPN connection I get exactly the same results as I did when my range was 192.168.1.x.

'ipconfig /all' reads:

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : WAG54GX2
        Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet NIC
        Physical Address. . . . . . . . . :
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.250.100
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.250.1
        DHCP Server . . . . . . . . . . . : 192.168.250.1
        DNS Servers . . . . . . . . . . . : 212.104.130.9
                                            212.104.130.65
        Lease Obtained. . . . . . . . . . : 18 June 2006 15:45:16
        Lease Expires . . . . . . . . . . : 19 June 2006 15:45:16

PPP adapter VPN:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        Physical Address. . . . . . . . . :
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.1.132
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 192.168.1.132
        DNS Servers . . . . . . . . . . . : 192.168.1.13
                                            192.168.1.15

I can see where you were going with this solution and it is something to bear in mind for the future when I deploy this solution to my remote workers, but as far as this internet access problem goes, it's a non-starter.

ebjers:

Made sure that is checked, thanks - still failing though.
LVL 23
Accepted Solution
by:Erik Bjers
Erik Bjers earned 300 total points
OK, try unchecking it (I haven't used the Windows VPN client in a long time so can't remember what you need to do).

The IP settings you are getting are correct:

The first set (192.168.250.x) is your local NIC connected to your router and getting its IP from there.

The second set (192.168.1.x) is your VPN connection and getting its IP from your VPN server's DHCP.

You also need to check the routes on the VPN server; again I haven't used Windows VPN in a long time so I can't give you too many details without my book (about 300 miles north of my current location).

eb
LVL 3
Author Comment
by:Steve Gould
ebjers:

I unchecked the 'Use default gateway on remote network' check box and that did allow me to break out to the internet while I was connected to the VPN. However, I specifically wanted to use the proxy server (in the office) for gaining web access and the like because it afforded me a greater degree of control and monitoring over what people were doing on-line - VPN client or not. If my time runs out then I will have to roll the solution out like this but if at all possible I would like to figure out why it can't seem to gain access through the VPN connection.

This may help: I have been altering the configuration of my PIX 515 to try and establish if the problem is related to routing within the firewall. At one point I added a defined host as the internal IP address allocated to the VPN client and then allowed that IP to break out to the internet through the firewall via TCP/UDP/ICMP and IP. This did work (as I could browse the net without unchecking the 'Use default gateway on remote network' check box on the VPN client), although I'm not entirely sure it was using the proxy server to facilitate the connection - I was just going straight out onto the net through the firewall at the remote site.
LVL 23
Expert Comment
by:Erik Bjers
OK, I believe you have to configure IE to use a proxy server, unless your proxy is the only path to the internet. I know if you want the VPN clients to access the internet through your network you need to have routes in your RRAS settings to allow this. I think unchecking the 'Use default gateway on remote network...' is allowing you to connect to the internet using your local internet connection and not the one on your office network.

If I remember correctly the PIX can be used as a VPN server and you can get a VPN client for it from Cisco (may be free since you have the PIX). You may want to try this config (VPN to the PIX, then into your network). This is how I do it (but I use a Cisco concentrator for more power) and I can access the internet through my corporate network when connected to the VPN. Also this is a more secure VPN solution. I can't tell you how to configure the PIX for VPN, but I'm sure someone here can.

eb
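As an added worked example (not code from anyone in this thread), the following Python models the two points discussed above: lrmoore's warning that a home LAN on the same 192.168.1.x subnet as the office collides with the tunnel's routes, and ebjers' point that the 'Use default gateway on remote network' box decides whether Internet-bound traffic leaves through the tunnel or through the home ISP. The client routing table is a constructed approximation (the metrics, and leaving out the classful remote-network route Windows may add, are assumptions); the addresses come from the ipconfig output in the thread.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    interface: str  # "LAN" = home NIC, "PPP" = the VPN virtual adapter
    metric: int


def lookup(table, dst):
    """Longest-prefix match; the lowest metric breaks ties (the rule Windows
    and most IP stacks apply). Returns the winning Route, or None."""
    dst = ipaddress.IPv4Address(dst)
    matches = [r for r in table if dst in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.prefix.prefixlen, -r.metric))


def client_routes(home_net, vpn_ip, use_remote_default_gw):
    """Constructed approximation of the XP client's table (assumed, not a
    'route print' from the thread): the home LAN and a default route via the
    home router, a /32 for the PPP address and, only when 'Use default gateway
    on remote network' is ticked, a lower-metric default route into the tunnel."""
    any_net = ipaddress.IPv4Network("0.0.0.0/0")
    table = [
        Route(ipaddress.IPv4Network(home_net), "LAN", 20),
        Route(any_net, "LAN", 20),
        Route(ipaddress.IPv4Network(f"{vpn_ip}/32"), "PPP", 1),
    ]
    if use_remote_default_gw:
        table.append(Route(any_net, "PPP", 1))
    return table


def egress(home_net, vpn_ip, dst, use_remote_default_gw=True):
    """Which interface a packet to dst leaves the home PC on."""
    r = lookup(client_routes(home_net, vpn_ip, use_remote_default_gw), dst)
    return r.interface if r else None


def subnets_overlap(a, b):
    """lrmoore's check: do the home and office subnets collide?"""
    return ipaddress.IPv4Network(a).overlaps(ipaddress.IPv4Network(b))


if __name__ == "__main__":
    office = "192.168.1.0/24"
    # 192.168.1.13 is the office DNS server, 212.104.130.9 the home ISP's DNS.
    for home, vpn_ip in (("192.168.1.0/24", "192.168.1.107"),
                         ("192.168.250.0/24", "192.168.1.132")):
        print(home, "overlaps office:", subnets_overlap(home, office))
        for dst in ("192.168.1.13", "212.104.130.9"):
            print("  ", dst, "->", egress(home, vpn_ip, dst))
```

With the overlapping home subnet, a packet for the office DNS server matches the home LAN /24 and never enters the tunnel; after renumbering to 192.168.250.x it follows the tunnel default route when the box is ticked and the home ISP's default route when it is not.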