Cisco VPN - Cannot Surf the Web at Home While VPN is Connected

I cannot surf the internet or see my home network while I am connected with Cisco VPN.  Is there a way around this?  

Thanks in advance.

Yves Accad (Network Security Engineer) Commented:
On the PIX add this:

access-list split permit ip localLANipaddress subnetmask vpnpoolipaddress subnetmask

Then add this to the vpngroup:

vpngroup YourVPNGroup split-tunnel split
This is normal behavior for VPN. This is a method of securing the VPN network from where you are connecting. You need to talk to your administrator to allow split tunneling. They may not allow this for security purposes.
buckstaff (Author) Commented:
I am the administrator. LOL. We had a company come in to install the Cisco PIX 501, because I do not have my Cisco certs (yet). Is this something I can do by connecting to the router?
buckstaff (Author) Commented:
Is that the EXACT command I need to use on the PIX? Just making sure. I will give it a try.

Also on the client, there is an option to change to allow split tunneling, but this "can" be forced down from the PIX, but might want to check.
Yves Accad (Network Security Engineer) Commented:
Yes it is, but obviously you need to replace localLANipaddress with the network address on the PIX LAN and vpnpoolipaddress with the vpnpool you are using.


access-list split permit ip

You can find out what the vpnpool subnet used is by looking at the config under:

ip local pool

If you need more details you can post a sanitized version of your config, and I can give you more precise instructions.
buckstaff (Author) Commented:
Would this command work?

vpngroup buckstaffuser split-tunnel nonat
Yves Accad (Network Security Engineer) Commented:
Yes, this will work, because most probably if you already have an access-list nonat it would be defining the correct set of IPs, which are the ones that define the VPN tunnel.
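
An added example (not part of the thread and not Cisco tooling): a Python check that reads a sanitized PIX 6.x-style config and reports, per vpngroup, which local networks its split-tunnel access-list sends through the tunnel, which is worth confirming before reusing an ACL such as nonat. The sample config, group names and addresses are constructed, and `audit_split_tunnel` is a hypothetical helper name.

```python
import ipaddress

# Constructed, sanitized PIX 6.x-style config; names and addresses are made up.
SAMPLE_CONFIG = """\
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list wide permit ip any 192.168.50.0 255.255.255.0
ip local pool vpnpool 192.168.50.1-192.168.50.254
nat (inside) 0 access-list nonat
vpngroup staff address-pool vpnpool
vpngroup staff split-tunnel nonat
vpngroup contractors address-pool vpnpool
vpngroup contractors split-tunnel wide
vpngroup legacy address-pool vpnpool
"""

def _source_net(tokens):
    """Parse the source spec of an ACL entry: 'any', 'host A' or 'A MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32")
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)

def audit_split_tunnel(config):
    """Hypothetical helper: map each vpngroup to (status, tunneled local networks)."""
    acls, groups = {}, {}
    for line in config.splitlines():
        t = line.split()
        if len(t) >= 5 and t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            try:
                acls.setdefault(t[1], []).append(_source_net(t[4:]))
            except (IndexError, ValueError):
                continue  # truncated or malformed entry: skip it
        elif len(t) >= 3 and t[0] == "vpngroup":
            groups.setdefault(t[1], None)
            if t[2] == "split-tunnel" and len(t) >= 4:
                groups[t[1]] = t[3]
    report = {}
    for group, acl in groups.items():
        nets = acls.get(acl, [])
        if acl is None:
            status = "full-tunnel"       # no split-tunnel line: everything is tunneled
        elif not nets:
            status = "missing-acl"       # split-tunnel names an ACL with no usable entries
        elif any(n.prefixlen == 0 for n in nets):
            status = "acl-matches-any"   # source 'any' sends all client traffic into the tunnel
        else:
            status = "split"
        report[group] = (status, [str(n) for n in nets])
    return report
```

Run it against a sanitized copy of the running config; a group reported as `split` should list only the PIX LAN network as its tunneled source.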
