Cisco VPN - Cannot Surf the Web at Home While VPN is Connected

Last Modified: 2013-11-16
I cannot surf the internet or see my home network while I am connected with Cisco VPN.  Is there a way around this?  

Thanks in advance.

TJ
This is normal behavior for VPN. This is a method of securing the VPN network from the place you are connecting from. You need to talk to your administrator to allow split tunneling. They may not allow this for security purposes.

Author

Commented:
I am the administrator. LOL. We had a company come in to install the Cisco PIX 501, because I do not have my Cisco certs (yet). Is this something I can do by connecting to the router?
Network Security Engineer
CERTIFIED EXPERT
Commented:
On the PIX, add this:

access-list split permit ip localLANipaddress subnetmask vpnpoolipaddress subnetmask

Then add this to the vpngroup:

vpngroup YourVPNGroup split-tunnel split

Author

Commented:
Is that the EXACT command I need to use on the PIX? Just making sure. I will give it a try.

Thanks

Commented:
Also, on the client there is an option to change to allow split tunneling, but this "can" be forced down from the PIX, so you might want to check.
Yves Accad, Network Security Engineer
CERTIFIED EXPERT

Commented:
Yes, it is, but obviously you need to replace localLANipaddress with the network address on the PIX LAN and vpnpoolipaddress with the vpnpool you are using.

IE:

access-list split permit ip 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0

You can find out which vpnpool subnet is used by looking at the config under:

ip local pool

If you need more details, you can post a sanitized version of your config, and I can give you more precise instructions.

Author

Commented:
Would this command work?

vpngroup buckstaffuser split-tunnel nonat
Yves Accad, Network Security Engineer
CERTIFIED EXPERT

Commented:
Yes, this will work, because most probably, if you already have an access-list nonat, it would be defining the correct set of IPs, which are the ones that define the VPN tunnel.
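
One way to check that assumption before reusing an existing ACL such as nonat for split tunneling, as an added example that is not part of the original thread: the script below reads a PIX config and flags every entry in a vpngroup's split-tunnel ACL whose destination does not cover that group's ip local pool. The sample config, the group name examplegroup, the pool name vpnpool and the 172.16.5.0 entry are constructed for illustration, and only network/mask ACL entries are parsed.

```python
import ipaddress
import re

# Constructed sample config (assumed names and addresses, not from the thread).
SAMPLE_CONFIG = """\
access-list nonat permit ip 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat permit ip 192.168.10.0 255.255.255.0 172.16.5.0 255.255.255.0
access-list split permit ip 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0
ip local pool vpnpool 10.10.10.1-10.10.10.254
vpngroup examplegroup address-pool vpnpool
vpngroup examplegroup split-tunnel nonat
"""
NET = r"([\d.]+) ([\d.]+)"  # "address mask" pair; any/host forms are skipped
ACL_RE = re.compile(rf"^access-list (\S+) permit ip {NET} {NET}$")
POOL_RE = re.compile(r"^ip local pool (\S+) ([\d.]+)-([\d.]+)")
GROUP_RE = re.compile(r"^vpngroup (\S+) (address-pool|split-tunnel) (\S+)$")

def parse(config):
    """Collect ACL entries, address pools and vpngroup settings by name."""
    acls, pools, groups = {}, {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            src = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
            dst = ipaddress.ip_network(f"{m[4]}/{m[5]}", strict=False)
            acls.setdefault(m[1], []).append((src, dst))
        elif m := POOL_RE.match(line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := GROUP_RE.match(line):
            groups.setdefault(m[1], {})[m[2]] = m[3]
    return acls, pools, groups

def audit_split_tunnel(config):
    """Return (group, acl, src, dst) for split-tunnel entries not aimed at the pool."""
    acls, pools, groups = parse(config)
    findings = []
    for group, opts in groups.items():
        acl, pool = opts.get("split-tunnel"), opts.get("address-pool")
        if acl is None or pool not in pools:
            continue
        first, last = pools[pool]
        for src, dst in acls.get(acl, []):
            if not (first in dst and last in dst):  # destination misses the pool
                findings.append((group, acl, str(src), str(dst)))
    return findings

if __name__ == "__main__":
    print(audit_split_tunnel(SAMPLE_CONFIG))
```

A non-empty result means the reused ACL carries entries for something other than the VPN client pool, in which case a dedicated split ACL is the narrower choice.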
