Solved

Accessing internet whilst connected to VPN

Posted on 2006-11-18
5
567 Views
Last Modified: 2008-02-01
Hi

I occasionally connect to my office network via a MS PPTP VPN connection configured on my laptop. The connection is to our Cisco PIX 506e which is configured to accept VPN connection from certain users.

PIX config below

Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted
passwd ***** encrypted
hostname fwlon
domain-name domain.co.uk
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name y.241 mail_outside
name 192.168.1.9 srvroom
name 192.168.1.8 inbound_SMTP
name x.242 HQPIX
name 172.168.0.0 HQ
name y.240 LondonPIX
name 192.168.1.11 DC
name 192.168.1.1 mailserv
name 192.168.1.3 notes
name 192.168.1.4 fileserv
name z.174 Supplier1
name 192.168.10.0 VPN_Pool10
object-group service DNS tcp-udp
  description DNS
  port-object eq domain
object-group service LANGlobal tcp
  group-object DNS
  port-object eq ftp
  port-object eq pop3
  port-object eq domain
  port-object eq www
  port-object eq https
object-group service test udp
  group-object DNS
  port-object eq dnsix
  port-object eq nameserver
  port-object eq domain
access-list outside_access_in remark Allow Mail to SMTP Gateway
access-list outside_access_in remark
access-list outside_access_in permit tcp any host mail_outside eq smtp
access-list outside_access_in remark Allow IPsec Traffic - isakmp
access-list outside_access_in permit udp host HQPIX host y.243 eq isakmp
access-list outside_access_in remark Allow IPsec Traffic - ah
access-list outside_access_in permit ah host HQPIX host y.243
access-list outside_access_in remark Allow IPsec Traffic - esp
access-list outside_access_in permit esp host HQPIX host y.243
access-list outside_access_in remark LANGlobal Service Group Inbound Access
access-list outside_access_in permit tcp any object-group LANGlobal y.0 255.255.255.0 object-group LANGlobal
access-list outside_access_in remark Web Access
access-list outside_access_in permit tcp any host y.242 eq www
access-list outside_access_in remark Deny Port 1434
access-list outside_access_in remark
access-list outside_access_in deny udp any eq 1434 any
access-list outside_access_in remark Allow ICMP
access-list outside_access_in remark
access-list outside_access_in permit icmp any any
access-list outside_access_in remark Deny everything else
access-list outside_access_in deny tcp any any
access-list outside_access_in remark Block everything to come in.
access-list inside_access_in remark Allow IP traffic
access-list inside_access_in permit ip any any
access-list inside_access_in remark Deny UDP Port 1434 Out
access-list inside_access_in deny udp any eq 1434 any
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 HQ 255.255.252.0
access-list inside_outbound_nat0_acl remark NO NAT PPTP
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 VPN_Pool10 255.255.255.0
access-list outside_cryptomap_20 remark HQ VPN
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 HQ 255.255.252.0
pager lines 24
logging on
logging timestamp
logging trap informational
logging host inside 192.168.1.7
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside y.243 255.255.255.240
ip address inside 192.168.1.5 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN_Pool10 192.168.10.1-192.168.10.5
pdm location mail_outside 255.255.255.255 outside
pdm location 192.168.1.192 255.255.255.224 outside
pdm location srvroom 255.255.255.255 inside
pdm location inbound_SMTP 255.255.255.255 inside
pdm location notes 255.255.255.255 inside
pdm location HQ 255.255.252.0 outside
pdm location LondonPIX 255.255.255.255 outside
pdm location HQPIX 255.255.255.255 outside
pdm location LondonPIX 255.255.255.255 inside
pdm location HQ 255.255.0.0 outside
pdm location mailserv 255.255.255.255 inside
pdm location DC 255.255.255.255 inside
pdm location fileserv 255.255.255.255 inside
pdm location 192.168.1.2 255.255.255.255 inside
pdm location 192.168.1.7 255.255.255.255 inside
pdm location Supplier1 255.255.255.255 outside
pdm location VPN_Pool10 255.255.255.0 outside
pdm location 192.168.1.14 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) mail_outside inbound_SMTP netmask 255.255.255.255 0 0
static (inside,outside) y.242 192.168.1.14 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 y.254 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http srvroom 255.255.255.255 inside
http notes 255.255.255.255 inside
http mailserv 255.255.255.255 inside
http DC 255.255.255.255 inside
http fileserv 255.255.255.255 inside
http 192.168.1.7 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer HQPIX
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address HQPIX netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet srvroom 255.255.255.255 inside
telnet mailserv 255.255.255.255 inside
telnet fileserv 255.255.255.255 inside
telnet 192.168.1.7 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 10
vpdn group VPN2 accept dialin pptp
vpdn group VPN2 ppp authentication mschap
vpdn group VPN2 ppp encryption mppe 128 required
vpdn group VPN2 client configuration address local VPN_Pool10
vpdn group VPN2 client configuration dns fileserv DC
vpdn group VPN2 client configuration wins mailserv
vpdn group VPN2 pptp echo 60
vpdn group VPN2 client authentication local
vpdn username HQ_User1 password *********
vpdn username London_User1 password *********
vpdn username London_User2 password *********
vpdn enable outside
dhcprelay server DC inside
dhcprelay enable outside
dhcprelay setroute outside
username User3 password ** encrypted privilege 15
username User4 password ** encrypted privilege 15
username User5 password ** encrypted privilege 15
terminal width 80
banner exec Authorised access only
banner exec This system is the property of MyCompany
banner exec Disconnect IMMEDIATELY if you are not an authorised user !
banner exec Contact *** for help.
banner exec User Access Verification
banner login Welcome
Cryptochecksum:f739ffe940683c93b8db43026b426496
: end
[OK]

On the client side, the security settings are set to typical and 'require encryption (disconnect if none)'. Under networking, 'negotiate multi-link for single-link connections' is unchecked. The laptop is running Windows XP, fully patched.

Everything seems to work fine, except I cannot browse the internet on my laptop when connected via the VPN. This would be useful, so I was wondering if this was possible? It certainly is with some other Firewalls.

Thanks in advance.

0
Comment
Question by:Dilan77
5 Comments
 
LVL 57

Accepted Solution

by:
giltjr earned 500 total points
ID: 17971725
Technically it is possible.  However, this means that your laptop could be used as a router between the Internet and your internal network.  This is exactly how MS network was broken into a couple of years ago.


I will assume that you want to access the Internet directly from your laptop and not through the VPN tunnel.  To do this you need to alter the settings on your laptop.  By defualt most VPN connections are setup so that your computers default route gets changed to use the VPN.  Most VPN's are setup so that your can't access the Internet through them as this doubles the amount traffic over the Internet connection where the VPN sever resided.  So you need to alter your laptops settings so that it does not use the VPN connection as the default route.  How you do this will depend on what VPN client you use.
0
 
LVL 5

Expert Comment

by:jeffkell
ID: 17971790
I'm not a guru on XP's built-in VPN, but manage lots of connections using the Cisco VPN client to a PIX.  If nothing else, you can certainly do this using Cisco's VPN client.

There are two "exceptional" cases of traffic when you use a VPN connection.  In the most strict and controlled environment, once the tunnel is up, ALL of your traffic goes through the tunnel, and access to any local subnets is firewalled.  This prevents any traffic from intentionally or otherwise crossing between the tunnel that does not originate with the cleint.

In a less restrictive manner, local LAN access is permitted, so you can at least access your local subnet.  

What you are after is called "split-tunneling".  With a split tunnel, the client establishes the tunnel connection, and you specify at the PIX which internal subnets can be reached via VPN.  These subnets (and only these subnets) are communicated back to the client during tunnel establishment and are inserted into your routing table.  Any traffic destined for those subnets goes over the tunnel, but your "default route" remains unchanged, so you can access the internet from the client the same as you would if the tunnel wasn't even there.

The final piece of the puzzle is "split-DNS".  Normally, when the tunnel is established, the PIX will supply you with one or more DNS servers that are checked before your "usual DNS" servers.  This allows you to resolve names which may exist on the other end of the VPN, but are not part of the regular DNS space, or to resolve names which do to their internal IP addresses rather than their public ones.  In "split-DNS" you can specify a list of domains which are to be looked up via the VPN-supplied DNS, but only those domains.

These are largely functions of the VPN client side (although they are 'assisted' by the PIX).  I don't know if they can be done with the XP builtin, but you can certainly do them with the Cisco client.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17971803
As others have suggested, this is not a good idea, but with the Windows PPTP client you should be able to make the change, as outlined by giltjr. With the Cisco client split tunneling has to be made on the Cisco router.

There is a security feature in the VPN client that blocks local connections, including local Internet access, to protect the office/remote network. You can disable this if you wish. To do so on the client/connecting PC, go to:
control panel | network connections | right click on the VPN/Virtual adapter and choose properties | Networking | TCP/IP -properties | Advanced | General | un-check  "Use default gateway on remote network"

Again I strongly recomend against this.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17971903
>MS PPTP VPN connection configured on my laptop.
Easy enough to bypass as Rob demonstrates above by simply un-checking Use Default gateway on remote network in the Microsoft VPN Dialer properties. However, given the below information in your PIX config:
ip address inside 192.168.1.5 255.255.255.0
ip local pool VPN_Pool10 192.168.10.1-192.168.10.5

Since you are using two different class C network subnets for inside and for VPN clients (as it should be), then if you un-check the option in the MS client, you will not be able to access anything on the inside of the PIX. You can see this from "C:\>route print" However, Microsoft plays nice (not secure, but nice) and let's the user overcome this by simply adding a route statement.
First, use IPCONFIG to see what IP address you get from the pool. Then, make some manual route changes in a DOS prompt:
C:\>route delete 0.0.0.0 mask 0.0.0.0
C:\>route add 0.0.0.0 mask 0.0.0.0 192.168.100.1 <== my local LAN gateway
C:\>route add 192.168.10.0 mask 255.255.255.0 192.168.10.2  <== my VPN client IP

Again, the ability for any user on their home network to simply manipulate the split-tunneling behavior, and to manipulate the routing tables is a HUGE security issue when using Microsoft PPTP VPN Dialer client.

0
 
LVL 2

Author Comment

by:Dilan77
ID: 17975963
Thanks Guys, think I'll leave it as is ;)
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

Suggested Solutions

Imagine you have a shopping list of items you need to get at the grocery store. You have two options: A. Take one trip to the grocery store and get everything you need for the week, or B. Take multiple trips, buying an item at a time, to achieve t…
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now