Dilan77
asked on
Accessing internet whilst connected to VPN
Hi
I occasionally connect to my office network via a MS PPTP VPN connection configured on my laptop. The connection is to our Cisco PIX 506e which is configured to accept VPN connection from certain users.
PIX config below
Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted
passwd ***** encrypted
hostname fwlon
domain-name domain.co.uk
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name y.241 mail_outside
name 192.168.1.9 srvroom
name 192.168.1.8 inbound_SMTP
name x.242 HQPIX
name 172.168.0.0 HQ
name y.240 LondonPIX
name 192.168.1.11 DC
name 192.168.1.1 mailserv
name 192.168.1.3 notes
name 192.168.1.4 fileserv
name z.174 Supplier1
name 192.168.10.0 VPN_Pool10
object-group service DNS tcp-udp
description DNS
port-object eq domain
object-group service LANGlobal tcp
group-object DNS
port-object eq ftp
port-object eq pop3
port-object eq domain
port-object eq www
port-object eq https
object-group service test udp
group-object DNS
port-object eq dnsix
port-object eq nameserver
port-object eq domain
access-list outside_access_in remark Allow Mail to SMTP Gateway
access-list outside_access_in remark
access-list outside_access_in permit tcp any host mail_outside eq smtp
access-list outside_access_in remark Allow IPsec Traffic - isakmp
access-list outside_access_in permit udp host HQPIX host y.243 eq isakmp
access-list outside_access_in remark Allow IPsec Traffic - ah
access-list outside_access_in permit ah host HQPIX host y.243
access-list outside_access_in remark Allow IPsec Traffic - esp
access-list outside_access_in permit esp host HQPIX host y.243
access-list outside_access_in remark LANGlobal Service Group Inbound Access
access-list outside_access_in permit tcp any object-group LANGlobal y.0 255.255.255.0 object-group LANGlobal
access-list outside_access_in remark Web Access
access-list outside_access_in permit tcp any host y.242 eq www
access-list outside_access_in remark Deny Port 1434
access-list outside_access_in remark
access-list outside_access_in deny udp any eq 1434 any
access-list outside_access_in remark Allow ICMP
access-list outside_access_in remark
access-list outside_access_in permit icmp any any
access-list outside_access_in remark Deny everything else
access-list outside_access_in deny tcp any any
access-list outside_access_in remark Block everything to come in.
access-list inside_access_in remark Allow IP traffic
access-list inside_access_in permit ip any any
access-list inside_access_in remark Deny UDP Port 1434 Out
access-list inside_access_in deny udp any eq 1434 any
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 HQ 255.255.252.0
access-list inside_outbound_nat0_acl remark NO NAT PPTP
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 VPN_Pool10 255.255.255.0
access-list outside_cryptomap_20 remark HQ VPN
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 HQ 255.255.252.0
pager lines 24
logging on
logging timestamp
logging trap informational
logging host inside 192.168.1.7
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside y.243 255.255.255.240
ip address inside 192.168.1.5 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN_Pool10 192.168.10.1-192.168.10.5
pdm location mail_outside 255.255.255.255 outside
pdm location 192.168.1.192 255.255.255.224 outside
pdm location srvroom 255.255.255.255 inside
pdm location inbound_SMTP 255.255.255.255 inside
pdm location notes 255.255.255.255 inside
pdm location HQ 255.255.252.0 outside
pdm location LondonPIX 255.255.255.255 outside
pdm location HQPIX 255.255.255.255 outside
pdm location LondonPIX 255.255.255.255 inside
pdm location HQ 255.255.0.0 outside
pdm location mailserv 255.255.255.255 inside
pdm location DC 255.255.255.255 inside
pdm location fileserv 255.255.255.255 inside
pdm location 192.168.1.2 255.255.255.255 inside
pdm location 192.168.1.7 255.255.255.255 inside
pdm location Supplier1 255.255.255.255 outside
pdm location VPN_Pool10 255.255.255.0 outside
pdm location 192.168.1.14 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) mail_outside inbound_SMTP netmask 255.255.255.255 0 0
static (inside,outside) y.242 192.168.1.14 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 y.254 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http srvroom 255.255.255.255 inside
http notes 255.255.255.255 inside
http mailserv 255.255.255.255 inside
http DC 255.255.255.255 inside
http fileserv 255.255.255.255 inside
http 192.168.1.7 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer HQPIX
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address HQPIX netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet srvroom 255.255.255.255 inside
telnet mailserv 255.255.255.255 inside
telnet fileserv 255.255.255.255 inside
telnet 192.168.1.7 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 10
vpdn group VPN2 accept dialin pptp
vpdn group VPN2 ppp authentication mschap
vpdn group VPN2 ppp encryption mppe 128 required
vpdn group VPN2 client configuration address local VPN_Pool10
vpdn group VPN2 client configuration dns fileserv DC
vpdn group VPN2 client configuration wins mailserv
vpdn group VPN2 pptp echo 60
vpdn group VPN2 client authentication local
vpdn username HQ_User1 password *********
vpdn username London_User1 password *********
vpdn username London_User2 password *********
vpdn enable outside
dhcprelay server DC inside
dhcprelay enable outside
dhcprelay setroute outside
username User3 password ** encrypted privilege 15
username User4 password ** encrypted privilege 15
username User5 password ** encrypted privilege 15
terminal width 80
banner exec Authorised access only
banner exec This system is the property of MyCompany
banner exec Disconnect IMMEDIATELY if you are not an authorised user !
banner exec Contact *** for help.
banner exec User Access Verification
banner login Welcome
Cryptochecksum:f739ffe9406
: end
[OK]
On the client side, the security settings are set to typical and 'require encryption (disconnect if none)'. Under networking, 'negotiate multi-link for single-link connections' is unchecked. The laptop is running Windows XP, fully patched.
Everything seems to work fine, except I cannot browse the internet on my laptop when connected via the VPN. This would be useful, so I was wondering if this was possible? It certainly is with some other Firewalls.
Thanks in advance.
I occasionally connect to my office network via a MS PPTP VPN connection configured on my laptop. The connection is to our Cisco PIX 506e which is configured to accept VPN connection from certain users.
PIX config below
Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted
passwd ***** encrypted
hostname fwlon
domain-name domain.co.uk
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name y.241 mail_outside
name 192.168.1.9 srvroom
name 192.168.1.8 inbound_SMTP
name x.242 HQPIX
name 172.168.0.0 HQ
name y.240 LondonPIX
name 192.168.1.11 DC
name 192.168.1.1 mailserv
name 192.168.1.3 notes
name 192.168.1.4 fileserv
name z.174 Supplier1
name 192.168.10.0 VPN_Pool10
object-group service DNS tcp-udp
description DNS
port-object eq domain
object-group service LANGlobal tcp
group-object DNS
port-object eq ftp
port-object eq pop3
port-object eq domain
port-object eq www
port-object eq https
object-group service test udp
group-object DNS
port-object eq dnsix
port-object eq nameserver
port-object eq domain
access-list outside_access_in remark Allow Mail to SMTP Gateway
access-list outside_access_in remark
access-list outside_access_in permit tcp any host mail_outside eq smtp
access-list outside_access_in remark Allow IPsec Traffic - isakmp
access-list outside_access_in permit udp host HQPIX host y.243 eq isakmp
access-list outside_access_in remark Allow IPsec Traffic - ah
access-list outside_access_in permit ah host HQPIX host y.243
access-list outside_access_in remark Allow IPsec Traffic - esp
access-list outside_access_in permit esp host HQPIX host y.243
access-list outside_access_in remark LANGlobal Service Group Inbound Access
access-list outside_access_in permit tcp any object-group LANGlobal y.0 255.255.255.0 object-group LANGlobal
access-list outside_access_in remark Web Access
access-list outside_access_in permit tcp any host y.242 eq www
access-list outside_access_in remark Deny Port 1434
access-list outside_access_in remark
access-list outside_access_in deny udp any eq 1434 any
access-list outside_access_in remark Allow ICMP
access-list outside_access_in remark
access-list outside_access_in permit icmp any any
access-list outside_access_in remark Deny everything else
access-list outside_access_in deny tcp any any
access-list outside_access_in remark Block everything to come in.
access-list inside_access_in remark Allow IP traffic
access-list inside_access_in permit ip any any
access-list inside_access_in remark Deny UDP Port 1434 Out
access-list inside_access_in deny udp any eq 1434 any
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 HQ 255.255.252.0
access-list inside_outbound_nat0_acl remark NO NAT PPTP
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 VPN_Pool10 255.255.255.0
access-list outside_cryptomap_20 remark HQ VPN
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 HQ 255.255.252.0
pager lines 24
logging on
logging timestamp
logging trap informational
logging host inside 192.168.1.7
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside y.243 255.255.255.240
ip address inside 192.168.1.5 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN_Pool10 192.168.10.1-192.168.10.5
pdm location mail_outside 255.255.255.255 outside
pdm location 192.168.1.192 255.255.255.224 outside
pdm location srvroom 255.255.255.255 inside
pdm location inbound_SMTP 255.255.255.255 inside
pdm location notes 255.255.255.255 inside
pdm location HQ 255.255.252.0 outside
pdm location LondonPIX 255.255.255.255 outside
pdm location HQPIX 255.255.255.255 outside
pdm location LondonPIX 255.255.255.255 inside
pdm location HQ 255.255.0.0 outside
pdm location mailserv 255.255.255.255 inside
pdm location DC 255.255.255.255 inside
pdm location fileserv 255.255.255.255 inside
pdm location 192.168.1.2 255.255.255.255 inside
pdm location 192.168.1.7 255.255.255.255 inside
pdm location Supplier1 255.255.255.255 outside
pdm location VPN_Pool10 255.255.255.0 outside
pdm location 192.168.1.14 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) mail_outside inbound_SMTP netmask 255.255.255.255 0 0
static (inside,outside) y.242 192.168.1.14 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 y.254 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http srvroom 255.255.255.255 inside
http notes 255.255.255.255 inside
http mailserv 255.255.255.255 inside
http DC 255.255.255.255 inside
http fileserv 255.255.255.255 inside
http 192.168.1.7 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer HQPIX
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address HQPIX netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet srvroom 255.255.255.255 inside
telnet mailserv 255.255.255.255 inside
telnet fileserv 255.255.255.255 inside
telnet 192.168.1.7 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 10
vpdn group VPN2 accept dialin pptp
vpdn group VPN2 ppp authentication mschap
vpdn group VPN2 ppp encryption mppe 128 required
vpdn group VPN2 client configuration address local VPN_Pool10
vpdn group VPN2 client configuration dns fileserv DC
vpdn group VPN2 client configuration wins mailserv
vpdn group VPN2 pptp echo 60
vpdn group VPN2 client authentication local
vpdn username HQ_User1 password *********
vpdn username London_User1 password *********
vpdn username London_User2 password *********
vpdn enable outside
dhcprelay server DC inside
dhcprelay enable outside
dhcprelay setroute outside
username User3 password ** encrypted privilege 15
username User4 password ** encrypted privilege 15
username User5 password ** encrypted privilege 15
terminal width 80
banner exec Authorised access only
banner exec This system is the property of MyCompany
banner exec Disconnect IMMEDIATELY if you are not an authorised user !
banner exec Contact *** for help.
banner exec User Access Verification
banner login Welcome
Cryptochecksum:f739ffe9406
: end
[OK]
On the client side, the security settings are set to typical and 'require encryption (disconnect if none)'. Under networking, 'negotiate multi-link for single-link connections' is unchecked. The laptop is running Windows XP, fully patched.
Everything seems to work fine, except I cannot browse the internet on my laptop when connected via the VPN. This would be useful, so I was wondering if this was possible? It certainly is with some other Firewalls.
Thanks in advance.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
As others have suggested, this is not a good idea, but with the Windows PPTP client you should be able to make the change, as outlined by giltjr. With the Cisco client split tunneling has to be made on the Cisco router.
There is a security feature in the VPN client that blocks local connections, including local Internet access, to protect the office/remote network. You can disable this if you wish. To do so on the client/connecting PC, go to:
control panel | network connections | right click on the VPN/Virtual adapter and choose properties | Networking | TCP/IP -properties | Advanced | General | un-check "Use default gateway on remote network"
Again I strongly recomend against this.
There is a security feature in the VPN client that blocks local connections, including local Internet access, to protect the office/remote network. You can disable this if you wish. To do so on the client/connecting PC, go to:
control panel | network connections | right click on the VPN/Virtual adapter and choose properties | Networking | TCP/IP -properties | Advanced | General | un-check "Use default gateway on remote network"
Again I strongly recomend against this.
>MS PPTP VPN connection configured on my laptop.
Easy enough to bypass as Rob demonstrates above by simply un-checking Use Default gateway on remote network in the Microsoft VPN Dialer properties. However, given the below information in your PIX config:
ip address inside 192.168.1.5 255.255.255.0
ip local pool VPN_Pool10 192.168.10.1-192.168.10.5
Since you are using two different class C network subnets for inside and for VPN clients (as it should be), then if you un-check the option in the MS client, you will not be able to access anything on the inside of the PIX. You can see this from "C:\>route print" However, Microsoft plays nice (not secure, but nice) and let's the user overcome this by simply adding a route statement.
First, use IPCONFIG to see what IP address you get from the pool. Then, make some manual route changes in a DOS prompt:
C:\>route delete 0.0.0.0 mask 0.0.0.0
C:\>route add 0.0.0.0 mask 0.0.0.0 192.168.100.1 <== my local LAN gateway
C:\>route add 192.168.10.0 mask 255.255.255.0 192.168.10.2 <== my VPN client IP
Again, the ability for any user on their home network to simply manipulate the split-tunneling behavior, and to manipulate the routing tables is a HUGE security issue when using Microsoft PPTP VPN Dialer client.
Easy enough to bypass as Rob demonstrates above by simply un-checking Use Default gateway on remote network in the Microsoft VPN Dialer properties. However, given the below information in your PIX config:
ip address inside 192.168.1.5 255.255.255.0
ip local pool VPN_Pool10 192.168.10.1-192.168.10.5
Since you are using two different class C network subnets for inside and for VPN clients (as it should be), then if you un-check the option in the MS client, you will not be able to access anything on the inside of the PIX. You can see this from "C:\>route print" However, Microsoft plays nice (not secure, but nice) and let's the user overcome this by simply adding a route statement.
First, use IPCONFIG to see what IP address you get from the pool. Then, make some manual route changes in a DOS prompt:
C:\>route delete 0.0.0.0 mask 0.0.0.0
C:\>route add 0.0.0.0 mask 0.0.0.0 192.168.100.1 <== my local LAN gateway
C:\>route add 192.168.10.0 mask 255.255.255.0 192.168.10.2 <== my VPN client IP
Again, the ability for any user on their home network to simply manipulate the split-tunneling behavior, and to manipulate the routing tables is a HUGE security issue when using Microsoft PPTP VPN Dialer client.
ASKER
Thanks Guys, think I'll leave it as is ;)
There are two "exceptional" cases of traffic when you use a VPN connection. In the most strict and controlled environment, once the tunnel is up, ALL of your traffic goes through the tunnel, and access to any local subnets is firewalled. This prevents any traffic from intentionally or otherwise crossing between the tunnel that does not originate with the cleint.
In a less restrictive manner, local LAN access is permitted, so you can at least access your local subnet.
What you are after is called "split-tunneling". With a split tunnel, the client establishes the tunnel connection, and you specify at the PIX which internal subnets can be reached via VPN. These subnets (and only these subnets) are communicated back to the client during tunnel establishment and are inserted into your routing table. Any traffic destined for those subnets goes over the tunnel, but your "default route" remains unchanged, so you can access the internet from the client the same as you would if the tunnel wasn't even there.
The final piece of the puzzle is "split-DNS". Normally, when the tunnel is established, the PIX will supply you with one or more DNS servers that are checked before your "usual DNS" servers. This allows you to resolve names which may exist on the other end of the VPN, but are not part of the regular DNS space, or to resolve names which do to their internal IP addresses rather than their public ones. In "split-DNS" you can specify a list of domains which are to be looked up via the VPN-supplied DNS, but only those domains.
These are largely functions of the VPN client side (although they are 'assisted' by the PIX). I don't know if they can be done with the XP builtin, but you can certainly do them with the Cisco client.