Accessing internet whilst connected to VPN


I occasionally connect to my office network via a MS PPTP VPN connection configured on my laptop. The connection is to our Cisco PIX 506e which is configured to accept VPN connection from certain users.

PIX config below

Building configuration...
: Saved
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted
passwd ***** encrypted
hostname fwlon
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
name y.241 mail_outside
name srvroom
name inbound_SMTP
name x.242 HQPIX
name HQ
name y.240 LondonPIX
name DC
name mailserv
name notes
name fileserv
name z.174 Supplier1
name VPN_Pool10
object-group service DNS tcp-udp
  description DNS
  port-object eq domain
object-group service LANGlobal tcp
  group-object DNS
  port-object eq ftp
  port-object eq pop3
  port-object eq domain
  port-object eq www
  port-object eq https
object-group service test udp
  group-object DNS
  port-object eq dnsix
  port-object eq nameserver
  port-object eq domain
access-list outside_access_in remark Allow Mail to SMTP Gateway
access-list outside_access_in remark
access-list outside_access_in permit tcp any host mail_outside eq smtp
access-list outside_access_in remark Allow IPsec Traffic - isakmp
access-list outside_access_in permit udp host HQPIX host y.243 eq isakmp
access-list outside_access_in remark Allow IPsec Traffic - ah
access-list outside_access_in permit ah host HQPIX host y.243
access-list outside_access_in remark Allow IPsec Traffic - esp
access-list outside_access_in permit esp host HQPIX host y.243
access-list outside_access_in remark LANGlobal Service Group Inbound Access
access-list outside_access_in permit tcp any object-group LANGlobal y.0 object-group LANGlobal
access-list outside_access_in remark Web Access
access-list outside_access_in permit tcp any host y.242 eq www
access-list outside_access_in remark Deny Port 1434
access-list outside_access_in remark
access-list outside_access_in deny udp any eq 1434 any
access-list outside_access_in remark Allow ICMP
access-list outside_access_in remark
access-list outside_access_in permit icmp any any
access-list outside_access_in remark Deny everything else
access-list outside_access_in deny tcp any any
access-list outside_access_in remark Block everything to come in.
access-list inside_access_in remark Allow IP traffic
access-list inside_access_in permit ip any any
access-list inside_access_in remark Deny UDP Port 1434 Out
access-list inside_access_in deny udp any eq 1434 any
access-list inside_outbound_nat0_acl permit ip HQ
access-list inside_outbound_nat0_acl remark NO NAT PPTP
access-list inside_outbound_nat0_acl permit ip VPN_Pool10
access-list outside_cryptomap_20 remark HQ VPN
access-list outside_cryptomap_20 permit ip HQ
pager lines 24
logging on
logging timestamp
logging trap informational
logging host inside
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside y.243
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN_Pool10
pdm location mail_outside outside
pdm location outside
pdm location srvroom inside
pdm location inbound_SMTP inside
pdm location notes inside
pdm location HQ outside
pdm location LondonPIX outside
pdm location HQPIX outside
pdm location LondonPIX inside
pdm location HQ outside
pdm location mailserv inside
pdm location DC inside
pdm location fileserv inside
pdm location inside
pdm location inside
pdm location Supplier1 outside
pdm location VPN_Pool10 outside
pdm location inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0 0
static (inside,outside) mail_outside inbound_SMTP netmask 0 0
static (inside,outside) y.242 netmask 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside y.254 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http srvroom inside
http notes inside
http mailserv inside
http DC inside
http fileserv inside
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer HQPIX
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address HQPIX netmask no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet srvroom inside
telnet mailserv inside
telnet fileserv inside
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 10
vpdn group VPN2 accept dialin pptp
vpdn group VPN2 ppp authentication mschap
vpdn group VPN2 ppp encryption mppe 128 required
vpdn group VPN2 client configuration address local VPN_Pool10
vpdn group VPN2 client configuration dns fileserv DC
vpdn group VPN2 client configuration wins mailserv
vpdn group VPN2 pptp echo 60
vpdn group VPN2 client authentication local
vpdn username HQ_User1 password *********
vpdn username London_User1 password *********
vpdn username London_User2 password *********
vpdn enable outside
dhcprelay server DC inside
dhcprelay enable outside
dhcprelay setroute outside
username User3 password ** encrypted privilege 15
username User4 password ** encrypted privilege 15
username User5 password ** encrypted privilege 15
terminal width 80
banner exec Authorised access only
banner exec This system is the property of MyCompany
banner exec Disconnect IMMEDIATELY if you are not an authorised user !
banner exec Contact *** for help.
banner exec User Access Verification
banner login Welcome
: end

On the client side, the security settings are set to typical and 'require encryption (disconnect if none)'. Under networking, 'negotiate multi-link for single-link connections' is unchecked. The laptop is running Windows XP, fully patched.

Everything seems to work fine, except I cannot browse the internet on my laptop when connected via the VPN. This would be useful, so I was wondering if this was possible? It certainly is with some other Firewalls.

Thanks in advance.


giltjr Commented:
Technically it is possible.  However, this means that your laptop could be used as a router between the Internet and your internal network.  This is exactly how MS network was broken into a couple of years ago.

I will assume that you want to access the Internet directly from your laptop and not through the VPN tunnel.  To do this you need to alter the settings on your laptop.  By default most VPN connections are set up so that your computer's default route gets changed to use the VPN.  Most VPNs are set up so that you can't access the Internet through them, as this doubles the amount of traffic over the Internet connection where the VPN server resides.  So you need to alter your laptop's settings so that it does not use the VPN connection as the default route.  How you do this will depend on what VPN client you use.
I'm not a guru on XP's built-in VPN, but manage lots of connections using the Cisco VPN client to a PIX.  If nothing else, you can certainly do this using Cisco's VPN client.

There are two "exceptional" cases of traffic when you use a VPN connection.  In the most strict and controlled environment, once the tunnel is up, ALL of your traffic goes through the tunnel, and access to any local subnets is firewalled.  This prevents any traffic that does not originate with the client from crossing the tunnel, intentionally or otherwise.

In a less restrictive manner, local LAN access is permitted, so you can at least access your local subnet.  

What you are after is called "split-tunneling".  With a split tunnel, the client establishes the tunnel connection, and you specify at the PIX which internal subnets can be reached via VPN.  These subnets (and only these subnets) are communicated back to the client during tunnel establishment and are inserted into your routing table.  Any traffic destined for those subnets goes over the tunnel, but your "default route" remains unchanged, so you can access the internet from the client the same as you would if the tunnel wasn't even there.

The final piece of the puzzle is "split-DNS".  Normally, when the tunnel is established, the PIX will supply you with one or more DNS servers that are checked before your "usual DNS" servers.  This allows you to resolve names which may exist on the other end of the VPN but are not part of the regular DNS space, or to resolve names which do exist to their internal IP addresses rather than their public ones.  In "split-DNS" you can specify a list of domains which are to be looked up via the VPN-supplied DNS, but only those domains.

These are largely functions of the VPN client side (although they are 'assisted' by the PIX).  I don't know if they can be done with the XP builtin, but you can certainly do them with the Cisco client.
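
The PIX-side half of what giltjr describes, as an added example rather than configuration from the thread or from the poster's firewall: split tunneling and split DNS for the Cisco VPN client on PIX 6.3. It reuses the VPN_Pool10 pool, the outside_map crypto map, the LOCAL aaa-server and the existing inside_outbound_nat0_acl entry for the pool from the posted config; the group name vpnclients, the ACL split_tunnel_acl, the dynamic map dynmap, the transform set ESP-3DES-SHA, the inside subnet 192.168.1.0/24, the DNS server 192.168.1.10 and the domain mycompany.local are assumptions. Only the subnet in split_tunnel_acl is pushed to the client as a tunnel route, so the client keeps its own default gateway for everything else.

```cisco
: Added example, not from the thread. Split tunnel + split DNS for the Cisco
: VPN client on PIX 6.3. Assumed names: vpnclients, split_tunnel_acl, dynmap,
: ESP-3DES-SHA, 192.168.1.0/24 (inside), 192.168.1.10 (DNS), mycompany.local.
: VPN_Pool10, outside_map, LOCAL and the nat 0 entry for the pool are already
: in the posted config.
:
: Only this subnet is routed into the tunnel; the client keeps its own
: default gateway for everything else (the "split").
access-list split_tunnel_acl permit ip 192.168.1.0 255.255.255.0 any
:
: Stronger than the DES/MD5 transform set used for the HQ site-to-site tunnel.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set ESP-3DES-SHA
: Dynamic entry goes after the static HQ entry (sequence 20) in the same map.
crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
: XAUTH against the local user database (the "username ..." lines).
crypto map outside_map client authentication LOCAL
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
:
: Group attributes pushed to the client at tunnel setup: pool, DNS,
: split-tunnel ACL and the single domain resolved via the VPN DNS.
vpngroup vpnclients address-pool VPN_Pool10
vpngroup vpnclients dns-server 192.168.1.10
vpngroup vpnclients default-domain mycompany.local
vpngroup vpnclients split-tunnel split_tunnel_acl
vpngroup vpnclients split-dns mycompany.local
vpngroup vpnclients idle-time 1800
vpngroup vpnclients password ********
```

After connecting, the Cisco client's statistics window (or `route print`) shows only 192.168.1.0/24 via the tunnel and the original default route untouched. The caveat giltjr opens with still applies: a split-tunnel client is a host on both networks at once, so it should not be used without a client firewall that blocks inbound connections on the non-tunnel interface.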
Rob Williams Commented:
As others have suggested, this is not a good idea, but with the Windows PPTP client you should be able to make the change, as outlined by giltjr. With the Cisco client, split tunneling has to be configured on the Cisco router.

There is a security feature in the VPN client that blocks local connections, including local Internet access, to protect the office/remote network. You can disable this if you wish. To do so on the client/connecting PC, go to:
control panel | network connections | right click on the VPN/Virtual adapter and choose properties | Networking | TCP/IP -properties | Advanced | General | un-check  "Use default gateway on remote network"

Again I strongly recommend against this.
> MS PPTP VPN connection configured on my laptop.
Easy enough to bypass as Rob demonstrates above by simply un-checking Use Default gateway on remote network in the Microsoft VPN Dialer properties. However, given the below information in your PIX config:
ip address inside
ip local pool VPN_Pool10

Since you are using two different class C network subnets for inside and for VPN clients (as it should be), if you un-check the option in the MS client you will not be able to access anything on the inside of the PIX. You can see this from "C:\>route print". However, Microsoft plays nice (not secure, but nice) and lets the user overcome this by simply adding a route statement.
First, use IPCONFIG to see what IP address you get from the pool. Then, make some manual route changes in a DOS prompt:
C:\>route delete mask
C:\>route add mask <== my local LAN gateway
C:\>route add mask  <== my VPN client IP

Again, the ability for any user on their home network to simply manipulate the split-tunneling behavior, and to manipulate the routing tables is a HUGE security issue when using Microsoft PPTP VPN Dialer client.
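
Rob's checkbox and the route changes above leave the laptop in one of three routing states: full tunnel (box checked, default route via the PPP adapter), split with no route to the office subnet (box unchecked, nothing added, which is the "cannot reach anything inside" state described above), and split with a manual route to the office subnet. The following is an added example, not code from the thread, that classifies a client's state from pasted `route print` output; the route tables, the pool address 10.10.10.5, the office subnet 192.168.1.0/24 and the home LAN 192.168.0.0/24 with gateway 192.168.0.1 are constructed for the example.

```python
"""Classify a Windows VPN client's routing state from `route print` output.

Added example for this thread, not code from the original page. Parses the
XP-era "Active Routes" table and reports full-tunnel, split-tunnel (office
subnet reachable via the VPN adapter) or split-no-inside-route (box
unchecked, no route added). All tables and addresses below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# One "Active Routes" row: destination, netmask, gateway, interface, metric.
ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    interface: ipaddress.IPv4Address
    metric: int


def parse_routes(text):
    """Return the route rows found in `route print` output, in order."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue  # headers, interface list, "Default Gateway:" line
        dest, mask, gw, iface, metric = m.groups()
        routes.append(Route(
            ipaddress.IPv4Network(f"{dest}/{mask}", strict=False),
            ipaddress.IPv4Address(gw),
            ipaddress.IPv4Address(iface),
            int(metric),
        ))
    return routes


def classify(route_print_text, vpn_ip, inside_net):
    """vpn_ip: address handed out from the PIX pool (from ipconfig).
    inside_net: the office subnet behind the PIX.
    Returns 'full-tunnel', 'split-tunnel', 'split-no-inside-route' or
    'no-default-route'."""
    vpn_ip = ipaddress.IPv4Address(vpn_ip)
    inside_net = ipaddress.IPv4Network(inside_net)
    routes = parse_routes(route_print_text)
    defaults = [r for r in routes if r.network.prefixlen == 0]
    if not defaults:
        return "no-default-route"
    best = min(defaults, key=lambda r: r.metric)  # Windows picks lowest metric
    if best.interface == vpn_ip:
        return "full-tunnel"
    inside_via_vpn = any(
        r.interface == vpn_ip and inside_net.subnet_of(r.network)
        for r in routes
    )
    return "split-tunnel" if inside_via_vpn else "split-no-inside-route"


# Constructed sample tables (home LAN 192.168.0.0/24, pool address 10.10.10.5).
VPN_IP = "10.10.10.5"
INSIDE_NET = "192.168.1.0/24"

# "Use default gateway on remote network" checked: second 0.0.0.0 route,
# metric 1, via the PPP adapter.
FULL_TUNNEL = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.10       21
          0.0.0.0          0.0.0.0       10.10.10.5      10.10.10.5        1
       10.10.10.5  255.255.255.255        127.0.0.1       127.0.0.1       50
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1        1
      192.168.0.0    255.255.255.0     192.168.0.10    192.168.0.10       20
Default Gateway:        10.10.10.5
"""

# Box unchecked: only the classful 10.0.0.0/8 route points at the adapter,
# so the class C office subnet is unreachable.
SPLIT_NO_ROUTE = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.10       20
         10.0.0.0        255.0.0.0       10.10.10.5      10.10.10.5        1
       10.10.10.5  255.255.255.255        127.0.0.1       127.0.0.1       50
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1        1
      192.168.0.0    255.255.255.0     192.168.0.10    192.168.0.10       20
Default Gateway:       192.168.0.1
"""

# Box unchecked plus "route add 192.168.1.0 mask 255.255.255.0 10.10.10.5".
INSIDE_ROW = "      192.168.1.0    255.255.255.0       10.10.10.5      10.10.10.5        1"
SPLIT_WITH_ROUTE = SPLIT_NO_ROUTE.replace("Default Gateway:",
                                          INSIDE_ROW + "\nDefault Gateway:")

if __name__ == "__main__":
    for label, table in [("box checked", FULL_TUNNEL),
                         ("box unchecked", SPLIT_NO_ROUTE),
                         ("box unchecked + route add", SPLIT_WITH_ROUTE)]:
        print(f"{label}: {classify(table, VPN_IP, INSIDE_NET)}")
```

On a real client, paste the output of `route print` in place of the sample and pass the address ipconfig shows for the PPP adapter. A "split-tunnel" result is the state the thread warns about: the laptop is simultaneously routable from the home LAN and connected to the office, with nothing on the PIX able to tell.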

Dilan77 (Author) Commented:
Thanks Guys, think I'll leave it as is ;)