Asked by Neadom Tucker
Cisco VPN shuts down my internet connection.

Whenever I connect to my Cisco VPN I lose my internet connection. I have access to my network, but I lose my internet connection. This is actually an issue for my client, but I have replicated the issue at my office.

Here is what I have.

Cisco 506PIX
Cisco VPN Client
On the Client VPN I have Allow Local LAN Checked.

Once connected to the VPN it is like DNS is broken. I can ping the IP addresses of the servers but not the NetBIOS names.

Here is my Cisco Config.
PIX Version 6.3(5)
interface ethernet0 10baset
interface ethernet1 10baset
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password @@@@@@@@i encrypted
passwd %%%%%%%% encrypted
hostname @@@@@
domain-name @@@@@.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit ip 10.31.0.0 255.255.255.0 172.10.12.0 255.255.255.0
access-list 100 permit ip 10.31.0.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list 120 permit icmp any any echo-reply
access-list 120 permit icmp any any unreachable
access-list 120 permit icmp any any time-exceeded
access-list 120 permit tcp any host @@.@@.@@.@@1 eq smtp
access-list 120 permit tcp any host @@.@@.@@.@@2 eq pptp
access-list 120 permit gre any host @@.@@.@@.@@2
access-list 120 permit tcp any host @@.@@.@@.@@1 eq www
access-list 120 permit tcp @@.@@.@@.0 255.255.255.0 host @@.@@.@@.@@1 eq pop3
access-list 120 permit tcp @@.@@.@@.0 255.255.255.0 host @@.@@.@@.@@1 eq imap4
access-list 120 permit tcp any host @@.@@.@@.@@1 eq https
access-list @@@@@_splitTunnelAcl permit ip 10.31.0.0 255.255.255.0 any
access-list outside_cryptomap_dyn_20 permit ip any 172.16.0.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging buffered errors
logging trap warnings
logging host inside 10.31.0.3
mtu outside 1500
mtu inside 1500
ip address outside @@.@@.@@.@@3 255.255.255.248
ip address inside 10.31.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-pool 172.10.12.1-172.10.12.4
ip local pool IPSec-pool 172.10.12.5-172.10.12.9
ip local pool ippool 172.16.0.1-172.16.0.254
pdm location 172.10.12.0 255.255.255.0 outside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 1 @@.@@.@@.@@4
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) @@.@@.@@.@@1 10.31.0.3 netmask 255.255.255.255 0 0
static (inside,outside) @@.@@.@@.@@2 10.31.0.2 netmask 255.255.255.255 0 0
access-group 120 in interface outside
route outside 0.0.0.0 0.0.0.0 @@.@@.@@.@@5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 172.16.0.0 255.255.255.0 inside
http 10.31.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 100
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup @@@@@ address-pool ippool
vpngroup @@@@@ dns-server 10.31.0.3
vpngroup @@@@@ default-domain @@@@@@@.com
vpngroup @@@@@ split-tunnel @@@@_splitTunnelAcl
vpngroup @@@@@ idle-time 1800
vpngroup @@@@@ password ********
vpngroup &&& address-pool ippool
vpngroup &&& split-tunnel kayon_splitTunnelAcl
vpngroup &&& idle-time 1800
vpngroup &&& password ********
telnet 172.16.0.0 255.255.255.0 inside
telnet 10.31.0.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:$$$$$$$$$$$$$$$$$$$$$$$$$
: end
poweruser32

Yes, this is a very common VPN problem. It can be overcome by using split tunnelling on the PIX, which means that you can use your local gateway on your router to access the internet; however, it is meant to be a security risk, as it opens your company network to attacks if your internet connection is compromised.
ASKER CERTIFIED SOLUTION
Les Moore

Neadom Tucker (ASKER)

OK then, so how do I force the VPN to use the corporate internet?

lrmoore, is that what your solution does?

I think I would prefer that if they get connected to the VPN they use the office's internet to get out. I should still be able to use DNS names, correct? When connected I cannot ping the computer names. I can ping their IPs, just not their names.

If they are already connected to the internet at home, and just want to access the corp site for specific services, it would be better to just pass those services thru the VPN connection. That is the basis of split tunneling: only pass the traffic you need, and leave everything else local. If you add some parameters to the ACL for the split tunnel, it should not have a detrimental impact on the connections, and at the same time does not force additional traffic thru the tunnel, all while keeping your end users securely locked away from the network at an "arm's" distance. Below would allow RDP and telnet thru the tunnel, but leave everything else local on the user network.

access-list @@_splitTunnelAcl permit ip 10.31.0.0 255.255.255.0 172.10.12.0 255.255.255.0
access-list @@_splitTunnelAcl permit ip 10.31.0.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list @@_splitTunnelAcl permit tcp 172.10.12.0 255.255.255.0 10.31.0.0 255.255.255.0 eq 3389
access-list @@_splitTunnelAcl permit tcp 172.16.0.0 255.255.255.0 10.31.0.0 255.255.255.0 eq 3389
access-list @@_splitTunnelAcl permit tcp 172.10.12.0 255.255.255.0 10.31.0.0 255.255.255.0 eq telnet
access-list @@_splitTunnelAcl permit tcp 172.16.0.0 255.255.255.0 10.31.0.0 255.255.255.0 eq telnet
access-list @@_splitTunnelAcl deny ip 172.10.12.0 255.255.255.0 10.31.0.0 255.255.255.0
access-list @@_splitTunnelAcl deny ip 172.16.0.0 255.255.255.0 10.31.0.0 255.255.255.0
If you want users to use your Internet connection (and I'm not sure that you really want to), then you need to disable split-tunneling and set up "internet on a stick" as in this configuration example:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml

Having said that, I would recommend that if you want to control VPN users' internet access and force them through the same restrictions/policies that you have at work, then you might consider setting up a proxy server and force VPN users to use the internal proxy server.

Else, if you want split-tunneling to work better, enable split-dns also.

Are the 3389 (Terminal Services) and the telnet ports the ones needed for this to work, or are you just using those as an example? I need a different port open for an application, and I also need file shares and general network application stuff like that. I have my users connect to the Exchange Server using RPC or HTTPS. My concern is that sometimes these users are in house, and I have my DNS server with a Host (A) record pointing to my Exchange server so the RPC over HTTPS will work internally also.

Excuse the rambling, but I am just starting to get into the use of ACLs, and the whole concept of split tunnelling is Greek to me.

Thank you all so much in advance for your help!

Wow, totally new territory here.

Can you give me an example of the configuration you're talking about? I like tdiops' suggestion of keeping the users on their own internet connection and just routing the traffic that is needed through the corp VPN.

Thanks again!

My configuration exactly as I posted above will do just what you want with 2 lines of access-list for the split-tunnel ACL. I don't think you can be port specific with the split-tunneling.
You can restrict what VPN users can access in several other ways, including RADIUS authentication with downloadable ACLs or an ACL applied to the inside interface.
Keeping their normal Internet traffic on their own pipe keeps yours from being overloaded.

One more question on that. Does that open up my corporate network to anything?

Not really. The VPN Client has a built in firewall and it is pretty secure for most business use. If you are a regulated industry like financial, health care, etc, then you might re-consider. Otherwise, I'd say the risk is minimal as long as end users are constantly reminded about safe surfing and their responsibilities as good corporate citizens while connected through the VPN. You don't want them to map a drive through the VPN then share the contents through eMule or anything like that...

Sorry, this is for real the last question. Do I need to use a different ACL #? Or should I use the same?

You can use whatever you want. Name/number whatever. Just remember to re-apply to the VPNGroup.

What does that mean? Save it to memory?

You can name the access list or you can number the access list. i.e.

access-list @@_splitTunnelAcl permit ip xxxxxxxx

OR:
access-list 100 permit ip xxxxxxxxxx

But whatever you call it, be sure to change the vpn group to match:

vpngroup &&& split-tunnel @@_splitTunnelAcl
  OR:
vpngroup &&& split-tunnel 100
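As an added example that is not part of this thread, the following Python script (names assumed; the group name "corp" and the 10.32.0.0/24 network are constructed stand-ins for the masked values) reads the vpngroup and access-list lines of a PIX 6.3 config and reports which destinations a client sends through the tunnel, that only the source network of each split-tunnel entry counts regardless of port (the point lrmoore makes above), and whether the DNS server pushed to clients is itself reachable through the tunnel, which is what breaks name resolution in the original question.

```python
import ipaddress
import re
# Constructed sample modelled on the PIX 6.3 config in the question: the masked
# group name is replaced by "corp" and 10.32.0.0/24 is an invented second network.
SAMPLE_CONFIG = """
access-list corp_splitTunnelAcl permit ip 10.31.0.0 255.255.255.0 any
access-list corp_splitTunnelAcl permit tcp 10.32.0.0 255.255.255.0 172.16.0.0 255.255.255.0 eq 3389
vpngroup corp dns-server 10.31.0.3
vpngroup corp split-tunnel corp_splitTunnelAcl
""".strip().splitlines()

ACL_RE = re.compile(r"^access-list (\S+) permit \S+ (\S+) (\S+)")

def group_setting(config, group, key):
    """Value of 'vpngroup <group> <key> <value>', or None if absent."""
    prefix = f"vpngroup {group} {key} "
    return next((l[len(prefix):].strip() for l in config if l.startswith(prefix)), None)

def split_tunnel_networks(config, group):
    """Networks pushed to clients of `group` as secured routes. Only the source
    field of each permit entry counts: protocol and port are ignored, so the
    'tcp ... eq 3389' line still tunnels all of 10.32.0.0/24."""
    acl = group_setting(config, group, "split-tunnel")
    nets = []
    for m in filter(None, map(ACL_RE.match, config)):
        if m.group(1) != acl:
            continue
        src, mask = m.group(2), m.group(3)
        if src == "any":                     # 'any' as source means no split at all
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        elif src == "host":                  # 'host X' form: mask field holds the address
            nets.append(ipaddress.ip_network(f"{mask}/32"))
        else:
            nets.append(ipaddress.ip_network(f"{src}/{mask}", strict=False))
    return nets

def is_tunneled(dst, nets):
    """True if traffic to `dst` goes through the VPN, False if it stays local."""
    return any(ipaddress.ip_address(dst) in n for n in nets)

def check_group(config, group):
    """Checks worth running before relying on split tunnelling for `group`."""
    nets = split_tunnel_networks(config, group)
    dns = group_setting(config, group, "dns-server")
    return {
        "full_tunnel": any(n.prefixlen == 0 for n in nets),
        # the DNS server pushed to clients must itself be tunnelled or name lookups fail
        "dns_in_tunnel": dns is not None and is_tunneled(dns, nets),
    }
```

Run it against a real config by replacing SAMPLE_CONFIG with the output of `show run` and the group name with the one on your vpngroup lines; if "dns_in_tunnel" is False, the pushed DNS server cannot be reached and split-dns will not help.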