CISCO VPN Shuts down my internet connection.

Posted on 2007-10-04
Last Modified: 2011-10-03
Whenever I connect to my Cisco VPN I lose my internet connection.  I have access to my network but I lose my internet connection.  This is actually an issue for my client, but I have replicated the issue at my office.

Here is what I have.

Cisco 506PIX
Cisco VPN Client
On the Client VPN I have Allow Local LAN Checked.

Once connected to the VPN it is like DNS is broken.  I can ping the IP addresses of the servers but not the NetBIOS names.

Here is my Cisco Config.
PIX Version 6.3(5)
interface ethernet0 10baset
interface ethernet1 10baset
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password @@@@@@@@i encrypted
passwd %%%%%%%% encrypted
hostname @@@@@
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list 100 permit ip
access-list 100 permit ip
access-list 120 permit icmp any any echo-reply
access-list 120 permit icmp any any unreachable
access-list 120 permit icmp any any time-exceeded
access-list 120 permit tcp any host @@.@@.@@.@@1 eq smtp
access-list 120 permit tcp any host @@.@@.@@.@@2 eq pptp
access-list 120 permit gre any host @@.@@.@@.@@2
access-list 120 permit tcp any host @@.@@.@@.@@1 eq www
access-list 120 permit tcp @@.@@.@@.0 host @@.@@.@@.@@1 eq pop3
access-list 120 permit tcp @@.@@.@@.0 host @@.@@.@@.@@1 eq imap4
access-list 120 permit tcp any host @@.@@.@@.@@1 eq https
access-list @@@@@_splitTunnelAcl permit ip any
access-list outside_cryptomap_dyn_20 permit ip any
pager lines 24
logging on
logging timestamp
logging buffered errors
logging trap warnings
logging host inside
mtu outside 1500
mtu inside 1500
ip address outside @@.@@.@@.@@3
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-pool
ip local pool IPSec-pool
ip local pool ippool
pdm location outside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 1 @@.@@.@@.@@4
nat (inside) 0 access-list 100
nat (inside) 1 0 0
static (inside,outside) @@.@@.@@.@@1 netmask 0 0
static (inside,outside) @@.@@.@@.@@2 netmask 0 0
access-group 120 in interface outside
route outside @@.@@.@@.@@5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 100
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup @@@@@ address-pool ippool
vpngroup @@@@@ dns-server
vpngroup @@@@@ default-domain
vpngroup @@@@@ split-tunnel @@@@_splitTunnelAcl
vpngroup @@@@@ idle-time 1800
vpngroup @@@@@ password ********
vpngroup &&& address-pool ippool
vpngroup &&& split-tunnel kayon_splitTunnelAcl
vpngroup &&& idle-time 1800
vpngroup &&& password ********
telnet inside
telnet inside
telnet timeout 15
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
: end
Question by: Neadom Tucker
    LVL 16

    Expert Comment

    Yeah, this is a very common VPN problem. It can be overcome by using split tunnelling on the PIX, which means that you can use your local gateway on your router to access the internet. However, it is meant to be a security risk as it opens your company network to attacks if your internet is compromised.
    LVL 79

    Accepted Solution

    Take out the "any" here:
     access-list @@@@@_splitTunnelAcl permit ip any

    no access-list @@@@@_splitTunnelAcl permit ip any
    access-list @@_splitTunnelAcl permit ip
    access-list @@_splitTunnelAcl permit ip
    vpngroup @@@@@ split-tunnel @@@@_splitTunnelAcl

    For NetBIOS, you need a WINS server on the inside for VPN clients to use.
    LVL 6

    Author Comment

    by:Neadom Tucker
    OK then, so how do I force the VPN to use the corporate's internet?

    Irmoore, is that what your solution does?

    I think I would prefer that if they get connected to the VPN they use the office's internet to get out.  I should still be able to use DNS names, correct?  When connected I cannot ping the computer names.  I can ping their IPs, just not their names.
    LVL 2

    Expert Comment

    If they are already connected to the internet at home, and just want to access the corp site for specific services, it would be better to just pass those services through the VPN connection. That is the basis of split tunneling: only pass the traffic you need, and leave everything else local. If you add some parameters to the ACL for the split tunnel, it should not have a detrimental impact on the connections, and at the same time does not force additional traffic through the tunnel, all while keeping your end users securely locked away from the network at an "arm's" distance. Below would allow RDP and telnet through the tunnel, but leave everything else local on the user network.

    access-list @@_splitTunnelAcl permit ip
    access-list @@_splitTunnelAcl permit ip
    access-list @@_splitTunnelAcl permit tcp eq 3389
    access-list @@_splitTunnelAcl permit tcp eq 3389
    access-list @@_splitTunnelAcl permit tcp eq telnet
    access-list @@_splitTunnelAcl permit tcp eq telnet
    access-list @@_splitTunnelAcl deny ip
    access-list @@_splitTunnelAcl deny ip

    LVL 79

    Expert Comment

    If you want users to use your Internet connection (and I'm not sure that you really want to), then you need to disable split-tunneling and set up "internet on a stick" as in this configuration example:

    Having said that, I would recommend that if you want to control VPN users' internet access and force them through the same restrictions/policies that you have at work, then you might consider setting up a proxy server and force VPN users to use the internal proxy server.

    Else, if you want split-tunneling to work better, enable split-dns also.
    LVL 6

    Author Comment

    by:Neadom Tucker
    Are the 3389 (Terminal Services) and the telnet the ports needed for this to work, or are you just using those as an example?  I need a different port open for an application and I also need file shares and general network application stuff like that.  I have my users connect to the Exchange Server using RPC or HTTPS.  My concern is that sometimes these users are in house and I have my DNS server with a Host (A) record pointing to my Exchange server so the RPC over HTTPS will work internally also.

    Excuse the rambling, but I am just starting to get into the use of ACLs and the whole concept of split tunnelling is Greek to me.

    Thank you all so much in advance for your help!
    LVL 6

    Author Comment

    by:Neadom Tucker
    Wow totally new territory here.

    Can you give me an example of the configuration you're talking about?  I like tdiop's suggestion of keeping the users using their internet connection and just routing the traffic that is needed through the corp VPN.

    Thanks again!
    LVL 79

    Expert Comment

    My configuration exactly as I posted above will do just what you want, with 2 lines of access-list for the split-tunnel ACL. I don't think you can be port specific with the split-tunneling.
    You can restrict what VPN users can access in several other ways, including RADIUS authentication with downloadable ACLs or an ACL applied to the inside interface.
    Keeping their normal Internet traffic on their own pipe keeps yours from being overloaded.
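The accepted solution (remove the "any" from the split-tunnel ACL) and the comment above (two plain "permit ip" lines, no port-specific entries) describe what a sane PIX 6.3 split-tunnel ACL looks like. The following linter is an added example, not code from the thread or from Cisco: it parses a PIX-style config, follows each vpngroup's split-tunnel ACL, and flags entries that would tunnel all traffic or that use a port-specific protocol. The config excerpt and its addresses are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed PIX 6.3-style excerpt (not the thread's config; addresses are made up).
# "corp" shows the two problems discussed in the thread; "sales" shows the corrected form.
SAMPLE_CONFIG = """\
access-list corp_splitTunnelAcl permit ip any 10.10.10.0 255.255.255.0
access-list corp_splitTunnelAcl permit tcp 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0 eq 3389
access-list sales_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list sales_splitTunnelAcl permit ip 192.168.2.0 255.255.255.0 10.10.10.0 255.255.255.0
vpngroup corp split-tunnel corp_splitTunnelAcl
vpngroup sales split-tunnel sales_splitTunnelAcl
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.*)$")
VPNGROUP_RE = re.compile(r"^vpngroup\s+(\S+)\s+split-tunnel\s+(\S+)$")


def parse(config: str) -> Tuple[Dict[str, List[dict]], Dict[str, str]]:
    """Return (ACL entries keyed by ACL name, split-tunnel ACL name keyed by vpngroup)."""
    acls: Dict[str, List[dict]] = {}
    groups: Dict[str, str] = {}
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            name, action, proto, rest = m.groups()
            acls.setdefault(name, []).append(
                {"action": action, "proto": proto, "fields": rest.split()})
            continue
        m = VPNGROUP_RE.match(line)
        if m:
            groups[m.group(1)] = m.group(2)
    return acls, groups


def audit_split_tunnel(config: str) -> List[str]:
    """Flag split-tunnel ACL entries that tunnel everything or are port-specific."""
    acls, groups = parse(config)
    findings: List[str] = []
    for group, acl_name in groups.items():
        for e in acls.get(acl_name, []):
            if e["action"] != "permit":
                continue
            # The source field names the inside network the client should tunnel to;
            # "any" there sends every destination into the tunnel (the thread's problem).
            if e["fields"] and e["fields"][0] == "any":
                findings.append(f"{group}: {acl_name} tunnels all traffic (permit {e['proto']} any)")
            # Split tunneling is network-based; ports in the ACL are not honored.
            if e["proto"] != "ip":
                findings.append(f"{group}: {acl_name} has a {e['proto']} entry; use permit ip")
    return findings
```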
    LVL 6

    Author Comment

    by:Neadom Tucker
    One more question on that.  Does that open up my corporate network to anything?
    LVL 79

    Expert Comment

    Not really. The VPN Client has a built-in firewall and it is pretty secure for most business use. If you are a regulated industry like financial, health care, etc., then you might reconsider. Otherwise, I'd say the risk is minimal as long as end users are constantly reminded about safe surfing and their responsibilities as good corporate citizens while connected through the VPN. You don't want them to map a drive through the VPN then share the contents through eMule or anything like that...
    LVL 6

    Author Comment

    by:Neadom Tucker
    Sorry this is for real the last question.  Do I need to use a different ACL #? Or should I use the same?
    LVL 79

    Expert Comment

    You can use whatever you want. Name/number whatever. Just remember to re-apply to the VPNGroup.
    LVL 6

    Author Comment

    by:Neadom Tucker
    What does that mean?  Save it to Memory?
    LVL 79

    Expert Comment

    You can name the access list or you can number the access list. i.e.

    access-list @@_splitTunnelAcl permit ip xxxxxxxx

    access-list 100 permit ip xxxxxxxxxx

    But whatever you call it, be sure to change the vpn group to match:

    vpngroup &&& split-tunnel @@_splitTunnelAcl
    vpngroup &&& split-tunnel 100

