Solved

CISCO VPN Shuts down my internet connection.

Posted on 2007-10-04
1,252 Views
Last Modified: 2011-10-03
Whenever I connect to my Cisco VPN I lose internet connection.  I have access to my network but I lose my internet connection.  This is actually an issue for my client but I have replicated the issue at my office.

Here is what I have.

Cisco 506PIX
Cisco VPN Client
On the Client VPN I have Allow Local LAN Checked.

Once connected to the VPN it is like DNS is broken.  I can ping the IP address of the servers but not the NetBIOS names.

Here is my Cisco Config.
PIX Version 6.3(5)
interface ethernet0 10baset
interface ethernet1 10baset
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password @@@@@@@@i encrypted
passwd %%%%%%%% encrypted
hostname @@@@@
domain-name @@@@@.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit ip 10.31.0.0 255.255.255.0 172.10.12.0 255.255.255.0
access-list 100 permit ip 10.31.0.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list 120 permit icmp any any echo-reply
access-list 120 permit icmp any any unreachable
access-list 120 permit icmp any any time-exceeded
access-list 120 permit tcp any host @@.@@.@@.@@1 eq smtp
access-list 120 permit tcp any host @@.@@.@@.@@2 eq pptp
access-list 120 permit gre any host @@.@@.@@.@@2
access-list 120 permit tcp any host @@.@@.@@.@@1 eq www
access-list 120 permit tcp @@.@@.@@.0 255.255.255.0 host @@.@@.@@.@@1 eq pop3
access-list 120 permit tcp @@.@@.@@.0 255.255.255.0 host @@.@@.@@.@@1 eq imap4
access-list 120 permit tcp any host @@.@@.@@.@@1 eq https
access-list @@@@@_splitTunnelAcl permit ip 10.31.0.0 255.255.255.0 any
access-list outside_cryptomap_dyn_20 permit ip any 172.16.0.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging buffered errors
logging trap warnings
logging host inside 10.31.0.3
mtu outside 1500
mtu inside 1500
ip address outside @@.@@.@@.@@3 255.255.255.248
ip address inside 10.31.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-pool 172.10.12.1-172.10.12.4
ip local pool IPSec-pool 172.10.12.5-172.10.12.9
ip local pool ippool 172.16.0.1-172.16.0.254
pdm location 172.10.12.0 255.255.255.0 outside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 1 @@.@@.@@.@@4
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) @@.@@.@@.@@1 10.31.0.3 netmask 255.255.255.255 0 0
static (inside,outside) @@.@@.@@.@@2 10.31.0.2 netmask 255.255.255.255 0 0
access-group 120 in interface outside
route outside 0.0.0.0 0.0.0.0 @@.@@.@@.@@5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 172.16.0.0 255.255.255.0 inside
http 10.31.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 100
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup @@@@@ address-pool ippool
vpngroup @@@@@ dns-server 10.31.0.3
vpngroup @@@@@ default-domain @@@@@@@.com
vpngroup @@@@@ split-tunnel @@@@_splitTunnelAcl
vpngroup @@@@@ idle-time 1800
vpngroup @@@@@ password ********
vpngroup &&& address-pool ippool
vpngroup &&& split-tunnel kayon_splitTunnelAcl
vpngroup &&& idle-time 1800
vpngroup &&& password ********
telnet 172.16.0.0 255.255.255.0 inside
telnet 10.31.0.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:$$$$$$$$$$$$$$$$$$$$$$$$$
: end
Question by:Neadom Tucker
14 Comments
 
LVL 16

Expert Comment

by:poweruser32
ID: 20017310
Yeah, this is a very common VPN problem. It can be overcome by using split tunnelling on the PIX, which means that you can use your local gateway on your router to access the internet; however, it is meant to be a security risk, as it opens your company network to attacks if your internet is compromised.
 
LVL 79

Accepted Solution

by: lrmoore (earned 2000 total points)
ID: 20017362
Take out the "any" here:
 access-list @@@@@_splitTunnelAcl permit ip 10.31.0.0 255.255.255.0 any

no access-list @@@@@_splitTunnelAcl permit ip 10.31.0.0 255.255.255.0 any
access-list @@_splitTunnelAcl permit ip 10.31.0.0 255.255.255.0 172.10.12.0 255.255.255.0
access-list @@_splitTunnelAcl permit ip 10.31.0.0 255.255.255.0 172.16.0.0 255.255.255.0
vpngroup @@@@@ split-tunnel @@@@_splitTunnelAcl

For NetBIOS, you need a WINS server on the inside for VPN clients to use.
 
LVL 6

Author Comment

by:Neadom Tucker
ID: 20019938
OK then, so how do I force the VPN to use the corporate internet?

lrmoore, is that what your solution does?

I think I would prefer that if they get connected to the VPN they use the office's internet to get out.  I should still be able to use DNS names, correct?  When connected I cannot ping the computer names.  I can ping their IPs, just not their names.
 
LVL 2

Expert Comment

by:tdiops
ID: 20023326
If they are already connected to the internet at home, and just want to access the corp site for specific services, it would be better to just pass those services through the VPN connection. That is the basis of split tunneling: only pass the traffic you need, and leave everything else local. If you add some parameters to the ACL for the split tunnel, it should not have a detrimental impact on the connections, and at the same time does not force additional traffic through the tunnel, all while keeping your end users securely locked away from the network at an "arm's" distance... Below would allow RDP and telnet through the tunnel, but leave everything else local on the user network.

access-list @@_splitTunnelAcl permit ip 10.31.0.0 255.255.255.0 172.10.12.0 255.255.255.0
access-list @@_splitTunnelAcl permit ip 10.31.0.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list @@_splitTunnelAcl permit tcp 172.10.12.0 255.255.255.0 10.31.0.0 255.255.255.0 eq 3389
access-list @@_splitTunnelAcl permit tcp 172.16.0.0 255.255.255.0 10.31.0.0 255.255.255.0 eq 3389
access-list @@_splitTunnelAcl permit tcp 172.10.12.0 255.255.255.0 10.31.0.0 255.255.255.0 eq telnet
access-list @@_splitTunnelAcl permit tcp 172.16.0.0 255.255.255.0 10.31.0.0 255.255.255.0 eq telnet
access-list @@_splitTunnelAcl deny ip 172.10.12.0 255.255.255.0 10.31.0.0 255.255.255.0
access-list @@_splitTunnelAcl deny ip 172.16.0.0 255.255.255.0 10.31.0.0 255.255.255.0



 
LVL 79

Expert Comment

by:lrmoore
ID: 20024192
If you want users to use your Internet connection (and I'm not sure that you really want to), then you need to disable split-tunneling and set up "internet on a stick" as in this configuration example:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml

Having said that, I would recommend that if you want to control VPN users' internet access and force them through the same restrictions/policies that you have at work, then you might consider setting up a proxy server and forcing VPN users to use the internal proxy server.

Else, if you want split-tunneling to work better, enable split-dns also.
 
LVL 6

Author Comment

by:Neadom Tucker
ID: 20024211
Are the 3389 (Terminal Services) and the telnet the ports needed for this to work, or are you just using those as an example?  I need a different port open for an application and I also need file shares and general network application stuff like that.  I have my users connect to the Exchange Server using RPC or HTTPS.  My concern is that sometimes these users are in house and I have my DNS server with a Host (A) record pointing to my Exchange server so the RPC over HTTPS will work internally also.

Excuse the rambling, but I am just starting to get into the use of ACLs and the whole concept of split tunnelling is Greek to me.

Thank you all so much in advance for your help!
 
LVL 6

Author Comment

by:Neadom Tucker
ID: 20024243
Wow totally new territory here.

Can you give me an example of the configuration you're talking about?  I like tdiops' suggestion of keeping the users on their internet connection and just routing the traffic that is needed through the corp VPN.

Thanks again!
 
LVL 79

Expert Comment

by:lrmoore
ID: 20024310
My configuration exactly as I posted above will do just what you want with 2 lines of access-list for the split-tunnel ACL. I don't think you can be port specific with the split-tunneling.
You can restrict what VPN users can access in several other ways, including RADIUS authentication with downloadable ACLs or an ACL applied to the inside interface.
Keeping their normal Internet traffic on their own pipe keeps yours from being overloaded.
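An added example, not code from this thread, from Cisco, or from any of the posters: a small Python checker for the split-tunnel part of a PIX 6.x config. It reads only the commands the thread turns on (access-list, ip local pool, vpngroup) and reports the conditions behind the symptoms in the question: a split-tunnel permit entry with destination "any" (everything is tunnelled, so the client's internet traffic goes to the PIX and dies there, the problem lrmoore's accepted answer fixes), a vpngroup pointing at an ACL that is never defined, a client pool that no permit entry covers, and a group with no wins-server (lrmoore's NetBIOS point). It also flags port qualifiers such as tdiops' "eq 3389" lines for review, in line with lrmoore's remark that split tunneling is not port specific. Assumptions: PIX 6.3 syntax including "vpngroup NAME wins-server IP"; the two sample configs are constructed, and the group names corp and guest are placeholders.

```python
"""Split-tunnel sanity check for a PIX 6.x configuration (added example).

Reports, per vpngroup: a permit entry whose destination is "any" (tunnels all
client traffic), a split-tunnel ACL that is never defined, a client pool that no
permit entry covers, port qualifiers on split-tunnel entries, and a missing
dns-server or wins-server.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ANY_NET = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class AclEntry:
    action: str                      # permit / deny
    proto: str                       # ip / tcp / udp / icmp ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    qualifier: Optional[str] = None  # trailing "eq 3389", "echo-reply", ...


@dataclass
class VpnGroup:
    name: str
    pool: Optional[str] = None
    split_acl: Optional[str] = None
    dns: List[str] = field(default_factory=list)
    wins: List[str] = field(default_factory=list)


def _addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one PIX address spec: any | host A.B.C.D | A.B.C.D MASK."""
    if tokens[i] == "any":
        return ANY_NET, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text: str):
    """Return (acls, groups, pools) from the relevant lines of a PIX 6.x config."""
    acls, groups, pools = {}, {}, {}
    for line in text.splitlines():
        t = line.split()
        if len(t) >= 5 and t[0] == "access-list" and t[2] in ("permit", "deny"):
            src, i = _addr(t, 4)
            dst, i = _addr(t, i)
            acls.setdefault(t[1], []).append(
                AclEntry(t[2], t[3], src, dst, " ".join(t[i:]) or None))
        elif len(t) == 5 and t[:3] == ["ip", "local", "pool"]:
            first, last = t[4].split("-")
            pools[t[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif len(t) >= 4 and t[0] == "vpngroup":
            g = groups.setdefault(t[1], VpnGroup(t[1]))
            if t[2] == "address-pool":
                g.pool = t[3]
            elif t[2] == "split-tunnel":
                g.split_acl = t[3]
            elif t[2] == "dns-server":
                g.dns.extend(t[3:])
            elif t[2] == "wins-server":
                g.wins.extend(t[3:])
    return acls, groups, pools


def lint(text: str) -> List[str]:
    """One finding per problem, prefixed with the vpngroup name; [] if clean."""
    acls, groups, pools = parse_config(text)
    findings = []
    for g in groups.values():
        if g.split_acl is None:
            continue  # full tunnel by design; nothing to check here
        if g.split_acl not in acls:
            findings.append(f"{g.name}: split-tunnel ACL '{g.split_acl}' is never defined")
            continue
        permits = [e for e in acls[g.split_acl] if e.action == "permit"]
        for e in permits:
            if e.dst == ANY_NET:
                findings.append(f"{g.name}: '{e.src} -> any' tunnels all client traffic; "
                                "local internet breaks unless the PIX hairpins it")
            if e.qualifier:
                findings.append(f"{g.name}: qualifier '{e.qualifier}' on a split-tunnel "
                                "entry; split tunneling selects networks, so check it is honoured")
        if g.pool in pools:
            first, last = pools[g.pool]
            if not any(first in e.dst and last in e.dst for e in permits):
                findings.append(f"{g.name}: pool {g.pool} ({first}-{last}) is not the "
                                f"destination of any permit entry in {g.split_acl}")
        if not g.dns:
            findings.append(f"{g.name}: no dns-server; clients keep only their local DNS")
        if not g.wins:
            findings.append(f"{g.name}: no wins-server; NetBIOS names will not resolve over the tunnel")
    return findings


# Constructed sample mirroring the question: the "any" entry, a DNS server but no
# WINS server, and a second group whose split-tunnel ACL is not defined anywhere.
BEFORE_CFG = """\
access-list corp_splitTunnelAcl permit ip 10.31.0.0 255.255.255.0 any
ip local pool ippool 172.16.0.1-172.16.0.254
vpngroup corp address-pool ippool
vpngroup corp dns-server 10.31.0.3
vpngroup corp split-tunnel corp_splitTunnelAcl
vpngroup guest address-pool ippool
vpngroup guest split-tunnel missing_splitTunnelAcl
"""

# Constructed "after" config in the shape of the accepted answer: tunnel only the
# inside network <-> client pool, and add a WINS server for NetBIOS names.
AFTER_CFG = """\
access-list corp_splitTunnelAcl permit ip 10.31.0.0 255.255.255.0 172.16.0.0 255.255.255.0
ip local pool ippool 172.16.0.1-172.16.0.254
vpngroup corp address-pool ippool
vpngroup corp dns-server 10.31.0.3
vpngroup corp wins-server 10.31.0.3
vpngroup corp split-tunnel corp_splitTunnelAcl
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE_CFG), ("after", AFTER_CFG)):
        print(label, lint(cfg) or ["clean"])
```

Run it as-is and the "before" config produces three findings (the "any" entry, the missing WINS server, and the undefined ACL for the second group) while the "after" config comes back clean; to check a real box, paste the output of "show running-config" into lint() instead of the constructed strings.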
 
LVL 6

Author Comment

by:Neadom Tucker
ID: 20024338
One more question on that.  Does that open up my corporate network to anything?
 
LVL 79

Expert Comment

by:lrmoore
ID: 20024402
Not really. The VPN Client has a built-in firewall and it is pretty secure for most business use. If you are in a regulated industry like financial, health care, etc., then you might reconsider. Otherwise, I'd say the risk is minimal as long as end users are constantly reminded about safe surfing and their responsibilities as good corporate citizens while connected through the VPN. You don't want them to map a drive through the VPN and then share the contents through eMule or anything like that...
 
LVL 6

Author Comment

by:Neadom Tucker
ID: 20024437
Sorry this is for real the last question.  Do I need to use a different ACL #? Or should I use the same?
 
LVL 79

Expert Comment

by:lrmoore
ID: 20024487
You can use whatever you want. Name/number whatever. Just remember to re-apply to the VPNGroup.
 
LVL 6

Author Comment

by:Neadom Tucker
ID: 20025460
What does that mean?  Save it to Memory?
 
LVL 79

Expert Comment

by:lrmoore
ID: 20025693
You can name the access list or you can number the access list. i.e.

access-list @@_splitTunnelAcl permit ip xxxxxxxx

OR:
access-list 100 permit ip xxxxxxxxxx

But whatever you call it, be sure to change the vpn group to match:

vpngroup &&& split-tunnel @@_splitTunnelAcl
  OR:
vpngroup &&& split-tunnel 100
