Is VPN split tunneling not possible with a PIX 501?
Posted on 2007-10-17
We used to have a 3Com OfficeConnect as router/firewall/VPN server.
Clients could log on to their PCs (Windows XP Pro SP2) at home and use "dial in" to create
a VPN connection to our server and load their profile. To use the internet we could use either the local
connection or the remote internet connection by selecting / deselecting "Use default gateway on remote network" in the WinXP connection properties.
Now we have a Cisco PIX 501. (The 3Com OfficeConnect died on us.)
We can log on just like in the previous scenario, but have no internet whatsoever (unless we use RDP).
Cisco's TAC insist that Windows XP Pro cannot do Split Tunneling.
If this is the case, then why did it work with the 3Com OfficeConnect?
Could this somehow have to do with the lack of a domain name in the current VPN configuration?
Here is the explanation from Cisco:
I have done further research and have consulted my Tech-Lead on the same. PPTP and L2TP protocols will not support split-tunneling, hence tunnel traffic and internet will not work simultaneously. When the PPTP / L2TP tunnel comes up on the PC, the PPTP/L2TP route is installed with a higher metric than the previous default, so we lose Internet connectivity.
There is a work-around though but it is not scalable. It is only applicable if there is a limited number of clients connecting. If we assume that the IP pool is x.x.x.1 and the network behind the firewall is y.y.y.0 and the ISP next hop is z.z.z.1, then we'll have to do the following on the client machine:
route delete 0.0.0.0
route add 0.0.0.0 mask 0.0.0.0 z.z.z.1 metric 1
route add y.y.y.0 mask 255.255.255.0 x.x.x.1 metric 1
Since the metric is 1, both internet and tunneling will work. But the catch is that the x.x.x.1 IP will not remain the same and will change each time the client connects, and hence it is not scalable. In case you want both the features, i.e. VPN and internet connectivity, I would suggest that we use the VPN Client feature, like Cisco VPN Client, which is capable of handling split-tunneling. Uncheck "Use default gateway on remote network" under properties for the TCP/IP under General/advanced.
Any help would be appreciated.
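The "catch" in Cisco's work-around is that the tunnel address (x.x.x.1) changes on every connection, so the three route commands cannot simply be pasted into a batch file. The script below is an added example, not part of the original post or of Cisco's reply: it reads the output of `route print` on the XP client, picks the two default routes apart (on a PPP/PPTP/L2TP interface the Gateway column equals the interface's own address, which is how the tunnel route is told apart from the LAN/ISP one; that heuristic and the exactly-one-of-each assumption are mine), and emits the three commands with the live values filled in. The embedded `route print` text is constructed sample data, and the office network 172.16.0.0/24 used in the usage line is hypothetical.

```python
"""Generate (and optionally apply) the Windows XP split-tunnel route fix-up,
discovering the per-connection values from 'route print' output.
Added example; not from the original post or from Cisco."""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Tuple

# One "Active Routes" row: destination, netmask, gateway, interface, metric.
ROUTE_ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


@dataclass
class Route:
    dest: str
    mask: str
    gateway: str
    iface: str
    metric: int


def parse_route_print(text: str) -> List[Route]:
    """Pull the Active Routes rows out of 'route print' output; other lines are ignored."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_ROW.match(line)
        if m:
            routes.append(Route(m[1], m[2], m[3], m[4], int(m[5])))
    return routes


def find_default_routes(routes: List[Route]) -> Tuple[str, str]:
    """Return (isp_next_hop, vpn_client_address), i.e. Cisco's z.z.z.1 and x.x.x.1.

    Heuristic (assumption): on a PPP interface Windows lists the interface's own
    address as the gateway, so gateway == iface marks the tunnel's default route.
    """
    defaults = [r for r in routes if r.dest == "0.0.0.0" and r.mask == "0.0.0.0"]
    vpn = [r for r in defaults if r.gateway == r.iface]
    isp = [r for r in defaults if r.gateway != r.iface]
    if len(vpn) != 1:
        raise ValueError("expected exactly one PPP default route; is the VPN up "
                         "with 'Use default gateway on remote network' checked?")
    if len(isp) != 1:
        raise ValueError("expected exactly one non-PPP default route")
    return isp[0].gateway, vpn[0].iface


def split_tunnel_commands(route_print_text: str, remote_net: str,
                          remote_mask: str) -> List[str]:
    """The three commands from the work-around, with x.x.x.1 and z.z.z.1 filled in."""
    isp_gw, vpn_ip = find_default_routes(parse_route_print(route_print_text))
    return [
        "route delete 0.0.0.0",                                    # drops both default routes
        f"route add 0.0.0.0 mask 0.0.0.0 {isp_gw} metric 1",       # internet via the ISP
        f"route add {remote_net} mask {remote_mask} {vpn_ip} metric 1",  # office via tunnel
    ]


def apply_split_tunnel(remote_net: str, remote_mask: str) -> List[str]:
    """Run on the XP client (as an administrator) right after the VPN connects."""
    text = subprocess.run(["route", "print"], capture_output=True,
                          text=True, check=True).stdout
    cmds = split_tunnel_commands(text, remote_net, remote_mask)
    for cmd in cmds:
        subprocess.run(cmd.split(), check=True)
    return cmds


# Constructed sample of 'route print' on an XP client with the tunnel up (not real data):
# LAN default via 192.168.1.254, tunnel address 10.10.10.7 installed at metric 1.
SAMPLE_ROUTE_PRINT = """\
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.254     192.168.1.10      20
          0.0.0.0          0.0.0.0       10.10.10.7       10.10.10.7       1
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1       1
       10.10.10.7  255.255.255.255        127.0.0.1        127.0.0.1      50
      192.168.1.0    255.255.255.0     192.168.1.10     192.168.1.10      20
     192.168.1.10  255.255.255.255        127.0.0.1        127.0.0.1      20
Default Gateway:        10.10.10.7
===========================================================================
"""

if __name__ == "__main__":
    # Dry run against the sample; on a real client call apply_split_tunnel() instead.
    for cmd in split_tunnel_commands(SAMPLE_ROUTE_PRINT, "172.16.0.0", "255.255.255.0"):
        print(cmd)
```

Because the default routes are re-derived on every run, the script can be wired to the connection (for example as a scheduled task triggered after dial-up) and the per-connection x.x.x.1 stops being a problem. Note that `route delete 0.0.0.0` removes both default routes, exactly as in the work-around, so if the script fails between the delete and the add the client has no default route until it reconnects; running it with `check=True` at least makes that failure loud.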