Link to home
Start Free TrialLog in
Avatar of DennisPost
DennisPostFlag for Netherlands

asked on

Is VPN Split tunneling not possible with PIX 501 ?????

Hi,

We used to have a 3Com OfficeConnect as router/firewall/VPN server.
Clients could logon to their Pcs (Windows  XP Pro SP2) at home and and use "dial in" to create
a VPN connection to our server and load their profile. To use internet we could use either the local
connection or remote internet connection by selecting / deselecting "Use remote default gateway on remote network" in the WinXP connection properties.

Now we have a Cisco PIX 501. (The 3Com OficeConnect died on us.)
We can logon just like the previous scenario, but have no internet what so ever (Unless we use RDP).
Cisco's TAC insist that Windows XP Pro cannot do Split Tunneling.

If this is the case, then why did it work with the 3Com OfficeConnect?
Could this somehow have to do with the lack of Domain name in the current VPN configuration?

Here is the explanation from Cisco:
"
I have done further research and have consulted my Tech-Lead on the same. PPTP and L2TP protocls will not support split-tunneling, hence tunnel traffic and internet will not work simultaneously.  When the PPTP / L2TP tunnel comes up on the PC, the PPTP/l2tp route is installed with a higher metric than the previous default, so we lose Internet connectivity.
 
There is a work-around though but it is not scalable. It is only applicable if there are limited numbers of clients connecting. If we assume that the ip pool is x.x.x.1 and the network behind the firewall is y.y.y.0 and the ISP next hop is z.z.z.1, then we'll have to do the following on the client machine:

route delete 0.0.0.0
route add 0.0.0.0 mask 0.0.0.0 z.z.z.1 metric 1
route add y.y.y.0 mask 255.255.255.0 x.x.x.1 metric 1

Since, the metric is 1 hence both internet and tunneling will work. But catch is x.x.x.1 ip will not remain same and will change each time the client connects and hence it is not scalable. In case if you want want both the features ie, VPN and internet connectivity, I would suggest that we user VPN Client feature, like Cisco VPN Client, which is capable of handling split-tunneling. Uncheck "Use default gateway on remote network" under properties for the TCP/IP under General/advanced.
"
Any help would be apprciated.
Thanks.
Avatar of grblades
grblades
Flag of United Kingdom of Great Britain and Northern Ireland image

The PIX can do split-tunneling so if you configure it then the VPN client can use their local internet connection to access the internet.

However to access the internet at the remote location you are vpning to is not supported on the PIX501. This is because the packets coming into the outside interface cannot be re-routed back out the same interface. In order to do this you need IOS (operating system) at least version 7.0 which is only supported on the PIX515 and above and the ASA appliances.
An alternative is to install and use a proxy server at the remote location.
Avatar of Brugh
Brugh

Yea, basically you have 2 routes of 0.0.0.0 MASK 0.0.0.0 configured.  XP is going to choose the route with teh lowest metric to forward all packets through, except those packets that match an IP on the local subnet.  

Do this for us.
copy and paste an Ipconfig /all both before and after establishing the VPN connection.
This will help identify what's goign on.

I can't recall ever having a problem with this and a pIX, but, if memory serves, most times people have PPTP forwarded through the PIX to a Windows RAS server to handle the VPN.

 - Brugh



I should have added that the split-tunneling is part of the IPSEC VPN configuration which is used by the separate Cisco VPN client. The VPN client can be configured to connect before login so it can support the vpn client machine logging onto a remote domain.
Avatar of Les Moore
This is an issue inherent to Windows PPTP client. Cisco VPN client certainly does split-tunneling easy enough.
Although it is not recommended for an IPSEC VPN tunnel, for PPTP you can use a block of the same IP subnet as the inside of the PIX for only the VPDN clients. This way, the client just un-checks use default gateway on remote network option in the dialer properties.
Avatar of DennisPost

ASKER

Thanks for reacting guys!

grblades:
In order for the WinXP Client to access the remote network. "User default gateway on remote network"must be selected. If not then the L2TP VPN can be astablished, but the client cannot see the remote network. Internet is available on the client when this is not selected.
Ideally, the internet connectivity should be via the client and not the remote network.
I would like to avoind Cisco VPN Client software if possible, to allow users to login and connect the VPN
when the logon to windows.

Brugh:
I'll get back to you tomorrow with the IPConfig /all info.
I'm at work now and don't have an external line readily accessible.

Cheers
ASKER CERTIFIED SOLUTION
Avatar of Les Moore
Les Moore
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
lrmoore:
We are using L2TP / IPSec. Does that change anything?

I'm off now, I'll check in again tomorrow.
Here is the IPConfig / ALL output.
I have to connect to the net using a modem. (PPP adapter Internet:)

C:\>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : PCmob01
        Primary Dns Suffix  . . . . . . . : TestDomain
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : TestDomain

Ethernet adapter LAN:

        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : Realtek RTL8139/810x Family Fast Ethernet NIC
        Physical Address. . . . . . . . . : 00-A0-D1-B1-2F-60

PPP adapter Internet:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        Physical Address. . . . . . . . . : 00-53-45-00-00-00
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 217.166.250.77
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 217.166.250.77
        DNS Servers . . . . . . . . . . . : 194.151.228.18
                                            194.151.228.34
        NetBIOS over Tcpip. . . . . . . . : Disabled

PPP adapter L2TP PIX:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        Physical Address. . . . . . . . . : 00-53-45-00-00-00
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.2.12
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 192.168.2.12
        DNS Servers . . . . . . . . . . . : 192.168.1.111

C:\>
I think it would still work if you use a block of 192.168.1.x IP's for the VPN pool.
Just be sure that there is no chance of IP address conflict and if you have a dhcp server, be sure to exclude the range of IP's used for VPN.
>>I think it would still work if you use a block of 192.168.1.x IP's for the VPN pool.
Where can I do this?

>>Just be sure that there is no chance of IP address conflict and if you have a dhcp server, be sure to exclude the range of IP's used for VPN.
I thought that VPN subnets could not be the same as the LAN subnet. ????

My knowledge of configuring Cisco routers is limited at best. I need a bit of hand holding with this.
Could you please explain in laymans terms.

Thanks

If you post your current config, I can be more precise in what you need to change on the PIX.
Generally, it might go like this:
\\-- establish the pool of IP's. This is the range that needs to be excluded from DHCP scope
ip local pool L2TPPOOL 192.168.1.241-192.168.1.254

\\-- modify nat0 access list. use "any" --> pool
access-list inside_outbound_nat0_acl permit ip any 192.168.1.240 255.255.255.240

\\--modify the vpdn group to issue IP addresses from the new pool
vpdn group <GROUP> client configuration address local L2TPPOOL

Here's my configuration:

Result of firewall command: "sh run"
 
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password O<Password> encrypted
passwd <Password> encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit tcp any interface outside eq 3389
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.2.0 255.255.255.224
access-list l2tp permit udp host <OutSide> any eq 1701
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool PPTPUsers1 192.168.2.11-192.168.2.19 mask 255.255.255.0
pdm location 192.168.1.27 255.255.255.255 inside
pdm location 192.168.2.0 255.255.255.224 outside
pdm location 192.168.2.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 192.168.1.27 3389 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set L2TP esp-des esp-md5-hmac
crypto ipsec transform-set L2TP mode transport
crypto dynamic-map outside_dyn_map 20 match address l2tp
crypto dynamic-map outside_dyn_map 20 set transform-set L2TP
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 1
isakmp policy 30 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
vpdn group L2TP accept dialin l2tp
vpdn group L2TP ppp authentication chap
vpdn group L2TP ppp authentication mschap
vpdn group L2TP client configuration address local PPTPUsers1
vpdn group L2TP client configuration dns 192.168.1.111
vpdn group L2TP client authentication local
vpdn group L2TP l2tp tunnel hello 60
vpdn group PPTP accept dialin pptp
vpdn group PPTP ppp authentication chap
vpdn group PPTP ppp authentication mschap
vpdn group PPTP ppp encryption mppe auto required
vpdn group PPTP client configuration address local PPTPUsers1
vpdn group PPTP client configuration dns 192.168.1.111
vpdn group PPTP pptp echo 60
vpdn group PPTP client authentication local
vpdn username <User> password *********
vpdn enable outside
username <User> password <Password> encrypted privilege 2
terminal width 80
Cryptochecksum:<CheckSum>
: end
Copy/paste this into the Command line tool | multiple line command window

no vpdn enable outside
ip local pool L2TPPOOL 192.168.1.241-192.168.1.254
access-list inside_outbound_nat0_acl permit ip any 192.168.1.240 255.255.255.240
vpdn group L2TP client configuration address local L2TPPOOL
vpdn group PPTP client configuration address local L2TPPOOL
no crypto dynamic-map outside_dyn_map 20 match address l2tp
access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.240 255.255.255.240
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
vpdn enable outside
Copy / Paste / Run, no problem.

Can no long connect using L2TP. Error 792 Security negotiation time out.
PPTP Connects but still uses the original IP Pool 192.168.2.x


Put this back and see if it makes a difference

crypto dynamic-map outside_dyn_map 20 match address l2tp
crypto map outside_map interface outside


Ok. I can connect again but am still getting a 192.168.2.x IP.
No internet available.
Is there any thing I can change on the WnXP client to get this working?