  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 893

Unable to Connect to Website over VPN

We have a bit of a puzzler.

We have an end user, working remotely from home, who is unable to connect to a particular website when she is on our VPN.

The user system specs are: Windows XP SP 3, IE 8. She is on Cisco VPN Client 5.0.02.0090.

She can get to the website when she is not on the VPN. We were able to get to the website over our normal network connection, and over the VPN from our corporate location.

Any suggestions? (Other than having the user access the website off of the VPN?)
0
KIP Help
2 Solutions
 
fa2lerror Commented:
I have a PIX at a few clients' locations. External web access does not work when using the VPN. Sorry.
0
 
RPPreacher Commented:
Can she ping the website by name?
Can she ping the website by IP?
Is it your web site?
0
 
RPPreacher Commented:
"external web access does not work when using the VPN. Sorry."

What???

Split tunneling.  Easy cheesy.

Buzz.  Thanks for playing.
0
 
Britt Thompson, Sr. Systems Engineer, Commented:
Depending on how the VPN is configured, she may be able to get internet access just by checking the "allow local lan access" checkbox within the configuration of the VPN profile under the transport tab.

Otherwise, RPPreacher is correct; you'll need a split tunnel configured on the device.
0
 
RPPreacher Commented:
The way the question is phrased ("a particular website") reads like "she can access every web site EXCEPT 1".

The first thing to determine is if this is a DNS or routing issue.

THUS

Can she ping the website by name?
Can she ping the website by IP?
Is it your web site?
0
 
KIP Help (Author) Commented:
@fa2lerror: She is able to access other websites on the VPN, just not this particular site.

@RPPreacher: She is unable to ping the website by name or by IP. Interestingly enough, I was just speaking with her and testing the website again. Here in the office (because we can connect), we discovered that the website redirects to a secured site. The interesting part is that she cannot connect to the secured site either; however, she can ping the secured site via name and IP.

The secured site that is redirected to has an entirely different domain name than the original site.

This is a third-party site and not our corporate website.
0
 
RPPreacher Commented:
Do you do URL filtering on the PIX?
Have you checked her PC for viruses/malware?
0
 
RPPreacher Commented:
Is the IP of the redirected site anything close to your VPN pool/internal IP range or any ACL on the PIX defined as "interesting traffic"?

WAIT!!!!

Does she have a pop-up blocker? Either IE or Google toolbar or some other such nonsense? They dislike redirects.
0
 
Britt Thompson, Sr. Systems Engineer, Commented:
Ah...I failed to read the entire question myself.

Does the VPN subnet have access to ports other than 80 from outside the network? Sounds like the site redirects to port 443 or some other secure port that's being blocked by the device.
0
 
KIP Help (Author) Commented:
I'll need to pass the URL filtering question on to our network admins; I don't handle that portion. (Though if it's any help with the brainstorming, we do have Websense.)

However, her PC has not been checked for viruses, nor for pop-up blockers. I'll look into that one.
0
 
fa2lerror Commented:
I am not a Cisco admin and rely on others for my programming. All other vendors do allow "split tunnelling". The few clients that run Cisco and their admins claim the firewall does not support split tunnelling, thus my answer. It could be that the versions of our PIX501 and IOS are our issues and limiting this feature set. I don't really know.
Again, in our setups, split tunnelling is not available, nor can I access remote office subnets when VPN'd into main network.
0
 
RPPreacher Commented:
"split tunnelling is not available"

Definitely not a limitation of the PIX nor relevant to the question though.
0
 
Ehab Salem Commented:
Is she getting the Websense blockpage or page cannot be displayed or what?
0
 
KIP Help (Author) Commented:
She is not getting a blocked page, but a "page cannot be displayed" error.
0
 
shahyan Commented:
I am having the same issue with one of my remote users who is trying to access our website over the tunnel. The one similarity I see is that we do a redirect from a non-secure to a secure (https) location as well. Not sure if that is the culprit here.
0
 
KIP Help (Author) Commented:
We had the problem temporarily resolved: we flushed her DNS cache and she connected fine. However, the problem is recurring again. Is there any way to force the PC to continually flush the DNS cache instead of doing it manually?
0
 
RPPreacher Commented:
That's weird. Is it resolving differently internally than externally? This happens sometimes with internal sites.

To answer your question, you could

(1)  Create a bat file and a scheduled task
(2)  Create a bat file and a shortcut that runs on log on
(3)  Edit the hosts file to include an entry for the problem site (so it doesn't rely on DNS)
0
 
KIP Help (Author) Commented:
The issue has been resolved; the problem appeared to have something to do with her ISP assigning the same subnet and IP addresses as our VPN does. I'm not technical enough on the networking end to explain or even understand what happened, but I'm splitting the points for the suggestions and prompts along the way.
0
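
The resolution above traces the failure to the ISP handing out the same subnet the VPN uses. A check for that kind of overlap, as an added example that is not part of the original thread: it flags conflicting ranges and shows which interface a longest-prefix route lookup would pick for a given destination. All addresses, interface names and metrics are constructed; the thread does not say which ranges were involved.

```python
import ipaddress

def net(cidr):
    # strict=False accepts a host address with its mask, as ipconfig reports it
    return ipaddress.ip_network(cidr, strict=False)

def find_overlaps(local_nets, vpn_nets):
    """Return each (local, vpn) pair of networks sharing at least one address."""
    return [(str(l), str(v))
            for l in map(net, local_nets)
            for v in map(net, vpn_nets)
            if l.overlaps(v)]

def pick_route(dest, routes):
    """Longest-prefix match; the lowest metric breaks ties.

    routes: (cidr, interface, metric) tuples. Returns (interface, contested);
    contested is True when two interfaces hold an equally specific route.
    """
    addr = ipaddress.ip_address(dest)
    hits = [(net(c), iface, metric) for c, iface, metric in routes
            if addr in net(c)]
    if not hits:
        return None, False
    longest = max(n.prefixlen for n, _, _ in hits)
    best = sorted((h for h in hits if h[0].prefixlen == longest),
                  key=lambda h: h[2])
    return best[0][1], len({iface for _, iface, _ in best}) > 1

# Constructed sample values, not taken from the thread.
HOME_LAN = ["10.0.0.17/255.255.255.0"]          # address handed out at home
VPN_NETS = ["10.0.0.0/16", "172.16.50.0/24"]    # networks behind the tunnel
ROUTES = [
    ("10.0.0.0/24", "lan", 20),   # connected route for the home LAN
    ("10.0.0.0/16", "vpn", 1),
    ("172.16.50.0/24", "vpn", 1),
    ("0.0.0.0/0", "lan", 20),
]

if __name__ == "__main__":
    for local, vpn in find_overlaps(HOME_LAN, VPN_NETS):
        print(f"conflict: home {local} overlaps VPN {vpn}")
    for dest in ("10.0.0.53", "10.0.5.9", "172.16.50.4"):
        print(dest, "->", pick_route(dest, ROUTES))
```

In the sample, 10.0.0.53 sits inside a VPN network but matches the more specific home LAN route, so traffic for it never enters the tunnel.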
