TestMonkey
Cisco SSL VPN (No Internet Browsing)
I finally have a number of my routers configured for SSL VPN (AnyConnect).
I'm trying to figure out why, the second I connect, I can't use the internet anymore (can't browse, etc.). I know it's working, as I can get on the local servers via remote desktop, shares, etc.
Is there a setting that I'm missing?
ASKER
Split tunneling? The IP address thing: help me understand that, because PPTP works fine.
ASKER
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080975e83.shtml
Can you explain this one better?
I don't understand the ACL rule. I know where to create them, but is it telling me to find out the network of each user (hundreds) and add them as an include or an exclude?
I will have to read the article, but normally you don't need to know the IP address of the users, you need to know what IP subnets you want to go over the VPN tunnel.
You let the home user keep their normal default gateway and then the VPN client will add the routes for your internal subnets to their route table.
I could not find where you need to know the home user's IP subnet. In the article where it shows the 192.168.10.1 address on the home computer, that is not the home network; that is the IP subnet for the VPN tunnel.
ASKER
Yep, I see that :)
Very annoying.
I'd like users to be able to use the internet while connected; sad, really, that it's this hard to figure out.
The problem is how you want them to use the Internet, meaning do you want them to use their own Internet connection (split tunneling) or the company's Internet connection?
Using their own Internet connection means they won't "double dip" the company bandwidth, but it also means you have to trust that the employee's home computer is protected. If his home computer gets compromised, that can be used as a launching point into your corporate network. A few years back an employee of MS had their home computer compromised and it was used as a router into MS's internal network.
Using the company's Internet connection reduces the possibility of the internal network getting compromised, but it means the traffic for the web-surfing employee is hitting the company's Internet connection twice.
ASKER
I'll do split tunneling; I just need to understand how to configure it.
The link you had above does a fairly good job of describing what you need to do. Just follow it.
ASKER
90% of those options are not in Cisco Configuration Professional :( that's why I'm asking.
What are you using as the VPN server? If you are running ASA 8.x, then use ASDM or use the CLI.
ASKER
Cisco router, and pic attached; I can only include or exclude IPs/subnets.
ASKER
I'm not getting an option to add an ACL, etc., either.
Which router and which IOS?
Here is an example configuring a 3640 for VPN and split tunneling:
http://www.cisco.com/en/US/products/hw/routers/ps274/products_configuration_example09186a0080819289.shtml
ASKER
I just figured it out: I just need to add the corporate networks to the include list and everything works, net and everything (net is coming from local).
ASKER
For those doing the same with a Cisco router and SSL VPN (Cisco AnyConnect):
1.) Under split tunnel, just add the corporate network (i.e., if the LAN on the router you're connecting to is 1.1.1.1, use 1.1.1.0 by clicking Include Traffic, then the IP along with the subnet).
2.) You won't get DNS, so just click over to DNS and WINS, then add the Primary DNS Server. Wham, all done.
VERY simple.
A second note that I ran into was that AnyConnect 2.4.0202 always claimed to have certificate issues; using AnyConnect 2.3.2016 works flawlessly.
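The two settings the asker ends up with (include only the corporate subnet in the split tunnel, and push a DNS server), together with the answer to the earlier ACL question, as they look in the IOS SSL VPN CLI rather than in Cisco Configuration Professional. This is an added illustration, not configuration from the thread or from the linked Cisco articles; the context and policy names, the client pool, the corporate subnet 10.10.0.0/24, the DNS address 10.10.0.5 and the domain are assumed placeholders, and the webvpn gateway, certificate and AAA setup the asker already has working are assumed to be in place.

```cisco
! Assumed pool handed out to AnyConnect clients (placeholder range)
ip local pool SSLVPN_POOL 192.168.10.10 192.168.10.100

webvpn context SSLVPN_CTX
 policy group SSLVPN_POLICY
  ! Enable the full AnyConnect (SVC) tunnel client for this group
  functions svc-enabled
  svc address-pool "SSLVPN_POOL"
  ! Only traffic destined for the corporate LAN enters the tunnel; all
  ! other traffic, including general Internet browsing, leaves through the
  ! user's own default gateway. This is the "Include Traffic" entry from CCP.
  ! It is the corporate subnet, not each home user's subnet.
  svc split include 10.10.0.0 255.255.255.0
  ! An extended ACL name can be given instead of an address and mask when
  ! several corporate subnets need to be listed:
  !   svc split include acl SPLIT_TUNNEL_ACL
  ! Without a pushed resolver the client has no way to look up internal
  ! names, which is the "DNS and WINS" step in CCP.
  svc dns-server primary 10.10.0.5
  svc default-domain "corp.example"
  ! Leaving out every "svc split" line yields a full tunnel: all client
  ! traffic, Internet included, crosses the VPN and the company's edge
  ! filtering, which is the option the final reply prefers for policy reasons.
 default-group-policy SSLVPN_POLICY
 inservice
```

Use `show webvpn context` and `show webvpn session context SSLVPN_CTX` on the router, and the route table on the client, to confirm that only the included subnet is routed over the tunnel after connecting.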
ASKER CERTIFIED SOLUTION
If your company policy allows you to do split tunneling, then you need to do that. Most company policies do NOT allow split tunneling, because it makes your home PC an entry point to your corporate network.