  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 657

Cannot connect to Internet whilst on Cisco VPN

Hello,

I have a Cisco VPN client and I connect through that to a company VPN which works fine.  The issue is that once connected I cannot access my mail or access the internet.  This is on XP Professional.

Now I tried:
1) open up "Network Connections"
2) right click on the VPN connection (it is connected at this point) and select Properties
3) select "Internet Protocol (TCP / IP)" then properties
4) click "Advanced"

I cannot see the "default gateway..." checkbox.  I do however have a default gateway text box as per the attached screenshot.

Thanks :)

Michael.
image.bmp
 
raiden69 Commented:
Hi

Can you ping the mail server?
Are all your settings correct? (i.e. proxy settings/VPN settings?)
0
 
AngelGabriel Commented:
I have a feeling that all your internet is now being passed to the VPN, and the sys admin has either disabled relaying internet for outside people, or, your usual in office policies regarding internet are kicking in.

You can find this out by disconnecting from the VPN, and then do a traceroute to google. Make note of the servers it uses.

Then, connect to the VPN, and do the traceroute again. If the route has changed, then your answer is that the VPN configuration does not allow you to continue to use your internet connection for browsing the web.

Reason, your default route or gateway has been changed by the VPN, which is normal behaviour. You may have to get your system admin on this one.
0
 
Istvan Kalmar (Head of IT Security Division) Commented:
Could you send me the statistics screenshot?
0
 
MichaelT_ (Author) Commented:
I am less concerned about the mail than the internet :)  When connected to the VPN I cannot ping google.com.  I am not using any proxy settings to connect through to the internet normally, and for the VPN settings I am using TCP on port 80 as the transport protocol.  If I change it to UDP then the result is the same.

Thanks for your quick response.

Michael.
0
 
memo_tnt Commented:
Hi

Is your VPN pool network the same as your current PC network subnet?
I mean:
when you connect through VPN, what IP do you get?
If it is the same as your LAN IPs, then you need to change one of them to be different from the other
..
if this is not the issue

Moreover, can you post your configuration, removing all passwords ..
Maybe something in your configuration ...
0
 
raiden69 Commented:
Hi

Since you mention that the "Use default gateway on remote network" option is missing, this might help.
http://diaryproducts.net/about/operating_systems/windows/enable_disable_default_gateway_vpn_windows
0
 
MichaelT_ (Author) Commented:
AngelGabriel,

Thanks for your reply.  Unfortunately when I do a tracert to google.com when connected to the VPN it returns "Unable to resolve target system name google.com", doing it when disconnected from the VPN works as expected.

Ikalmar, what statistics are you after exactly? I would definitely be happy to post them if they will help :)

memo_tnt, when I am connected to the VPN and I do an ipconfig /all the "Local Area Connection 2" results in an IP address of 172.16.x.xx, the Wireless Connection IP is 192.168.0.2 and without the VPN connection the "Local Area Connection 2" is not connected (which is expected) and the "Wireless Connection" has the same IP address assigned.

I am using Cisco Systems VPN Client Version 4.8.0.1.0300, the connection has the following details (some are masked for privacy)
Connection Entry: group5
Description: XYZ VPN
Host: 12.40.xxx.xxx
Group Authentication
Name: group5
Password: xxxxxx

Transport
Enable Transparent Tunneling (checked)
IPSec over TCP on Port 80

Allow Local LAN Access (checked)
Peer response timeout [seconds]: 90

raiden69, thanks for the article although I am not sure about how to go about cloning the VPN connection.
Sorry if I haven't been clear on anything, networking is not my forte :) Thanks for all your prompt replies so far, I appreciate it :)
0
 
MichaelT_ (Author) Commented:
Hmm, just looking even more, found the "Statistics" dialog (Ikalmar, is that what you were after?) and although I specify to allow local LAN access, in the Tunnel details "Local LAN" is disabled? I have attached both the tunnel details and the route details to this post for more information.
tunnel-details.bmp
route-details.bmp
0
 
Istvan Kalmar (Head of IT Security Division) Commented:
It shows the VPN server gives you a default route, so you are not able to reach the local LAN or the internet, only the other side of the VPN!

0
 
MichaelT_ (Author) Commented:
OK, could this be a setting that can be changed by the system administrator on the VPN server side?
0
 
Istvan Kalmar (Head of IT Security Division) Commented:
Hello, you are not able to change it; only the VPN server administrator is able to do it!

Best regards,
Istvan
0
 
AngelGabriel Commented:
Thanks for your reply.  Unfortunately when I do a tracert to google.com when connected to the VPN it returns "Unable to resolve target system name google.com", doing it when disconnected from the VPN works as expected.

Sounds like a DNS issue -- unable to resolve target system

I'm going to assume the following.
You have a new route given to you because you've connected to the VPN
Now you can't get to your local DNS server -- but you can get to your company DNS server, or the one pushed/configured for the VPN
The DNS server in use does not resolve for the internet, probably just in house servers
No DNS, no internet *not quite true, but I don't see you memorising IP addresses to all your favorite websites!*


Disconnect from the VPN -- lookup your DNS server IP
Connect to the VPN
Do a traceroute to the IP you got from step one
If it doesn't work, you've found your problem -- If it DOES work
check the route it took, it should use your router as its second hop -- if not, again we found the problem
0
 
Istvan Kalmar (Head of IT Security Division) Commented:
Hi AngelGabriel!

It is not a DNS problem; it will never work until the system administrator enables the internet via VPN, or split tunneling, which means the client connected to the VPN reaches all the addresses he wants via the local gateway, and only the remote site addresses are tunneled!

Best regards,
Istvan
A Cisco VPN administrator....
0
 
AngelGabriel Commented:
ikalmar -- I am not suggesting that it is a DNS problem -- I am suggesting that it is a routing problem.

The quickest way to find that out is to attempt to contact a third party system. In this case I used the DNS server as a point of reference, some ISPs do not have a DNS server on the same subnet, AND you can also reach those DNS servers via a different ISP altogether (demon in the UK is one such ISP)

So, the ability to reach it either via IP address, and the route taken, with and without VPN, would have provided me with enough information to determine where things are going wrong, and from there, we can advise Michael what to do next.
0
 
Istvan Kalmar (Head of IT Security Division) Commented:
Hi,

As you see, the Cisco VPN concentrator always gives a default gateway (0.0.0.0). It gives more security to the company, because all packets are tunneled, so the remote client is not able to do anything except what the system administrator has enabled!
0
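
Added example (not part of any post in this thread): the before/after comparison AngelGabriel describes and the forced default route (0.0.0.0) Istvan points to can both be read straight from `route print` output. The Python code below parses constructed routing-table rows and reports whether internet-bound traffic would leave via the VPN adapter; every address in it, including the 172.16.0.10 VPN address and the 10.20.0.0 corporate subnet, is an assumption made for illustration.

```python
import ipaddress

# Constructed `route print` rows: destination, netmask, gateway, interface,
# metric. Every address is made up (the page masks the VPN IP as 172.16.x.xx).
VPN_IP = "172.16.0.10"
BEFORE_VPN = """
0.0.0.0      0.0.0.0        192.168.0.1  192.168.0.2  25
192.168.0.0  255.255.255.0  192.168.0.2  192.168.0.2  25
"""
FULL_TUNNEL = """
0.0.0.0      0.0.0.0        172.16.0.10  172.16.0.10  1
0.0.0.0      0.0.0.0        192.168.0.1  192.168.0.2  26
172.16.0.0   255.255.0.0    172.16.0.10  172.16.0.10  1
192.168.0.0  255.255.255.0  192.168.0.2  192.168.0.2  26
"""
SPLIT_TUNNEL = """
0.0.0.0      0.0.0.0        192.168.0.1  192.168.0.2  25
10.20.0.0    255.255.0.0    172.16.0.10  172.16.0.10  1
172.16.0.0   255.255.0.0    172.16.0.10  172.16.0.10  1
192.168.0.0  255.255.255.0  192.168.0.2  192.168.0.2  25
"""

def parse_routes(text):
    """Return (network, gateway, interface, metric) tuples from route rows."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        try:
            net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}")
            routes.append((net, parts[2], parts[3], int(parts[4])))
        except (ValueError, IndexError):
            continue  # blank, header or separator line, not a route row
    return routes

def egress_interface(routes, dest):
    """Longest-prefix match, ties broken by lowest metric."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: (r[0].prefixlen, -r[3]))[2] if matches else None

def tunnel_mode(routes, vpn_ip, internet_host="203.0.113.10"):
    """Classify by where traffic to a non-corporate address would leave."""
    if not any(r[2] == vpn_ip for r in routes):
        return "vpn-down"
    via_vpn = egress_interface(routes, internet_host) == vpn_ip
    return "full-tunnel" if via_vpn else "split-tunnel"

if __name__ == "__main__":
    for name, table in (("before", BEFORE_VPN), ("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL)):
        print(name, tunnel_mode(parse_routes(table), VPN_IP))
```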
 
AngelGabriel Commented:
ikalmar -- OHHHHH!!!!!! Well, if the default gateway is forced to be 0.0.0.0, that means it's by design!!! I understand what you mean now!

Michael -- sorry!!! I was thinking under the assumption that you are supposed to be able to access the internet AND the vpn at the same time. It seems that you should not be able to do this - get back to your system admin, and hear what s/he has to say about it :)
0
 
MichaelT_ (Author) Commented:
OK thanks guys, so it's a config issue on the system admin side and nothing that I can do, that's a bummer. I will chase that up and see what they can do.

Thanks for all your help :)
0
 
MichaelT_ (Author) Commented:
Thanks for your help :)
0
 
AngelGabriel Commented:
Well, there is something you *CAN* do, but I think it's outside the scope of this question. And points are already assigned. If you ask another question, post the link to it here.
0
