Custom route not working

I am connected to a VPN (Cisco AnyConnect VPN Client) which gives me access to some hosts that I need, but also blocks others that I also need access to (e.g. my mail server). So basically I have two gateways:

192.168.6.1 - VPN gateway
192.168.1.1 - normal home connection gateway

I have a specific host that I need normal (non-VPN) access to, which resolves to 123.45.67.89.

I tried adding a persistent route to that host, but it doesn't seem to be taking effect - that host is still blocked when connected to the VPN, which means the VPN connection is still being used to contact that host.

I attached my shortened ROUTE PRINT as a code snippet. I don't have an IPv6 persistent route set up, but I don't think that should be being used for this connection.


IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.116     20
          0.0.0.0          0.0.0.0      192.168.6.1    192.168.6.226     10
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
                             .... etc ....
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
     123.45.67.89    255.255.255.0      192.168.1.1       1
          0.0.0.0          0.0.0.0      192.168.6.1       5
===========================================================================

gr8gonzoConsultantAsked:

tty2Commented:
123.45.67.89    255.255.255.0...
Must be
123.45.67.89    255.255.255.255
Todd GerbertIT ConsultantCommented:
I'm not familiar with the Cisco VPN client, but the Microsoft client has an option to use the default gateway on the remote network (which I turn off) - that way traffic destined for hosts on my work network goes out the VPN, but traffic for anything else goes out my normal home internet connection (I think this is called split-tunnelling in the Cisco client).
qbakiesCommented:
Split-tunneling must be enabled on the VPN device you are connecting to, otherwise all traffic is routed through the tunnel.
Istvan KalmarHead of IT Security Division Commented:
Hi,
Only split tunneling allows you to connect to the internet when you are connected via VPN!
surbabu140977Commented:
You cannot add a static route and get connected to that network via the VPN. Your VPN administrator must add this network for you, and this should come to you directly once connected to the VPN. So tell your admin to add this network into the VPN encryption domain, disconnect and then connect again, and check route print to verify that this route is coming to your desktop.

Remove the route that you have added.

Best,
surbabu140977Commented:
By the way, also ask him (as suggested already by others) to enable split tunneling. You are not supposed to get a 0.0.0.0 route via the VPN. It's a very, very bad config.

Best,
gr8gonzoConsultantAuthor Commented:
tty2 - Sorry, I hand-edited the IP address to mask the real one. I actually have 123.45.67.0 with a netmask of 255.255.255.0 as the persistent route.

Unfortunately, this isn't a small company where a VPN admin will make a change for just one person. The Cisco client has an option called "enable local LAN access" which I checked before trying this new route thing. It seems to allow me to browse my local network successfully, so I assumed that was the split tunneling. So I can access the local 192.168.1.x hosts while connected to the VPN, but the persistent route doesn't seem to work the same way.
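Windows chooses a route by longest matching prefix first and uses the metric only to break ties, so on paper a 123.45.67.0/24 entry should beat both 0.0.0.0/0 defaults regardless of the VPN's lower metric. The following added example (not from the thread) parses a ROUTE PRINT table constructed from the question's masked values, with the /24 persistent route as the author clarified it and an assumed metric of 21, and runs that selection; it is a sanity check that the table itself is not what sends the host into the tunnel.

```python
import ipaddress

# Constructed sample: the Active Routes from the question's ROUTE PRINT, plus the
# 123.45.67.0/24 persistent route as the author later clarified it (metric assumed).
ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.116     20
          0.0.0.0          0.0.0.0      192.168.6.1    192.168.6.226     10
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
      123.45.67.0    255.255.255.0      192.168.1.1    192.168.1.116     21
===========================================================================
"""


def parse_route_print(text):
    """Return (network, gateway, interface, metric) for each route line.

    A route line has five fields whose first two parse as an IPv4 address and
    netmask; header and separator lines fall through the filter.
    """
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            # strict=False tolerates host bits, e.g. 123.45.67.89/255.255.255.0
            net = ipaddress.IPv4Network((parts[0], parts[1]), strict=False)
            metric = int(parts[4])
        except ValueError:
            continue
        routes.append((net, parts[2], parts[3], metric))
    return routes


def select_route(routes, dst):
    """Windows-style selection: most specific prefix wins; metric only breaks ties."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r[0].prefixlen, r[3]))


def gateway_for(dst, text=ROUTE_PRINT):
    """Gateway string the table would choose for dst, or None if nothing matches."""
    chosen = select_route(parse_route_print(text), dst)
    return chosen[1] if chosen else None


if __name__ == "__main__":
    for host in ("123.45.67.89", "8.8.8.8"):
        print(host, "->", gateway_for(host))
```

The mail host selects the home gateway while an arbitrary internet host selects the VPN default, which is why the thread ends up at the VPN's split-tunnel policy rather than the route entry.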
surbabu140977Commented:
In VPN, the admin has to make the change if you need access to something. The user is a stub and cannot do anything if the admin doesn't provide it. That's why VPN is secure: to prevent users from doing anything.

If your admin doesn't do anything, forget it; you cannot do anything from the client.

Best,
gr8gonzoConsultantAuthor Commented:
So the "Enable local LAN access" is not the same thing as split-tunneling?
gr8gonzoConsultantAuthor Commented:
Given that local LAN access works, do you think it could be possible to have some type of proxy server running on another PC on the LAN which forwards the traffic back and forth to these other non-VPN hosts? If so, any thoughts on a good (and hopefully free) proxy server for HTTP/HTTPS/POP3/SMTP ?
gr8gonzoConsultantAuthor Commented:
Question has been answered - yes, I can do that. I just tried a quick POP3 proxy. I downloaded SAWin32, which is meant to be a SpamAssassin POP3 proxy, but it comes with stunnel.exe, which basically acts as a proxy for a specific port. I set up a config file as attached, ran stunnel.exe on a separate PC on my local LAN, and then just switched my main PC to connect to it for mail. Worked great.

My stunnel.conf file:
taskbar = no
debug = 7
output = C:\path\to\logfile.txt
client = yes

[pop3s]
accept = 818
connect = my.mail.server:995
TIMEOUTclose = 0

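The stunnel.conf above runs stunnel in client mode with no verify setting, so it accepts whatever certificate my.mail.server presents, and accept = 818 listens on every interface of the proxy PC while the hop from the main PC to that port is plain POP3. The variant below is an added example, not the thread's own file: it pins a trusted CA bundle, binds the listener to the proxy PC's LAN address, and lowers the log level. The LAN address 192.168.1.50, the CA bundle path and the server name are placeholders.

```ini
; Added hardened variant of the thread's stunnel.conf (placeholders: 192.168.1.50 is
; the proxy PC's LAN address, C:\path\to\ca-bundle.pem a CA bundle, my.mail.server).
taskbar = no
debug = 5                        ; notice level; 7 writes full debug traces to the log
output = C:\path\to\logfile.txt
client = yes

; Check the mail server's certificate chain against a trusted CA bundle.
; Without verify (the original config) stunnel accepts any certificate.
verify = 2
CAfile = C:\path\to\ca-bundle.pem

[pop3s]
; Bind to the LAN address only; the listener speaks unencrypted POP3 to the
; main PC, so it should not be reachable from any other network.
accept = 192.168.1.50:818
connect = my.mail.server:995
; stunnel 5.06 and later can also match the server name in the certificate:
; checkHost = my.mail.server
TIMEOUTclose = 0
```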