[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 881
  • Last Modified:

Custom route not working

I am connected to a VPN (Cisco AnyConnect VPN Client) which gives me access to some hosts that I need, but also blocks others that I also need access to (e.g. my mail server). So basically I have two gateways:

192.168.6.1 - VPN gateway
192.168.1.1 - normal home connection gateway

I have a specific host that I need normal (non-VPN) access to, which resolves to 123.45.67.89.

I tried adding a persistent route to that host, but it doesn't seem to be taking effect - that host is still blocked when connected to the VPN, which means the VPN connection is still being used to contact that host.

I attached my shortened ROUTE PRINT as a code snippet. I don't have an IPv6 persistent route set up, but I don't think that should be being used for this connection.


IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.116     20
          0.0.0.0          0.0.0.0      192.168.6.1    192.168.6.226     10
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
                             .... etc ....
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
     123.45.67.89    255.255.255.0      192.168.1.1       1
          0.0.0.0          0.0.0.0      192.168.6.1       5
===========================================================================

Open in new window

0
gr8gonzo
Asked:
gr8gonzo
  • 4
  • 3
  • 2
  • +3
2 Solutions
 
tty2Commented:
123.45.67.89    255.255.255.0...
Must be
123.45.67.89    255.255.255.255
0
 
Todd GerbertIT ConsultantCommented:
I'm not familiar with the Cisco VPN client, but the Microsoft client has an option to use the default gateway on the remote network (which I turn off) - that way traffic destined for hosts on my work network goes out the VPN, but traffic for anything else goes out my normal home internet connection (I think this is called split-tunnelling in the Cisco client).
0
 
qbakiesCommented:
Split-tunneling must be enabled on the VPN device your are connecting to, otherwise all traffic is routed through the tunnel.
0
Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

 
Istvan KalmarHead of IT Security Division Commented:
Hi,
Only Split tunneling allowing that you connect to internet when you connected via VPN!
0
 
surbabu140977Commented:
u cannot add a static route and get connected to that network via the vpn. Your vpn administrator must add this network for you and this should come to you directly once connected to vpn. So tell your admin to add this network into vpn encryption domain, disconnect and then connect again and check route print to verify if this route is coming to your desktop.

Remove the route that you have added.

Best,
0
 
surbabu140977Commented:
btw, also ask him (as suggested already by others) to enable split tunneling. You are not suppose to get 0.0.0.0 route via the vpn. It's very very bad config.

Best,
 
0
 
gr8gonzoConsultantAuthor Commented:
tty2 - Sorry, I hand-edited the IP address to mask the real one. I actually have 123.45.67.0 with a netmask of 255.255.255.0 as the persistent route.

Unfortunately, this isn't a small company where a VPN admin will make a change for just one person. The Cisco client has an option called "enable local LAN access" which I checked before trying this new route thing. It seems to allow me to browse my local network successfully, so I assumed that was the split tunneling. So I can access the local 192.168.1.x hosts while connected to the VPN, but the persistent route doesn't seem to work the same way.
0
 
surbabu140977Commented:
in vpn,  admin has to do the change, if you need access to something. User is stub, cannot do anything if admin doesn't provide. That's why vpn is secure, to prevent users doing anything.

If your admin doesn't do anything, forget it, u cannot do anything from client.

Best,
0
 
gr8gonzoConsultantAuthor Commented:
So the "Enable local LAN access" is not the same thing as split-tunneling?
0
 
qbakiesCommented:
0
 
gr8gonzoConsultantAuthor Commented:
Given that local LAN access works, do you think it could be possible to have some type of proxy server running on another PC on the LAN which forwards the traffic back and forth to these other non-VPN hosts? If so, any thoughts on a good (and hopefully free) proxy server for HTTP/HTTPS/POP3/SMTP ?
0
 
gr8gonzoConsultantAuthor Commented:
Question has been answered - yes, I can do that. I just tried a quick POP3 proxy. I downloaded SAWin32, which is meant to be a SpamAssassin POP3 proxy, but it comes with stunnel.exe, which basically acts as a proxy for a specific port. I set up a config file as attached, ran stunnel.exe on a separate PC on my local LAN, and then just switched my main PC to connect to it for mail. Worked great.

My stunnel.conf file:
taskbar = no
debug = 7
output = C:\path\to\logfile.txt
client = yes

[pop3s]
accept = 818
connect = my.mail.server:995
TIMEOUTclose = 0

Open in new window

0

Featured Post

The 14th Annual Expert Award Winners

The results are in! Meet the top members of our 2017 Expert Awards. Congratulations to all who qualified!

  • 4
  • 3
  • 2
  • +3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now