gr8gonzo
asked on
Custom route not working
I am connected to a VPN (Cisco AnyConnect VPN Client) which gives me access to some hosts that I need, but also blocks others that I also need access to (e.g. my mail server). So basically I have two gateways:
192.168.6.1 - VPN gateway
192.168.1.1 - normal home connection gateway
I have a specific host that I need normal (non-VPN) access to, which resolves to 123.45.67.89.
I tried adding a persistent route to that host, but it doesn't seem to be taking effect - that host is still blocked when connected to the VPN, which means the VPN connection is still being used to contact that host.
I attached my shortened ROUTE PRINT as a code snippet. I don't have an IPv6 persistent route set up, but I don't think that should be in use for this connection.
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.116 20
0.0.0.0 0.0.0.0 192.168.6.1 192.168.6.226 10
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
.... etc ....
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
123.45.67.89 255.255.255.0 192.168.1.1 1
0.0.0.0 0.0.0.0 192.168.6.1 5
===========================================================================
I'm not familiar with the Cisco VPN client, but the Microsoft client has an option to use the default gateway on the remote network (which I turn off) - that way traffic destined for hosts on my work network goes out the VPN, but traffic for anything else goes out my normal home internet connection (I think this is called split-tunnelling in the Cisco client).
SOLUTION
Hi,
Only split tunneling allows you to connect to the internet when you are connected via VPN!
ASKER CERTIFIED SOLUTION
btw, also ask him (as suggested already by others) to enable split tunneling. You are not supposed to get a 0.0.0.0 route via the VPN. It's a very, very bad config.
Best,
ASKER
tty2 - Sorry, I hand-edited the IP address to mask the real one. I actually have 123.45.67.0 with a netmask of 255.255.255.0 as the persistent route.
Unfortunately, this isn't a small company where a VPN admin will make a change for just one person. The Cisco client has an option called "enable local LAN access" which I checked before trying this new route thing. It seems to allow me to browse my local network successfully, so I assumed that was the split tunneling. So I can access the local 192.168.1.x hosts while connected to the VPN, but the persistent route doesn't seem to work the same way.
In VPN, the admin has to make the change if you need access to something. The user is a stub and cannot do anything if the admin doesn't provide it. That's why VPN is secure, to prevent users from doing anything.
If your admin doesn't do anything, forget it, you cannot do anything from the client.
Best,
ASKER
So the "Enable local LAN access" is not the same thing as split-tunneling?
Technically no. This doc explains: http://www.cisco.kg/en/US/products/ps6120/products_configuration_example09186a0080702992.shtml
ASKER
Given that local LAN access works, do you think it could be possible to have some type of proxy server running on another PC on the LAN which forwards the traffic back and forth to these other non-VPN hosts? If so, any thoughts on a good (and hopefully free) proxy server for HTTP/HTTPS/POP3/SMTP ?
ASKER
Question has been answered - yes, I can do that. I just tried a quick POP3 proxy. I downloaded SAWin32, which is meant to be a SpamAssassin POP3 proxy, but it comes with stunnel.exe, which basically acts as a proxy for a specific port. I set up a config file as attached, ran stunnel.exe on a separate PC on my local LAN, and then just switched my main PC to connect to it for mail. Worked great.
My stunnel.conf file:
taskbar = no
debug = 7
output = C:\path\to\logfile.txt
client = yes
[pop3s]
accept = 818
connect = my.mail.server:995
TIMEOUTclose = 0
Must be
123.45.67.89 255.255.255.255
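Routing-table walk-through, added here as an example and not taken from the question or any of the answers: it replays the longest-prefix-match rule over the ROUTE PRINT rows from the question to show why the two 0.0.0.0 routes push 123.45.67.89 into the tunnel (metric 10 beats 20), why the "123.45.67.89 255.255.255.0" persistent entry is malformed, and why the /32 host route from the last comment (or a well-formed /24) wins regardless of metric. The route rows are constructed from the question's table; the functions are my own and assume a plain Python 3 interpreter.

```python
import ipaddress

# Constructed from the question's ROUTE PRINT (the ".... etc ...." rows omitted):
# destination mask gateway interface metric
ACTIVE_ROUTES = """\
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.116 20
0.0.0.0 0.0.0.0 192.168.6.1 192.168.6.226 10
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
"""


def parse_routes(text):
    """Turn ROUTE PRINT style rows into (network, gateway, interface, metric)."""
    routes = []
    for line in text.splitlines():
        dest, mask, gateway, iface, metric = line.split()
        net = ipaddress.ip_network(f"{dest}/{mask}")  # accepts dotted masks
        routes.append((net, gateway, iface, int(metric)))
    return routes


def best_route(routes, host):
    """Return the gateway chosen for host: the longest matching prefix wins,
    and the Metric column only breaks ties between equal-length prefixes.
    Note: a full-tunnel VPN client may later remove or override client-added
    routes, which is why the answers above ask the admin for split tunneling."""
    ip = ipaddress.ip_address(host)
    candidates = [r for r in routes if ip in r[0]]
    net, gateway, iface, metric = min(candidates, key=lambda r: (-r[0].prefixlen, r[3]))
    return gateway


def with_route(routes, dest, mask, gateway, iface, metric):
    """Append one route entry (e.g. the /32 host route from the last comment)."""
    return routes + [(ipaddress.ip_network(f"{dest}/{mask}"), gateway, iface, metric)]


def route_entry_problem(dest, mask):
    """None if dest/mask is a well-formed route, else why it is not
    (a /24 mask with 123.45.67.89 as the network address has host bits set)."""
    try:
        ipaddress.ip_network(f"{dest}/{mask}")
        return None
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    routes = parse_routes(ACTIVE_ROUTES)
    print("without host route:", best_route(routes, "123.45.67.89"))
    print("malformed entry:", route_entry_problem("123.45.67.89", "255.255.255.0"))
    fixed = with_route(routes, "123.45.67.89", "255.255.255.255", "192.168.1.1", "192.168.1.116", 1)
    print("with /32 host route:", best_route(fixed, "123.45.67.89"))
```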