VPN - how to access internet and VPN resources at the same time?

Discussion in 'Cisco' started by Jim Willsher, May 8, 2006.

  1. Jim Willsher

    Jim Willsher Guest

    Hi,

    I've asked this here already, but I probably didn't phrase it very
    well.

    I've got a Cisco 837, which I have configured as a VPN server (pptp).
    The router is 192.168.1.1/24.

    My VPN address pool is 172.16.1.1 to 172.16.1.5.


    When I establish a VPN connection to my server using a bog-standard
    Windows PPTP connection, I have two scenarios:

    1) If I have the box "use default gateway on remote network" ticked
    then I can access my VPN resources (e.g. 192.168.1.150, 12.168.1.201),
    but I can't resolve any DNS.

    2) If I have the box "use default gateway on remote network" unticked
    then I can resolve DNS, but I can't access my VPN resources (e.g.
    192.168.1.150, 12.168.1.201) unless I do a "ROUTE ADD 192.168.1.1 MASK
    255.255.255.0 172.16.1.1".

    With my old DrayTek I used to be in scenario 2, e.g. have the box
    unticked, but I could quite happily surf the web AND access VPN
    resources, without requiring the ROUTE ADD command.

    Can anyone suggest what I need to configure on my VPN? Having googled
    for three days, the concept of LOOPBACK keeps occurring, as does Split
    DNS, but I'm sure it must be something very simple that's required.

    Or is there some way of adding some kind of alias on the router, such
    that instead of trying to access my VPN resources via 192.168.1.x I
    access them via 172.16.x.x and the addresses get translated? I'm
    clutching at straws here in desperation!


    Many thanks,



    Jim

    PS Happy to make a PayPal donation to anyone who can help me achieve
    the solution!!!
     
    Jim Willsher, May 8, 2006
    #1

  2. Jim Willsher

    Jim Willsher Guest

    On Mon, 08 May 2006 09:47:32 +0100, Jim Willsher <>
    wrote:

    >Hi,
    >
    >I've asked this here already, but I probably didn't phrase it very
    >well.
    >
    >I've got a Cisco 837, which I have configured as a VPN server (pptp).
    >The router is 192.168.1.1/24.
    >
    >My VPN address pool is 172.16.1.1 to 172.16.1.5.
    >
    >
    >When I establish a VPN connection to my server using a bog-standard
    >Windows PPTP connection, I have two scenarios:
    >
    >1) If I have the box "use default gateway on remote network" ticked
    >then I can access my VPN resources (e.g. 192.168.1.150, 12.168.1.201),
    >but I can't resolve any DNS.
    >
    >2) If I have the box "use default gateway on remote network" unticked
    >then I can resolve DNS, but I can't access my VPN resources (e.g.
    >192.168.1.150, 12.168.1.201) unless I do a "ROUTE ADD 192.168.1.1 MASK
    >255.255.255.0 172.16.1.1".
    >
    >With my old DrayTek I used to be in scenario 2, e.g. have the box
    >unticked, but I could quite happily surf the web AND access VPN
    >resources, without requiring the ROUTE ADD command.
    >
    >Can anyone suggest what I need to configure on my VPN? Having googled
    >for three days, the concept of LOOPBACK keeps occurring, as does Split
    >DNS, but I'm sure it must be something very simple that's required.
    >
    >Or is there some way of adding some kind of alias on the router, such
    >that instead of trying to access my VPN resources via 192.168.1.x I
    >access them via 172.16.x.x and the addresses get translated? I'm
    >clutching at straws here in desperation!
    >
    >
    >Many thanks,
    >
    >
    >
    >Jim
    >
    >PS Happy to make a PayPal donation to anyone who can help me achieve
    >the solution!!!



    I forgot to say - it's the identical problem as described here:

    http://groups.google.com/group/micr...et simultaneous&rnum=1&hl=en#e7b44af5f06cf326

    but surely there's a simple solution? I get varying addresses
    (dynamic) so ROUTE ADD is not really ideal.


    Jim
     
    Jim Willsher, May 8, 2006
    #2

  3. Jim Willsher

    Jim Willsher Guest

    On Mon, 08 May 2006 09:47:32 +0100, Jim Willsher <>
    wrote:

    >Hi,
    >
    >I've asked this here already, but I probably didn't phrase it very
    >well.
    >
    >I've got a Cisco 837, which I have configured as a VPN server (pptp).
    >The router is 192.168.1.1/24.


    <snip>

    Okay, I'm responding to my own question - but then again I talk to
    myself too!


    I've just connected to a client's VPN on address x.x.x.240. I was
    assigned a local IP of x.x.x.160. If I look at my routing table (ROUTE
    PRINT) I see that the VPN Server has automatically added a static
    route for me:

    x.x.x.0 mask 255.255.255.0 x.x.x.160

    This is exactly what I want to achieve! So, can anyone help me add the
    appropriate lines to my config so that a static route of

    192.168.1.0 mask 255.255.255.0 <assigned VPN IP address>

    Thank you everyone,



    Jim
     
    Jim Willsher, May 8, 2006
    #3
  4. Jim Willsher

    Jim Willsher Guest

    On Mon, 08 May 2006 09:47:32 +0100, Jim Willsher <>
    wrote:

    >Hi,
    >
    >I've asked this here already, but I probably didn't phrase it very
    >well.
    >
    >I've got a Cisco 837, which I have configured as a VPN server (pptp).
    >The router is 192.168.1.1/24.
    >
    >My VPN address pool is 172.16.1.1 to 172.16.1.5.
    >
    >
    >When I establish a VPN connection to my server using a bog-standard
    >Windows PPTP connection, I have two scenarios:
    >
    >1) If I have the box "use default gateway on remote network" ticked
    >then I can access my VPN resources (e.g. 192.168.1.150, 12.168.1.201),
    >but I can't resolve any DNS.
    >
    >2) If I have the box "use default gateway on remote network" unticked
    >then I can resolve DNS, but I can't access my VPN resources (e.g.
    >192.168.1.150, 12.168.1.201) unless I do a "ROUTE ADD 192.168.1.1 MASK
    >255.255.255.0 172.16.1.1".
    >
    >With my old DrayTek I used to be in scenario 2, e.g. have the box
    >unticked, but I could quite happily surf the web AND access VPN
    >resources, without requiring the ROUTE ADD command.
    >
    >Can anyone suggest what I need to configure on my VPN? Having googled
    >for three days, the concept of LOOPBACK keeps occurring, as does Split
    >DNS, but I'm sure it must be something very simple that's required.
    >
    >Or is there some way of adding some kind of alias on the router, such
    >that instead of trying to access my VPN resources via 192.168.1.x I
    >access them via 172.16.x.x and the addresses get translated? I'm
    >clutching at straws here in desperation!
    >
    >
    >Many thanks,
    >
    >
    >
    >Jim
    >
    >PS Happy to make a PayPal donation to anyone who can help me achieve
    >the solution!!!



    Okay, nobody in this NG seemed able (or willing!) to help.

    The solution is this: Make your VPN address ranges on the same subnet
    as the router.

    My router is 192.168.1.1, and my subnet is 255.255.255.0. I have now
    set my VPN address pool to be 192.168.1.251 to 192.168.1.254. When I
    establish a VPN session now, I get the correct routing table
    (192.168.1.0/24).

    For the benefit of anyone else trying to achieve the same.


    Jim
     
    Jim Willsher, May 9, 2006
    #4
  5. Jim Willsher

    laurin

    Joined:
    Oct 4, 2006
    Messages:
    1
    Could use a hand

    Hey Jim I am having a similar problem. When I connect to my vpn I lose all my net connectivity....

    When I did a trace route on yahoo.com I kept getting my vpn server's local IP address returned.

    It would be great if you could help me out, as yours is the only thing I could find on google similar to my problem...


    Laurin
     
    laurin, Oct 4, 2006
    #5
  6. Jim Willsher

    SteveB

    Joined:
    Oct 3, 2006
    Messages:
    17
    Don't you have to enable split tunneling to be able to access resources outside of the scope of the vpn tunnel?
     
    SteveB, Oct 10, 2006
    #6
  7. Jim Willsher

    Zenith

    Joined:
    Oct 11, 2006
    Messages:
    3
    I'm only learning this stuff myself, but as SteveB said I think split-tunneling is really what you're looking for here. I think having the VPN clients in the same subnet as your LAN is probably going to cause you problems at some point...
     
    Zenith, Oct 11, 2006
    #7
  8. Jim Willsher

    SteveB

    Joined:
    Oct 3, 2006
    Messages:
    17
    If you address your VPN clients from the same network id the internal clients use, it will cause problems, especially if you are using the Cisco VPN client software. I just did a split tunnel this morning and it works great. The internal networks on the WAN are 192.168.3.0, 4.0, and 5.0. The firewall is a Cisco ASA 5510. The VPN clients get an address from the pool of 172.16.50.1 - 172.16.50.20. I put in a split tunnel acl that says if you are going to 192.168.x.x, go over the tunnel, otherwise use the "regular" internet connection on the remote VPN client.

    There is a router on the internal corporate WAN, so I had to add a route to that that says, to get to 172.16.0.0, go to the inside interface on the firewall.

    It works great.

    Other configuration issues aside, if you want to have a VPN connection and your regular Internet connection active at the same time, you HAVE to split-tunnel and specify which network destinations need to go over the tunnel. All other traffic will go unencrypted over the Internet to wherever you want, web sites, e-mail server, etc.
     
    Last edited: Oct 11, 2006
    SteveB, Oct 11, 2006
    #8
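
Added example, not part of any post in this thread: a small Python model of how the VPN client picks an outgoing interface in the setups discussed above (gateway box ticked, unticked with the 172.16.1.x pool, unticked with the pool moved into 192.168.1.x, and an explicit split-tunnel route). It assumes the Windows PPTP client adds a classful route for its assigned address when the box is unticked; the interface names, metrics, the client addresses picked from each pool and the 203.0.113.10 host are constructed.

```python
import ipaddress

LAN_HOST = "192.168.1.150"   # VPN resource named in the thread
WEB_HOST = "203.0.113.10"    # constructed stand-in for an Internet host

def classful_network(addr):
    """Class A/B/C network containing addr (assumed Windows PPTP behaviour)."""
    first_octet = int(ipaddress.ip_address(addr)) >> 24
    prefix = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def client_routes(assigned_ip, use_remote_gateway, split_routes=()):
    """Route table as (network, interface, metric); names and metrics are illustrative."""
    routes = [(ipaddress.ip_network("0.0.0.0/0"), "isp", 20)]
    if use_remote_gateway:
        # Box ticked: a second default route with a better metric captures everything.
        routes.append((ipaddress.ip_network("0.0.0.0/0"), "vpn", 1))
    else:
        # Box unticked: only the classful network of the assigned address is routed.
        routes.append((classful_network(assigned_ip), "vpn", 1))
    # Split tunnel: explicit routes for the networks that belong in the tunnel.
    routes += [(ipaddress.ip_network(n), "vpn", 1) for n in split_routes]
    return routes

def egress(routes, dest):
    """Longest prefix wins; the lowest metric breaks ties."""
    ip = ipaddress.ip_address(dest)
    matches = [r for r in routes if ip in r[0]]
    return max(matches, key=lambda r: (r[0].prefixlen, -r[2]))[1]

def scenarios():
    """Map each setup to (interface for LAN_HOST, interface for WEB_HOST)."""
    setups = {
        "ticked, pool 172.16.1.x": client_routes("172.16.1.2", True),
        "unticked, pool 172.16.1.x": client_routes("172.16.1.2", False),
        "unticked, pool 192.168.1.x": client_routes("192.168.1.251", False),
        "split route, pool 172.16.1.x":
            client_routes("172.16.1.2", False, ["192.168.1.0/24"]),
    }
    return {k: (egress(r, LAN_HOST), egress(r, WEB_HOST)) for k, r in setups.items()}

if __name__ == "__main__":
    for name, (lan, web) in scenarios().items():
        print(f"{name:30} LAN via {lan:3}  Internet via {web}")
```

Only the last two setups send the LAN host through the tunnel while Internet traffic stays on the local connection; the split-route setup gets there without putting VPN clients in the LAN's own subnet.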
  9. Jim Willsher

    will_pothible

    Joined:
    Nov 14, 2006
    Messages:
    1
    Hmm.

    Well, I connect to my college through a VPN connection at home and I had the same problem, that when I was making the VPN connection, it kind of was prioritised over my own internet connection, as if it took it all up. I asked my computing teacher, as I study computing, and I was told that when you make a VPN connection, because your computer becomes a network on that particular network you cannot then use your own internet connection. However, if the network you're connecting to does have an internet connection with no proxy settings then you should connect to their internet connection automatically, but if they have proxy server settings, just put them into your Internet Explorer settings and whenever you connect via VPN then you'll actually get their internet connection through your internet connection. Kind of thing. Get me? :top:
     
    will_pothible, Nov 14, 2006
    #9