VPN - how to access internet and VPN resources at the same time?

Discussion in 'Cisco' started by Jim Willsher, May 8, 2006.

  1. Jim Willsher

    Jim Willsher Guest


    I've asked this here already, but I probably didn't phrase it very

    I've got a Cisco 837, which I have configured as a VPN server (pptp).
    The router is

    My VPN address pool is to

    When I establish a VPN connection to my server using a bog-standard
    Windows PPTP connection, I have two scenarios:

    1) If I have the box "use default gateway on remote network" ticked
    then I can access my VPN resources (e.g.,,
    but I can't resolve any DNS.

    2) If I have the box "use default gateway on remote network" unticked
    then I can resolve DNS, but I can't access my VPN resources (e.g., unless I do a "ROUTE ADD MASK".

    With my old DrayTek I used to be in scenario 2, e.g. have the box
    unticked, but I could quite happily surf the web AND access VPN
    resources, without requiring the ROUTE ADD command.

    Can anyone suggest what I need to configure on my VPN? Having googled
    for three days, the concept of LOOPBACK keeps occurring, as does Split
    DNS, but I'm sure it must be something very simple that's required.

    Or is there some way of adding some kind of alias on the router, such
    that instead of trying to access my VPN resources via 192.168.1.x I
    access them via 172.16.x.x and the addresses get translated? I'm
    clutching at straws here in desperation!

    Many thanks,


    PS Happy to make a PayPal donation to anyone who can help me achieve
    the solution!!!
    Jim Willsher, May 8, 2006

  2. Jim Willsher

    Jim Willsher Guest

    I forgot to say - it's the identical problem as described here:


    but surely there's a simple solution? I get varying addresses
    (dynamic) so ROUTE ADD is not really ideal.

    Jim Willsher, May 8, 2006

  3. Jim Willsher

    Jim Willsher Guest


    Okay, I'm responding to my own question - but then again I talk to
    myself too !

    I've just connected to a client's VPN on address x.x.x.240. I was
    assigned a local IP of x.x.x.160. If I look at my routing table (ROUTE
    PRINT) I see that the VPN Server has automatically added a static
    route for me:

    x.x.x.0 mask x.x.x.160

    This is exactly what I want to achieve! So, can anyone help me add the
    appropriate lines to my config so that a static route of mask <assigned VPN IP address>

    Thank you everyone,

    Jim Willsher, May 8, 2006
  4. Jim Willsher

    Jim Willsher Guest

    Okay, nobody in this NG seemed able (or willing!) to help.

    The solution is this: Make your VPN address ranges on the same subnet
    as the router.

    My router is, and my subnet is I have now
    set my VPN address pool to be to When I
    establish a VPN session now, I get the correct routing table

    For the benefit of anyone else trying to achieve the same.

    Jim Willsher, May 9, 2006
  5. Jim Willsher


    Oct 4, 2006
    Could use a hand

    Hey Jim I am having a similar problem. When I connect to my vpn I lose all my net connectivity....

    When I did a trace route on yahoo.com I kept getting my vpn server's local IP address returned.

    It would be great if you could help me out, as yours is the only thing I could find on Google similar to my problem...

    laurin, Oct 4, 2006
  6. Jim Willsher


    Oct 3, 2006
    Don't you have to enable split tunneling to be able to access resources outside of the scope of the vpn tunnel?
    SteveB, Oct 10, 2006
  7. Jim Willsher


    Oct 11, 2006
    I'm only learning this stuff myself, but as SteveB said I think split-tunneling is really what you're looking for here. I think having the VPN clients in the same subnet as your LAN is probably going to cause you problems at some point...
    Zenith, Oct 11, 2006
  8. Jim Willsher


    Oct 3, 2006
    If you address your VPN clients from the same network id the internal clients use, it will cause problems, especially if you are using the Cisco VPN client software. I just did a split tunnel this morning and it works great. The internal networks on the WAN are, 4.0, and 5.0. The firewall is a Cisco ASA 5510. The VPN clients get an address from the pool of - I put in a split tunnel acl that says if you are going to 192.168.x.x, go over the tunnel, otherwise use the "regular" internet connection on the remote VPN client.

    There is a router on the internal corporate WAN, so I had to add a route to that that says, to get to, go to the inside interface on the firewall.

    It works great.

    Other configuration issues aside, if you want to have a VPN connection and your regular Internet connection active at the same time, you HAVE to split-tunnel and specify which network destinations need to go over the tunnel. All other traffic will go unencrypted over the Internet to wherever you want, web sites, e-mail server, etc.
    Last edited: Oct 11, 2006
    SteveB, Oct 11, 2006
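
The routing behaviour discussed above, as an added example that is not part of any post in this thread: it models a VPN client's routing table with the "use default gateway on remote network" box ticked (`full`), unticked with no route to the internal network (`none`), and with a split-tunnel list (`split`), and reports which destinations leave outside the tunnel. The function names, the host addresses and the `192.168.0.0/16` tunnel list (standing in for "192.168.x.x") are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample destinations; none of these addresses come from the thread.
DESTS = ["192.168.1.10", "192.168.4.20", "203.0.113.80"]

def build_routes(mode, tunnel_nets=()):
    """Client routing table as (network, interface, metric) tuples."""
    # The client's ordinary default route via its own Internet connection.
    routes = [(ipaddress.ip_network("0.0.0.0/0"), "local", 20)]
    if mode == "full":
        # "Use default gateway on remote network" ticked: the tunnel
        # installs a preferred (lower-metric) default route.
        routes.append((ipaddress.ip_network("0.0.0.0/0"), "vpn", 1))
    elif mode == "split":
        # Split tunnel: only the listed networks are routed into the tunnel.
        routes += [(ipaddress.ip_network(n), "vpn", 1) for n in tunnel_nets]
    elif mode != "none":
        raise ValueError(f"unknown mode: {mode}")
    return routes

def egress(routes, dst):
    """Pick the route by longest prefix, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    net, iface, metric = max(matches, key=lambda r: (r[0].prefixlen, -r[2]))
    return iface

def classify(mode, dests=DESTS, tunnel_nets=()):
    """Map each destination to the interface its traffic leaves on."""
    routes = build_routes(mode, tunnel_nets)
    return {d: egress(routes, d) for d in dests}

def outside_tunnel(mode, dests=DESTS, tunnel_nets=()):
    """Destinations that leave via the local connection, outside the tunnel."""
    result = classify(mode, dests, tunnel_nets)
    return sorted(d for d, iface in result.items() if iface == "local")

if __name__ == "__main__":
    for mode, nets in [("full", ()), ("none", ()), ("split", ("192.168.0.0/16",))]:
        print(mode, classify(mode, tunnel_nets=nets))
```

Running `outside_tunnel` against a proposed split-tunnel list is a quick way to check which destinations will not be carried by the tunnel before the list is deployed.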
  9. Jim Willsher


    Nov 14, 2006

    Well, I connect to my college through a VPN connection at home and I had the same problem, that when I was making the VPN connection, it kind of was prioritised over my own internet connection, as if it took it all up. I asked my computing teacher, as I study computing, and I was told that when you make a VPN connection, because your computer becomes a network on that particular network you cannot then use your own internet connection. However, if the network you're connecting to does have an internet connection with no proxy settings then you should connect to their internet connection automatically, but if they have proxy server settings, just put them into your Internet Explorer settings and whenever you connect via VPN then you'll actually get their internet connection through your internet connection. Kind of thing. Get me? :top:
    will_pothible, Nov 14, 2006