Cisco vpn client and home network (easy one?)
Let me preface that I am not here for the test but I have a quick question that someone with a little cisco knowledge can answer easily. Have an issue with a cisco vpn client. When I connect to the 3005 concentrator from a remote machine using the vpn client I lose all home lan connectivity. My home lan and corp lan are both using 192.168. Is there a way around this?
Any help appreciated
Rebooting computers since 1999
Comments
-
sexion8 Member Posts: 242
dmw wrote: Let me preface that I am not here for the test but I have a quick question that someone with a little cisco knowledge can answer easily. Have an issue with a cisco vpn client. When I connect to the 3005 concentrator from a remote machine using the vpn client I lose all home lan connectivity. My home lan and corp lan are both using 192.168. Is there a way around this?
Any help appreciated
This isn't a Cisco issue at all, rather a no-brainer. Change your home network to something like 10.10.10.x or anything with a 10.x.x.x address. What is likely happening is the corp and home network are using the same IP range so when you connect to your corp, everything is routed through there. When you disconnect, your machine likely thinks that gateway is still up since it sees A GATEWAY up. So it is likely trying to send data through it securely and failing miserably.
I had this same issue with the following setup:
CorpLan -> VLAN Switch -> ISA Server (NAT) -> Checkpoint -> VPN Tunnel -> Client -> Pix -> VLAN
It was a miserable setup but not my choice. CorpLan and VLAN on the client side were using the same address blocks and when people in my company connected to our client, the minute they disconnected, they had to ipconfig /renew to fix it. Changing our internal addressing (since the client wouldn't) for a few machines alleviated this.
"Everything we hear is an opinion, not a fact. Everything we see is a perspective, not the truth." - Marcus Aurelius
-
dmw Member Posts: 81
Yes, I figured that was the issue. Is there any other way around it that you know? The router handing out IPs does not allow changing the IP range.
Rebooting computers since 1999
-
mikej412 Member Posts: 10,086
If the policies are being pushed from the concentrator, you may be out of luck..... but check the Transport Tab for your connection entry and see if "Allow Local LAN Access" is checked.
Cisco Certifications -- Collect the Entire Set!
-
sexion8 Member Posts: 242
dmw wrote: Yes, I figured that was the issue. Is there any other way around it that you know. The router handing out IP's does not allow changing the ip range.
Huh? What about your home lan... What's cooking Mike
"Everything we hear is an opinion, not a fact. Everything we see is a perspective, not the truth." - Marcus Aurelius
-
dmw Member Posts: 81
No, I thought my home lan was set to use a fixed ip range but in fact I can change it so I will try that.
Rebooting computers since 1999
-
sprkymrk Member Posts: 4,884
dmw wrote: Let me preface that I am not here for the test but I have a quick question that someone with a little cisco knowledge can answer easily. Have an issue with a cisco vpn client. When I connect to the 3005 concentrator from a remote machine using the vpn client I lose all home lan connectivity. My home lan and corp lan are both using 192.168. Is there a way around this?
Any help appreciated
Are you saying that when you connect the VPN Tunnel, you lose access to your local (home) resources, but if you disconnect the VPN Tunnel you can then access your local resources again?
If that is the case then it is probably by design for security reasons. It's called a global tunnel and causes a default route of 0.0.0.0 to go through the tunnel. It's as if your computer is magically transported to your corporate network, and if you are on your corporate network you probably can't access your home network.
This is to eliminate security issues with "split-arm" tunnels where you are connected to 2 networks at the same time, your corporate network and an untrusted network such as a hotel, Starbucks, or home.
If the VPN policy is enforced by the Administrators at the Cisco concentrator then changing your IP at home won't help.
All things are possible, only believe.
-
dmw Member Posts: 81
That is what happens. So the concentrator would need to be set up to allow it.
Thanks
Rebooting computers since 1999
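
Added example, not part of any post in this thread: a Python check of the two points raised above, whether a home LAN overlaps the address ranges the VPN tunnels, and which private range would avoid the overlap. The two tunnel policies are constructed sample values and the function names are illustrative; a tunneled list of 0.0.0.0/0 stands for the full ("global") tunnel, where no renumbering removes the overlap.

```python
import ipaddress

# RFC 1918 private blocks a home router can normally be renumbered into.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def conflicts(home_lan, tunneled):
    """Return the tunneled networks whose address space overlaps the home LAN."""
    home = ipaddress.ip_network(home_lan)
    return [net for net in map(ipaddress.ip_network, tunneled)
            if home.overlaps(net)]


def suggest_home_lan(tunneled, prefixlen=24):
    """Return the first private subnet no tunneled network overlaps, or None."""
    nets = [ipaddress.ip_network(t) for t in tunneled]
    for block in RFC1918:
        for candidate in block.subnets(new_prefix=prefixlen):
            if not any(candidate.overlaps(n) for n in nets):
                return candidate
    return None


# Constructed sample policies (assumptions, not taken from the thread).
SPLIT_TUNNEL = ["192.168.0.0/16", "172.16.0.0/12"]  # only corp ranges tunneled
FULL_TUNNEL = ["0.0.0.0/0"]                         # default route via tunnel

if __name__ == "__main__":
    for name, policy in (("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL)):
        for home in ("192.168.1.0/24", "10.10.10.0/24"):
            hits = [str(h) for h in conflicts(home, policy)]
            print(f"{name:5} home={home:16} overlaps={hits}")
        print(f"{name:5} free private /24: {suggest_home_lan(policy)}")
```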