VPN to External (Full Version)



create_share -> VPN to External (9.Jun.2009 7:39:15 AM)


My internal users cannot use the internet if they are connected through ISA 2006 to a remote Cisco VPN router. I disabled the default gateway on the VPN client connection and used ISA as web proxy, but it is still not working.


pwindell -> RE: VPN to External (9.Jun.2009 11:49:50 AM)

That has nothing to do with ISA.
That is within the behavior of the Cisco VPN Client.  By the nature of VPN,...once activated,...becomes the Default Gateway of the machine and over-rides the original Default Gateway.  So any traffic not destined for the local LAN is automatically passed through the VPN Client whether it is the right place to go or not.

Web Proxy Clients can typically use the ISA in spite of this because the redirection to the proxy happens at the Application Layer and so avoids the problem.  SecureNAT Clients are in big trouble.   Firewall Clients also use the Application Layer and would get around this, but unfortunately the FWC is usually disabled to allow the Cisco VPN Client to function so you are back to being a SecureNAT Client.

The place to correct this (if it is possible to correct) is in the Cisco VPN Client itself. I believe the term you might be looking for is Split Tunneling,...you need to "split-tunnel" the traffic to get it to work right. I do not know if Cisco uses that terminology or not.

create_share -> RE: VPN to External (9.Jun.2009 3:16:33 PM)

My users are using Windows VPN Connection to connect to a Cisco 837 ADSL router and not Cisco VPN Client (if any, I don't know).

Secondly, I have tested this without ISA by connecting a PC directly to the internet and to the Cisco router through Windows VPN connection at the same time. I just disabled the default gateway on the Windows VPN connection and the internet worked.

Maybe there is some configuration problem.


pwindell -> RE: VPN to External (9.Jun.2009 3:26:37 PM)

In a "Windows" VPN Connection you have to disable the checkbox that says "use gateway on remote network".   Where that is actually located in the DUN entry varies with your version of Windows running on the Client.  The newer the version of Windows,...the deeper they try to bury the setting seemingly behind dozens of mouse clicks.

If the VPN Client is not using DHCP,...then you can remove the Default Gateway Setting to produce a similar effect,...as you noticed.
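
The default-gateway override and the split-tunnel effect described in the replies above can be modelled as ordinary route selection. This is an added example, not part of the original thread; the routing tables, addresses, metrics and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample routing tables (all addresses and metrics are made up).
# Each route: (destination prefix, next hop, interface, metric)
FULL_TUNNEL = [
    ("0.0.0.0/0", "192.168.1.1", "LAN", 20),  # original default gateway (assumed to lead to ISA)
    ("0.0.0.0/0", "10.99.0.1", "VPN", 1),     # added while "use gateway on remote network" is checked
    ("192.168.1.0/24", "on-link", "LAN", 20),
    ("10.99.0.0/24", "on-link", "VPN", 1),
]
# Same table with the VPN default route removed (checkbox cleared / no VPN gateway).
SPLIT_TUNNEL = [r for r in FULL_TUNNEL
                if not (r[0] == "0.0.0.0/0" and r[2] == "VPN")]


def select_route(table, dest):
    """Pick the route a host would use: longest prefix first, then lowest metric."""
    addr = ipaddress.ip_address(dest)
    candidates = [r for r in table if addr in ipaddress.ip_network(r[0])]
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: (-ipaddress.ip_network(r[0]).prefixlen, r[3]))


def egress_interface(table, dest):
    """Interface name that traffic to dest leaves on, or None if unroutable."""
    route = select_route(table, dest)
    return route[2] if route else None


def vpn_overrides_default(table):
    """True when the winning default route points into the VPN."""
    defaults = [r for r in table if r[0] == "0.0.0.0/0"]
    return bool(defaults) and min(defaults, key=lambda r: r[3])[2] == "VPN"


if __name__ == "__main__":
    for name, table in (("full tunnel", FULL_TUNNEL), ("split tunnel", SPLIT_TUNNEL)):
        print(name, "override:", vpn_overrides_default(table))
        for dest in ("203.0.113.10", "10.99.0.25", "192.168.1.50"):
            print("  ", dest, "->", egress_interface(table, dest))
```

Only the non-local destination changes path between the two tables, which is why a client that relies on its default gateway loses internet access while the tunnel holds the default route.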

create_share -> RE: VPN to External (9.Jun.2009 3:47:59 PM)

It was only a matter of allowing "All Users" in the Internet Access Rule Users box and the internet started working. I don't know why it does not work if I add specific users.


pwindell -> RE: VPN to External (9.Jun.2009 3:55:21 PM)

Then you have a problem with ISA's Domain Membership,..or ISA's DNS Settings,...or both at the same time.
