2

I have access to a corporate VPN using Cisco VPN Client 5.0.00:0340, but when I'm connected to it, I don't have Internet access. I'm using Windows XP SP3. As was suggested here, http://forums.speedguide.net/showthread.php?t=209167, I tried to enable "Allow local LAN Access" but it doesn't work. I also tried a second solution - deleting an entry using the "route" command - but it didn't help. I used "route delete 192.168.100.222". It's the third day of my attempts to solve this issue and I have no idea what else to do. I'm not very experienced in VPN stuff, but I know something about networking. Based on my knowledge, I think that it's theoretically possible to achieve Internet access using my local network, with only corporate stuff routed over the VPN connection.

I think that theoretically this should look like this:

  • every IP inside the corporation -> VPN interface IP
  • every other IP -> my ethernet interface

I've tried many possibilities of how to change those routes, but none of them works. I'd really appreciate any help.

My route configuration before connecting to VPN:

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 c0 a8 de 79 01 ...... Atheros AR5006EG Wireless Network Adapter - Teefer2 Miniport
0x10005 ...02 00 4c 4f 4f 50 ...... Microsoft Loopback Card
0x160003 ...00 17 42 31 0e 16 ...... Marvell Yukon 88E8055 PCI-E Gigabit Ethernet Controller - Teefer2 Miniport
===========================================================================
===========================================================================
Active routes:
Network Destination        Netmask          Gateway        Interface Metrics
          0.0.0.0          0.0.0.0  192.168.101.254  192.168.100.222      10
         10.0.0.0    255.255.255.0        10.0.0.10       10.0.0.10       30
        10.0.0.10  255.255.255.255        127.0.0.1       127.0.0.1       30
   10.255.255.255  255.255.255.255        10.0.0.10       10.0.0.10       30
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
    192.168.100.0    255.255.254.0  192.168.100.222  192.168.100.222      1
  192.168.100.222  255.255.255.255        127.0.0.1       127.0.0.1       1
  192.168.100.255  255.255.255.255  192.168.100.222  192.168.100.222      1
        224.0.0.0        240.0.0.0        10.0.0.10       10.0.0.10       3
        224.0.0.0        240.0.0.0  192.168.100.222  192.168.100.222      1
  255.255.255.255  255.255.255.255        10.0.0.10       10.0.0.10       1
  255.255.255.255  255.255.255.255  192.168.100.222  192.168.100.222      1
  255.255.255.255  255.255.255.255  192.168.100.222               2       1
Default gateway:  192.168.101.254.
===========================================================================

My route configuration after connecting to VPN:

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 c0 a8 de 79 01 ...... Atheros AR5006EG Wireless Network Adapter - Teefer2 Miniport
0x10005 ...02 00 4c 4f 4f 50 ...... Microsoft Loopback Card
0x160003 ...00 17 42 31 0e 16 ...... Marvell Yukon 88E8055 PCI-E Gigabit Ethernet Controller - Teefer2 Miniport
0x170006 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter - Teefer2 Miniport
===========================================================================
===========================================================================
Active routes:
Network Destination        Netmask          Gateway        Interface Metrics
          0.0.0.0          0.0.0.0       10.251.6.1     10.251.6.51       1
         10.0.0.0    255.255.255.0        10.0.0.10       10.0.0.10       30
         10.0.0.0    255.255.255.0       10.251.6.1     10.251.6.51       10
        10.0.0.10  255.255.255.255        127.0.0.1       127.0.0.1       30
      10.1.150.10  255.255.255.255  192.168.101.254  192.168.100.222      1
       10.251.6.0    255.255.255.0      10.251.6.51     10.251.6.51       20
      10.251.6.51  255.255.255.255        127.0.0.1       127.0.0.1       20
   10.255.255.255  255.255.255.255        10.0.0.10       10.0.0.10       30
   10.255.255.255  255.255.255.255      10.251.6.51     10.251.6.51       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
    192.168.100.0    255.255.254.0  192.168.100.222  192.168.100.222      10
    192.168.100.0    255.255.254.0       10.251.6.1     10.251.6.51       10
  192.168.100.222  255.255.255.255        127.0.0.1       127.0.0.1       10
  192.168.100.255  255.255.255.255  192.168.100.222  192.168.100.222      10
  213.158.197.124  255.255.255.255  192.168.101.254  192.168.100.222      1
        224.0.0.0        240.0.0.0        10.0.0.10       10.0.0.10       30
        224.0.0.0        240.0.0.0      10.251.6.51     10.251.6.51       20
        224.0.0.0        240.0.0.0  192.168.100.222  192.168.100.222      10
  255.255.255.255  255.255.255.255        10.0.0.10       10.0.0.10       1
  255.255.255.255  255.255.255.255      10.251.6.51     10.251.6.51       1
  255.255.255.255  255.255.255.255  192.168.100.222  192.168.100.222      1
  255.255.255.255  255.255.255.255  192.168.100.222               2       1
Default gateway:   10.251.6.1.
===========================================================================

Update: @ggonsalv:

I did nearly the same thing as you've said. First I deleted "0.0.0.0" rule that was there during VPN connection. And then I've used your command, but with "if ethernet_card_id" at the end.

route add 0.0.0.0 mask 0.0.0.0 192.168.101.254 metric 1 if 0x3

That didn't work. What gives me a headache is how the hell the traffic is routed to the internal corporate network now. Routing is now set to route everything to my local network, not the VPN. When I type "google.com" in my browser, sniffer shows me that the DNS query goes to VPN DNS=10.22.20.1 which is defined as DNS address of VPN connection. I even changed DNS address in there to my local, now queries are with that address but I don't get any response. How is that even possible?! I'm not an expert at all and I just don't get it. Now my routing table looks like this (IP inside VPN changes between connections):

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 c0 a8 de 79 01 ...... Atheros AR5006EG Wireless Network Adapter - Teefer2 Miniport
0x3 ...00 17 42 31 0e 16 ...... Marvell Yukon 88E8055 PCI-E Gigabit Ethernet Controller - Teefer2 Miniport
0x10005 ...02 00 4c 4f 4f 50 ...... Microsoft Loopback Card
0x20006 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter - Teefer2 Miniport
===========================================================================
===========================================================================
Active routes:
Network Destination        Netmask          Gateway        Interface Metrics
          0.0.0.0          0.0.0.0  192.168.101.254  192.168.100.222      1
         10.0.0.0    255.255.255.0        10.0.0.10       10.0.0.10       30
         10.0.0.0    255.255.255.0       10.251.6.1    10.251.6.144       20
        10.0.0.10  255.255.255.255        127.0.0.1       127.0.0.1       30
      10.1.150.10  255.255.255.255  192.168.101.254  192.168.100.222      1
       10.251.6.0    255.255.255.0     10.251.6.144    10.251.6.144       20
     10.251.6.144  255.255.255.255        127.0.0.1       127.0.0.1       20
   10.255.255.255  255.255.255.255        10.0.0.10       10.0.0.10       30
   10.255.255.255  255.255.255.255     10.251.6.144    10.251.6.144       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
    192.168.100.0    255.255.254.0  192.168.100.222  192.168.100.222      20
    192.168.100.0    255.255.254.0       10.251.6.1    10.251.6.144       20
  192.168.100.222  255.255.255.255        127.0.0.1       127.0.0.1       20
  192.168.100.255  255.255.255.255  192.168.100.222  192.168.100.222      20
  213.158.197.124  255.255.255.255  192.168.101.254  192.168.100.222      1
        224.0.0.0        240.0.0.0        10.0.0.10       10.0.0.10       30
        224.0.0.0        240.0.0.0     10.251.6.144    10.251.6.144       20
        224.0.0.0        240.0.0.0  192.168.100.222  192.168.100.222      20
  255.255.255.255  255.255.255.255        10.0.0.10       10.0.0.10       1
  255.255.255.255  255.255.255.255     10.251.6.144    10.251.6.144       1
  255.255.255.255  255.255.255.255  192.168.100.222  192.168.100.222      1
  255.255.255.255  255.255.255.255  192.168.100.222               2       1
Default gateway:  192.168.101.254.
===========================================================================

I even deleted this line and it didn't help:

192.168.100.0    255.255.254.0       10.251.6.1    10.251.6.144       20
sysadmin1138
  • Related: http://superuser.com/questions/284709/how-to-allow-local-lan-access-while-connected-to-cisco-vpn – Vadzim Feb 18 '16 at 05:19

11 Answers

4

Not sure on the Cisco setup, because we use Watchguard. However, when setting up a new VPN account I have a checkbox that says forward all traffic from user over VPN. If this is checked all network traffic from the user is forced through the VPN. This is set up on the gateway device, not on the users system. I don't know if it is the same with Cisco, but I would assume it is similar.

Skaughty
  • 1
    There is a similar option in Cisco. I don't know exactly what it is called, but basically the network administrator can do this to prevent you from bridging a non-secure network into a secure network. – Catherine MacInnes May 06 '10 at 15:40
  • 1
    @Catherine: It's called split-tunneling – Zypher May 07 '10 at 05:01
  • +1 Split-tunneling! As soon as I read that the light bulbs went on. That is exactly the word I was looking for. – Skaughty May 07 '10 at 14:13
1

The VPN server is pushing you a new default gateway instead of your usual one, so all of your outbound traffic is routed through the VPN tunnel; this is what is blocking you from Internet access while you're connected to the VPN.

Not sure where this can be changed in the Cisco VPN Client, or even if you actually can change it (it probably is managed centrally by the VPN server). If you were using the built-in Windows VPN client, you'd have to edit the advanced TCP/IP properties of the VPN connection and disable the "Use default gateway on the remote network" setting.

Massimo
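The effect of the pushed default gateway can be checked against the routing tables in the question. The following is an added example, not code from any poster: it parses a subset of rows copied from the question's `route print` output and picks the route a destination would use. The function names are hypothetical, and the selection rule (longest prefix first, then lowest metric) is stated as an assumption about how the IPv4 stack chooses a route.

```python
import ipaddress

# Subset of unicast rows copied from the question's `route print` output taken
# after the VPN connects: destination, netmask, gateway, interface, metric.
AFTER_VPN = """
0.0.0.0          0.0.0.0          10.251.6.1       10.251.6.51      1
10.0.0.0         255.255.255.0    10.0.0.10        10.0.0.10        30
10.0.0.0         255.255.255.0    10.251.6.1       10.251.6.51      10
10.1.150.10      255.255.255.255  192.168.101.254  192.168.100.222  1
10.251.6.0       255.255.255.0    10.251.6.51      10.251.6.51      20
192.168.100.0    255.255.254.0    192.168.100.222  192.168.100.222  10
213.158.197.124  255.255.255.255  192.168.101.254  192.168.100.222  1
"""
# Default route from the question's table taken before connecting.
BEFORE_VPN = "0.0.0.0  0.0.0.0  192.168.101.254  192.168.100.222  10"


def parse_routes(text):
    """Turn `route print` rows into (network, gateway, interface, metric)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # headers, separators, blank lines
        dest, mask, gateway, iface, metric = parts
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            routes.append((net, gateway, iface, int(metric)))
        except ValueError:
            continue  # not a route row
    return routes


def select_route(routes, target):
    """Longest prefix wins; the lowest metric breaks ties (assumed rule)."""
    addr = ipaddress.ip_address(target)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: (r[0].prefixlen, -r[3]), default=None)


def tunnel_mode(routes, vpn_iface):
    """'full-tunnel' if the preferred default route leaves via the VPN adapter."""
    defaults = [r for r in routes if r[0].prefixlen == 0]
    if not defaults:
        return "no-default-route"
    best = min(defaults, key=lambda r: r[3])
    return "full-tunnel" if best[2] == vpn_iface else "local-default"
```

With the question's tables, `tunnel_mode` reports a full tunnel once the VPN adapter (10.251.6.51) is up, while the host routes for 10.1.150.10 and 213.158.197.124 still leave through the local gateway.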
1

Open up properties on the LAN connection you're using then do the following:

Click Internet Protocol (TCP/IP) then click Properties.
In the Internet Protocol (TCP/IP) window click on Advanced...
Click the DNS tab and select "Append primary and connection specific DNS suffixes"

After you've set that you should be able to access the internet again.

Cisco seems to change this when you connect then reverts it back once you've disconnected from the VPN.

Bart De Vos
naveed
0

Unless your VPN connection allows internet you will not get the internet.

The route rule 0.0.0.0 0.0.0.0 10.251.6.1 10.251.6.51 1 says that when you go to any web site (IP address) it will be routed via 10.251.6.1.

You can also use the route /add to add a new persistent route.

Give this a try:

route add 0.0.0.0 MASK 0.0.0.0 192.168.101.254 METRIC 1

It should add 192.168.101.254 as the top route.

ggonsalv
0

I had the same issue but I resolved it.

Check if you have the access-list ext under crypto isakmp client configuration group cisco.

HopelessN00b
0

I used to have this problem then found a quick solution for resolving it.

Open up properties on the LAN connection you're using then do the following:

  • Click Internet Protocol (TCP/IP) then click Properties.
  • In the Internet Protocol (TCP/IP) window click on Advanced...
  • Click the DNS tab and select "Append primary and connection specific DNS suffixes"

After you've set that you should be able to access the internet again.

Cisco seems to change this when you connect then reverts it back once you've disconnected from the VPN.

Darren Mac
0

I had the same issue. Using the following line solved my problem:

route add 0.0.0.0 MASK 0.0.0.0 192.168.0.1 METRIC 1

192.168.0.1 being the default gateway of my main server serving internet connections within our office.

However using the following did NOT work:

Open up properties on the LAN connection you're using then do the following:

  • Click Internet Protocol (TCP/IP) then click Properties.
  • In the Internet Protocol (TCP/IP) window click on Advanced...
  • Click the DNS tab and select "Append primary and connection specific DNS suffixes"
slm
0

This has been a vexing issue since I got this Cisco AnyConnect VPN Client installed on my Windows 7 64 bit PC. The solutions I found on the internet were to restart the PC. That would restore the internet connectivity.

I found a better way to re-enable the internet after disconnecting from a remote server.

Steps to re-enable WAN access:

  • Disconnect the Cisco AnyConnect VPN client (disconnect the client from the server).
  • Open Control Panel
  • Open System in Control Panel
  • In System, find Device Manager
  • Open Device Manager
  • Find Network adapters in Device Manager
  • Expand Network adapters
  • Right click on the Ethernet Controller, select Disable and confirm disable
  • Right click on the Ethernet Controller, select Enable and close the windows.

Your internet access should be restored without a PC restart.

I hope this works for many people... Cheers!

CES
  • This question is about older `Cisco VPN Client`. Here are other questions about `Cisco Anyconnect VPN Client`: http://superuser.com/questions/616192/split-tunnel-and-cisco-anyconnect, http://serverfault.com/questions/663947/lan-access-with-cisco-anyconnect-secure-mobility-client-v-3-0-4235. This answer should be moved there. – Vadzim Feb 18 '16 at 05:18
0

The easier way to resolve this issue, since I read that someone didn't have this issue on Win XP, is to try to:

  • Completely uninstall your VPN client
  • Make a clean from registry (advanced users please; optional for beginners)
  • Change the COMPATIBILITY of your setup.exe file (VPN client) --> check "run as administrator" --> change the compatibility to Win XP SP3
  • Run your compatible setup.exe file (VPN client)
  • Once completed, run your VPN client, and navigate on Internet without any issue.

I have tested it on:

  • Win 7 32 and 64 bits
  • Make sure that you have the latest Java installed
  • IE, Firefox, other browsers (VPN+Internet)
  • Wireless
  • Ethernet
  • Several laptops, within different network architectures

Note: this option resolves a lot of issues on other OS, before making any other troubleshooting checklist

MichelZ
Anouar
0

I am using WINDOWS 10 and had similar issue when connecting to my work Cisco AnyConnect Secure Mobile Client. Pretty much I would lose my wifi connectivity when I connected to AnyConnect VPN. To be more specific, the wifi connection would show up as "No Internet, Secured".

Doing the following fixed this issue:

1) Go to Control Panel > Network and Internet > Network and Sharing Center

2) On the left side panel, there should be an option called "Change Adapter Settings". Click on it

3) Single left click on "Wi-Fi" to select it and you should see an option called "Change Settings of this connection" pop up on a tab located right above this "Wi-Fi" icon. Click it. If you don't see it, click ">>" to expand and you should see this option

4) This will bring up "Wi-Fi Properties" window. Click on "Sharing" tab

5) Check the box "Allow Connection Sharing" and under "Home networking connection", I chose "Ethernet". You can Choose "Wi-Fi" if you want.

The above setup should now allow you to connect to AnyConnect Cisco VPN while staying connected with your local wifi connection.

0

Network and internet settings -> VPN -> Change adapter options. It will list all the interfaces.

Right click -> Properties. Uncheck IPv6.

Do this for the VPN and other network interface.

Worked for me.

rinjan