
[NOTE: I HAVE POSTED THIS QUESTION ALSO IN "SUPERUSER"]

At work, we have Windows 10 machines. We also have a customer VMware Workstation VM (Ubuntu) running locally. The customer provides a connection from our host machines to a VPN server. Connecting to the VPN server lets us download required files, connect to the Internet, etc. ALL of this inside the Ubuntu VM.

However, the VPN connection (Cisco AnyConnect) blocks any Internet access from the host machines (Windows 10): When we are connected to the VPN: Outlook is not working, Lync is not working, host Internet is not working, and so forth. Of course:

• Customer does not provide split tunneling (and will not provide it). If we try to run (for instance) another VPN service, the customer VPN is disconnected...: all the work that you have been doing for hours inside the VM (downloading GBs of files, compiling code with the tools only accessible using the VPN, and so forth) is lost.

• The Internet access via the VM is extremely limited: we cannot Google to review a bash command, or a Python or C one; you cannot access StackOverflow... Trying to find a solution:

• I am thinking of installing VirtualBox (to avoid conflicts with the customer environment);

• Install a Windows 10 VM (yes... a W10 guest in a W10 host);

• Forward a USB port to this W10 guest machine;

• Connect an external WiFi card to that USB port.

With this configuration, I am assuming the customer VPN will not "realize" that one USB port has been stolen from the host machine. Thus, we would be able to have Internet traffic inside the W10 guest machine using the external WiFi card through the USB port.

Questions:

  1. Is that configuration a possible one?

  2. Will this configuration provide the solution we are looking for?

  3. I do not see how the host applications (Outlook, Lync, browsers) would be able to benefit from the guest's access to the Internet. Is there any way to use the W10 guest machine as a gateway or proxy for the host one (weird... right?)

  4. Finally, I found somewhere some advice related to providing some kind of obfuscation for the Internet traffic of the stolen USB port. But, if it is really stolen and the customer VPN has no way (?) to know that the stolen port exists, I do not find this a necessary step, unless this scenario can be considered split tunneling and thus the Internet traffic of the W10 guest is vulnerable to external attacks, as is usually described in documents related to split tunneling.

Thanks in advance! Any help will be very much appreciated!

Umaykumar

3 Answers

It is not FULLY clear what you want to achieve, and before you go down this path please make sure you understand your employer's security policy regarding VPN connections back to work (and the setup you are describing sounds oddly familiar, to the point that you should look into INTERNAL resources like websites and mailing lists for a solution to your problem).

That said, I assume the problem you have is:

  1. You work (either permanently or temporarily) on your employer's equipment either from home or customer's premises.
  2. When doing the above you are connecting using Cisco AnyConnect, which, as you described, routes ALL Internet traffic towards the VPN gateways.
  3. At this point you cannot connect your customer's VM to their VPN, and you need both to perform your work.

The way to do it IMHO is to involve your manager and work with the IT departments of both companies to provide a solution to this problem. This may (depending on security policies at both ends) mean providing custom security policies for your laptop, providing you TWO systems (one for connecting to your employer and another for connecting to your customer), or having TWO VMs under one HOST instead of two physical systems, one connected to your employer's VPN, the other to your customer's.

Tomek

The Cisco AnyConnect client is a security client as much as a VPN client. It's really designed for enforcing security policies on company-owned equipment, like disallowing split tunneling.

The fact that your customer is pushing an overly restrictive security policy onto equipment that is not owned by them, and that it is severely impacting your ability to work, is really not acceptable. This should be handled by negotiating a different policy or different connectivity to their network.

It is unlikely you will be able to plug in or use a secondary internet connection for internet access. As stated, the Cisco client is more than a VPN client. It intercepts your network traffic and DNS requests and forcefully blocks traffic.

Since the client enforces strict policies on the system, there is probably no supported method of accomplishing what you are asking.

Appleoddity

You could create a Linux VM on that machine and a Linux DNS server somewhere else. Then you can tunnel your traffic over DNS. It's not perfect, but it would work.

Jonas Bjork
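The last answer mentions tunneling traffic over DNS. From the defender's side, that kind of covert channel is exactly what a customer's security team (or the AnyConnect posture checks described in the second answer) would want to spot in resolver logs. Below is an added example, not code from any of the answerers or from Cisco, showing a common SOC heuristic for flagging DNS-tunnel-like behaviour: many queries from one client to one registered domain, with long, high-entropy subdomain labels and a high share of TXT/NULL records. The log format, the sample lines, the thresholds, and the "last two labels are the registered domain" rule are all assumptions made for this example (a real deployment would use the Public Suffix List and tune thresholds to its own baseline).

```python
"""Flag DNS clients whose query pattern looks like a covert DNS tunnel.

Heuristics (a common SOC approach, not a vendor algorithm):
  * many queries from one client to one registered domain,
  * long, high-entropy subdomain labels (encoded payload going out),
  * a high share of TXT/NULL records (large payloads coming back).
"""
import math
from collections import defaultdict

# Constructed sample resolver log (not real traffic), one query per line:
# "<epoch> <client_ip> <qname> <qtype>". 10.0.0.5 browses normally;
# 10.0.0.7 sends hex-looking labels to one domain and asks for TXT/NULL.
SAMPLE_LOG = """\
1700000001 10.0.0.5 www.example.com A
1700000002 10.0.0.5 mail.example.com A
1700000004 10.0.0.5 cdn.example.com AAAA
1700000005 10.0.0.5 www.example.com A
1700000006 10.0.0.5 login.example.com A
1700000003 10.0.0.7 a3f9c1e2b7d4.k8q2zx.tunnel-example.net TXT
1700000003 10.0.0.7 9e2d7b1c4f8a.m1p0qr.tunnel-example.net TXT
1700000004 10.0.0.7 5b8e0a6f3c1d.t7y4wv.tunnel-example.net TXT
1700000004 10.0.0.7 c4d1e8f2a9b3.h6j5nu.tunnel-example.net TXT
1700000005 10.0.0.7 7a2b9c4d1e6f.g3k8mp.tunnel-example.net NULL
1700000005 10.0.0.7 e1f6a2b9c3d7.s5v0xq.tunnel-example.net TXT
"""


def shannon_entropy(s):
    """Bits per character of s; 0 for empty or single-symbol strings."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Split a query name into (registered_domain, subdomain_chars).

    Assumption for this example: the registered domain is the last two
    labels. Real code should consult the Public Suffix List.
    """
    labels = qname.lower().rstrip(".").split(".")
    registered = ".".join(labels[-2:])
    subdomain = "".join(labels[:-2])  # label payload, dots removed
    return registered, subdomain


def parse_log(text):
    """Yield (client_ip, qname, qtype) tuples from the assumed log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _epoch, client, qname, qtype = parts
        yield client, qname, qtype.upper()


def score_clients(records, min_queries=5, entropy_threshold=3.0,
                  min_mean_subdomain_len=12):
    """Return {(client, registered_domain): stats} for suspicious pairs."""
    stats = defaultdict(lambda: {"queries": 0, "entropy_sum": 0.0,
                                 "sublen_sum": 0, "payload_records": 0})
    for client, qname, qtype in records:
        registered, subdomain = split_name(qname)
        s = stats[(client, registered)]
        s["queries"] += 1
        s["entropy_sum"] += shannon_entropy(subdomain)
        s["sublen_sum"] += len(subdomain)
        if qtype in ("TXT", "NULL"):
            s["payload_records"] += 1

    flagged = {}
    for key, s in stats.items():
        if s["queries"] < min_queries:
            continue  # too little data to judge
        mean_entropy = s["entropy_sum"] / s["queries"]
        mean_sublen = s["sublen_sum"] / s["queries"]
        if mean_entropy >= entropy_threshold and mean_sublen >= min_mean_subdomain_len:
            flagged[key] = {
                "queries": s["queries"],
                "mean_entropy": round(mean_entropy, 2),
                "mean_subdomain_len": round(mean_sublen, 1),
                "payload_share": round(s["payload_records"] / s["queries"], 2),
            }
    return flagged


if __name__ == "__main__":
    for (client, domain), info in score_clients(parse_log(SAMPLE_LOG)).items():
        print(f"suspicious: {client} -> {domain}: {info}")
```

The example deliberately requires both high entropy and long labels before flagging, so that a client making many ordinary queries to one busy domain (the 10.0.0.5 case above reaches the query threshold but not the entropy one) is not reported; the TXT/NULL share is carried along as supporting evidence for the analyst rather than as a trigger on its own.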