60 pts.
 VPN: LAN access
Hi, I connect to my customer's VPN with Cisco AnyConnect VPN Client (v. 2.4.1012). While connected I can't use the internet, Outlook, ... The VPN administrator told me that the VPN is configured in this way and the rule cannot be modified for policy reasons. I'm sure that there is a workaround for this using some kind of routing, but I'm not familiar with network management. Can you please help me?

Software/Hardware used:
Windows 7 Cisco Anyconnect VPN Client
ASKED: October 30, 2012  9:10 AM
UPDATED: October 30, 2012  2:11 PM

Answer Wiki:
You could try the route add command at the following link: Route-add. Likely there is not a workaround, and rightfully so; it is a security feature. Similar Juniper VPN clients will actually disconnect the VPN if an attempt is made to override by adding a route via the command prompt. The reason this is done is to mitigate the risk of access to the corporate network via the remote user's Internet connection. Now on the flip side, it could be argued that your customer's system admin has possibly not configured the VPN properly, as it is possible to route your traffic to the Internet via the corporate ISP and still maintain positive control of the traffic flow.
Last Wiki Answer Submitted:  November 28, 2012  11:33 pm  by  TomLiotta   108,055 pts.
All Answer Wiki Contributors:  TomLiotta   108,055 pts. , Hoover87   280 pts. , Michael Tidmarsh   11,400 pts. , webluca   60 pts.
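The answer above notes that some VPN clients watch for routes added around the tunnel. As an added example (not from the original thread, and not any vendor's implementation), this Python check shows what an administrator could run on a managed endpoint: it parses the IPv4 rows of Windows `route print` and lists routes that leave outside the VPN interface. The sample table, all addresses and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample: IPv4 "Active Routes" rows from Windows `route print`
# while a full-tunnel VPN is up. All addresses are made up.
SAMPLE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50   4250
          0.0.0.0          0.0.0.0         10.8.0.1       10.8.0.23      2
         10.8.0.0    255.255.255.0          On-link       10.8.0.23    257
      192.168.1.0    255.255.255.0          On-link    192.168.1.50   4506
     203.0.113.10  255.255.255.255      192.168.1.1    192.168.1.50   4251
     198.51.100.0    255.255.255.0      192.168.1.1    192.168.1.50     26
"""

def parse_routes(text):
    """Return (network, gateway, interface, metric) tuples from route rows."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5 or not f[4].isdigit():
            continue  # header, separator or unrelated line
        net = ipaddress.ip_network(f"{f[0]}/{f[1]}")
        routes.append((net, f[2], f[3], int(f[4])))
    return routes

def tunnel_bypasses(text, vpn_if, vpn_server):
    """List routes that send off-link traffic around the VPN interface.

    vpn_if is the VPN adapter's IP address, vpn_server the VPN gateway's
    public address (both supplied by the caller; assumptions of this example).
    """
    routes = parse_routes(text)
    findings = []
    # The lowest-metric default route must belong to the VPN adapter.
    defaults = [r for r in routes if r[0].prefixlen == 0]
    if defaults and min(defaults, key=lambda r: r[3])[2] != vpn_if:
        findings.append("default route does not prefer the VPN interface")
    server = ipaddress.ip_address(vpn_server)
    for net, gw, iface, _metric in routes:
        if iface == vpn_if or gw == "On-link" or net.prefixlen == 0:
            continue  # tunnelled, directly attached, or handled above
        if net.prefixlen == 32 and server in net:
            continue  # host route that carries the tunnel itself
        findings.append(f"{net} via {gw} leaves through {iface}")
    return findings

if __name__ == "__main__":
    for finding in tunnel_bypasses(SAMPLE, "10.8.0.23", "203.0.113.10"):
        print(finding)
```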


Discuss This Question:


 

The VPN administrator told me that the VPN is configured in this way and the rule cannot be modified for policy reasons.
 
If it is policy and set by an administrator, we can’t help to circumvent it. A policy setting would probably have a valid business reason (especially if it’s a known setting). However, if a vulnerability is found that leaves a hole open, we’ll gladly help the administrator close it.
 
Tom

 108,055 pts.

 

You want a work-around?  The only one we’ll provide, as this is an ethical website, is to have a second (perhaps older) PC running that is logged into the Internet.  You can browse and email from there to your heart’s content without having to hack your customer’s network and policies.
And if I was your customer and you knowingly circumvented my network, the best you could hope for is the loss of my business.  Think lawsuits!

 7,185 pts.

 

Of course I don’t want to hack anything and I don’t want to make something not ethical… I was thinking if it is possible to split my network and connect to VPN in one portion and continue working on internet in the other one, or something similar. I made something similar using Windows Virtual PC, but I don’t need an entire virtual machine, it’s enough to have a virtual adapter…

 60 pts.

 

…I don’t want to hack anything and I don’t want to make something not ethical…
 
We don’t think you intend anything like that, but it should be clear that it could be interpreted as unethical by your customer. Your obligation is to avoid even the appearance of unethical behavior.
 
I was thinking if it is possible to split my network and connect to VPN in one portion and continue working on internet in the other one,…
 
Splitting your network is not the same as having your single system actively holding two different connections. That is specifically what the customer’s policy forbids for whatever reason. You’re stuck with respecting that requirement regardless of the inconvenience, or it’ll become “unethical”.
 
Respecting customer policies is part of ethics. Circumventing this policy probably isn’t illegal and perhaps isn’t even morally wrong. But because it goes against customer expectations, it is “unethical”, i.e., outside of ethical.
 
A second system, perhaps a virtual one, seems to be a reasonable resolution.
 
Tom

 108,055 pts.