Windows – How to send traffic to specific IP addresses through VPN and others directly to the internet

cisconetworkingroutingvpnwindows

I am running Windows 7 and using the Cisco VPN adapter to connect to a private network where I access resources starting with the IP address 172..

My problem is that when connected to the VPN all external traffic is routed through the VPN. I want to set things up so only certain IP addresses go through the VPN and everything else goes out over the local adapter and out to the internet as normal.

How?

Best Answer

In Vista:

Go into the Control Panel and click the “Network and Sharing Center” icon.

On the left panel of the resulting screen you should see a link, “Manage network connections.” Click it.

The next screen will have icons for all of your connections. There should be one for your VPN. Right-click it and select “Properties” from the menu.

In the “Properties” screen, click the “Networking” tab and then select “Internet Protocol Version 4? and click the “Properties” button.

Click the “Advanced” button. This will bring up a new window where you can un-check “Use default gateway on remote network.”

OK out to save everything.

Related Solutions

How to keep general internet traffic off Windows 2008 R2 VPN and only handle VPN traffic

Use the CMAK to create a connectoid that has the option to not use the remote connection as the default gateway. Deploy that connectoid to your users. If you can't deploy the connectoid, simply have your users edit the properties of the connection thusly: Properties >> Networking Tab >> TCP/IP v4 properties >> Advanced >> Disable "Use default gateway on remote network". Works like a charm.

Cisco ASA VPN – Route all internet traffic from remote site through main site’s ISP

Alter the ACLs controlling your tunnel policy to permit the traffic:

Site A:

access-list outside_cryptomap_A extended permit ip any object-group site_b_hosts
no access-list outside_cryptomap_A extended permit ip object-group site_a_hosts object-group site_b_hosts

Site B:

access-list outside_cryptomap_B extended permit ip object-group site_b_hosts any
no access-list outside_cryptomap_B extended permit ip object-group site_b_hosts object-group site_a_hosts

Traffic coming through this tunnel will be coming in the outside interface, getting decrypted, and going right back out the outside interface (I hope this works for your web filter!), so you'll need to account for that, too:

(config disclaimer: this is 8.2 config, adjust accordingly)

same-security-traffic permit intra-interface
nat (outside) 1 10.X.X.0 255.255.255.0

With this in place, all traffic will catch the encryption policy and the tunnel will build with local/remote networks of 0.0.0.0/0.

testasa# show crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 100, local addr: X.X.X.X

      access-list outside_cryptomap_A permit ip any object-group site_b_hosts
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.X.X.0/255.255.255.0/0/0)
      current_peer: test-endpoint-public

      #pkts encaps: 719, #pkts encrypt: 719, #pkts digest: 719
      #pkts decaps: 626, #pkts decrypt: 626, #pkts verify: 626

Best Answer

Related Solutions

How to keep general internet traffic off Windows 2008 R2 VPN and only handle VPN traffic

Cisco ASA VPN – Route all internet traffic from remote site through main site’s ISP

Related Topic