Two NICs and VPN appliance

[dudu]

I have the folliowing setup at home: Cable_modem -> Asus RT-N66U -> PC.
I was just given last week at work Cisco ASA 5505 VPN appliance to connect to my work network from home... So Cisco router is setup to work as VPN client. If I put it between Asus router and my PC everything is fine. I can access work network, browse internet etc.

The question is if it's possible to setup an additional NIC on my PC so that only work-related traffic (i.e. VPN) goes through NIC #1 (and Cisco appliance), while NIC #2 would directly connect to Asus router and be used to access LAN as well as the internet.

I'm using windows 7... asked my IT guys at work and they said this is not possible, but I wasn't totally convinced. T

Thanks

 

[Thatguy]

It's certainly possible but you'd have to add static routes to push the traffic through the VPN for whatever IP's you need to hit. It's manual work but at that point your going to have 2 gateways so static routes are really the only way to go.

 

[bendsley]

I have the folliowing setup at home: Cable_modem -> Asus RT-N66U -> PC.
I was just given last week at work Cisco ASA 5505 VPN appliance to connect to my work network from home... So Cisco router is setup to work as VPN client. If I put it between Asus router and my PC everything is fine. I can access work network, browse internet etc.

The question is if it's possible to setup an additional NIC on my PC so that only work-related traffic (i.e. VPN) goes through NIC #1 (and Cisco appliance), while NIC #2 would directly connect to Asus router and be used to access LAN as well as the internet.

I'm using windows 7... asked my IT guys at work and they said this is not possible, but I wasn't totally convinced. T

Thanks

It's called Split Tunneling and it's totally possible. Basically on the tunnel, all work related traffic goes through the VPN and all non-work related traffic goes direct to the internet.

Keep in mind, everything coming through the VPN can be seen on their side and all of your browsing, etc. can be captured and recorded. If they're running a proxy of some sort on their side that VPN traffic comes through, any HTTPS/SSL traffic is also exposed. What I'm saying here is that if you login to your bank account from home, they can view everything going on between your machine and your bank's website.

Your company may not allow split tunneling, but yes, it is possible. I personally would not install hardware at my house where someone else can see everything I'm doing. This is the reason that Cisco makes the Cisco VPN and the AnyConnect clients for people's computers; so you don't have to route everything over a hardware VPN tunnel. This sounds rather ridiculous to me.

 

[dudu]

I think part of the reason why i have to use the hardware VPN client appliance is because my phone is also connected to it. But I see your point on them being able to capture all of my traffic remotely and i'd definitely want to avoid that.

So I just installed 2nd NIC in my system. NIC #1 is now connected directly to the ASUS router and 192.168.1.xx LAN. NIC #2 is connected to Cisco VPN appliance (and then ASUS router), so that's on 10.149.xxx remote VPN.

Here's ipconfig command output:
--------------------
Ethernet adapter Local Area Connection 3:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.1.100
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1

Ethernet adapter Local Area Connection 4:
Connection-specific DNS Suffix . : abc.com
IPv4 Address. . . . . . . . . . . : 10.149.1.65
Subnet Mask . . . . . . . . . . . : 255.255.255.240
Default Gateway . . . . . . . . . : 10.149.1.78
------------------------------------------

What specifc static routes I should add to make this work? I'm using Windows 7.

Thanks!

 

[bendsley]

I think part of the reason why i have to use the hardware VPN client appliance is because my phone is also connected to it. But I see your point on them being able to capture all of my traffic remotely and i'd definitely want to avoid that.

So I just installed 2nd NIC in my system. NIC #1 is now connected directly to the ASUS router and 192.168.1.xx LAN. NIC #2 is connected to Cisco VPN appliance (and then ASUS router), so that's on 10.149.xxx remote VPN.

Here's ipconfig command output:
--------------------
Ethernet adapter Local Area Connection 3:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.1.100
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1

Ethernet adapter Local Area Connection 4:
Connection-specific DNS Suffix . : abc.com
IPv4 Address. . . . . . . . . . . : 10.149.1.65
Subnet Mask . . . . . . . . . . . : 255.255.255.240
Default Gateway . . . . . . . . . : 10.149.1.78
------------------------------------------

What specifc static routes I should add to make this work? I'm using Windows 7.

Thanks!

You need to find out what IP addresses / subnets you specifically need to route to at your work. If you're trying to connect to something like 172.30.30.0 and it goes through the VPN, you need to add that to the route with your VPN as the gateway.

This way, anything to that subnet will go through the VPN while other traffic goes through your ISP.

On Windows 7, the command is:

route ADD 10.0.0.0 MASK 255.255.255.0 10.0.0.1 IF 2

The 10.0.0.0 is the destination IP, the 255.255.255.0 is the SUBNET MASK, and the 10.0.0.1 is the GATEWAY IP. The IF 2 at the end isn't required, but since you're using two interfaces, this tells the route which specific interface to use.