Find the private channel for VPN Intranet login to the Internet

Source: Internet
Author: User

Find the private channel for the VPN intranet to log on to the Internet. The author works at a branch office. The branch has two network lines: a frame relay line to company headquarters, and an ordinary ADSL line of only 512 K. The whole branch shares that 512 K broadband line for Internet access, so the bandwidth available to each user is very small and web applications feel sluggish. I had heard that the Internet egress bandwidth at headquarters is as high as 50 M, but its proxy does not grant Internet access to the branches. I had also heard that the headquarters proxy server has Internet behaviour control deployed, so the Internet experience of colleagues at headquarters is not good either. Later, by chance, I obtained a headquarters VPN account. Its address is 218.*.*.*, so I tried configuring it and logging in. With the default settings, once connected I could reach the intranet, but the Internet was cut off at the same time. Of course, if you untick "Use default gateway on remote network" you keep your Internet access, but that is not what I wanted. I wondered: could I start from this VPN and find a way to reach the Internet through the intranet? That way we could make good use of the 2 M line. I first logged on to the headquarters VPN over the ADSL line, typed ipconfig /all, and found that the intranet IP address I was assigned belongs to the 10.152.40.* segment. I guessed the VPN server itself might sit in this segment, so I used a scanner to see which hosts in the segment were alive. Only three hosts responded, which did not seem right; presumably some hosts are configured not to answer ping. I reasoned that if I scanned the VPN's public address from the Internet to learn its host name and open ports, and then scanned the 10.152.40.* segment for the same fingerprint, a match would almost certainly be the intranet IP address of the VPN.
But what if the ordinary scanning software on this host could not fingerprint it? I thought of the Nmap article I published in this publication earlier: Nmap is the most capable scanner there is. I logged on to the Linux system, opened a terminal, and entered the following command to check which ports are open on the VPN host:

nmap -sC 218.*.*.*

The result showed that TCP port 1723 is open; the service on this port is PPTP. That is an important clue: if a host with TCP port 1723 open can be found in 10.152.40.*, it is very likely the intranet IP address of the VPN. So I ran the following command to find which hosts in the segment have port 1723 open:

nmap -p 1723 10.152.40.0/24

The output listed many hosts, with plenty of lines such as "1723/tcp closed pptp" and "1723/tcp filtered pptp". After paging through it carefully, I finally found the single line "1723/tcp open pptp" and copied its intranet IP address, 10.152.40.99. Next, I edited the VPN connection's properties and, under the General tab, replaced the destination host name or IP address (the Internet address beginning with 218) with the copied intranet address 10.152.40.99. After dialing and connecting, I noticed that my QQ had dropped and then logged back in automatically, yet I could not open any web page or reach the intranet. I reasoned that QQ can log on because it does not depend on DNS: it connects to the QQ servers directly by IP address. So the Internet path was up and only the DNS settings were wrong. I then edited the Internet Protocol properties of the VPN connection and set Google's DNS server, 8.8.8.8. Dialing again: every web page opened! This time the traffic was going over the 2 M line. But I soon found that with these settings the intranet could no longer be reached.
At a command prompt I entered the following to view the routing table:

route print

From the returned table I learned that one route was missing, so I simply added it:

route add 10.0.0.0/8 10.152.64.253

because the author's gateway is 10.152.64.253 and 10.0.0.0/8 is the intranet. After adding this route, both the Internet and the intranet were reachable and the connection no longer dropped; everything travels over the 2 M line. Internet traffic leaves through the VPN at 10.152.40.99 and intranet traffic leaves through 10.152.64.253, so the author no longer needs the 512 K ADSL line and can leave it to the colleagues in the branch who need it most. However, I found the route was gone after a reboot, so I typed the following to add a persistent route:

route -p add 10.0.0.0/8 10.152.64.253

so that I do not have to add it manually every time the system starts. This also reveals the essence of the vulnerability: the main firewall uses an IPSEC-VPN (L2TP mechanism), hands out an intranet IP address, and treats anything that has authenticated as fully trusted on the intranet; at the egress NAT there is no restriction on which intranet IP addresses may reach the Internet through the firewall, which is what made this possible. Mainstream VPNs today are SSL-VPNs, which can restrict access at the port level (fine-grained).
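As an added example (not the author's code), the following Python audits the two defender-side points the closing paragraph makes: an egress NAT rule whose source prefix also covers the VPN address pool, and flow records showing VPN-pool addresses reaching non-intranet hosts. The NAT rules, the proxy address 10.152.64.10 and the flow lines are constructed; only the 10.152.40.0/24 pool and the 10.0.0.0/8 intranet come from the article.

```python
import ipaddress

# Address ranges taken from the article: the VPN hands out 10.152.40.* and
# the intranet as a whole is 10.0.0.0/8.
VPN_POOL = ipaddress.ip_network("10.152.40.0/24")
INTRANET = ipaddress.ip_network("10.0.0.0/8")

# Constructed egress NAT policy: (rule name, source prefix the rule translates).
# The first rule is the weak setting from the article: it covers every intranet
# address, VPN clients included. The second is the corrected setting, where only
# the (hypothetical) proxy server is translated to the Internet.
WEAK_RULES = [("intranet-egress", "10.0.0.0/8")]
FIXED_RULES = [("proxy-egress", "10.152.64.10/32")]

def rules_exposing_vpn_pool(rules, vpn_pool=VPN_POOL):
    """Return the names of NAT rules whose source prefix overlaps the VPN pool."""
    return [name for name, src in rules
            if ipaddress.ip_network(src).overlaps(vpn_pool)]

def vpn_clients_reaching_internet(flow_lines, vpn_pool=VPN_POOL, intranet=INTRANET):
    """Scan constructed flow-log lines of the form 'src dst proto dport' and
    return the flows where a VPN-pool address talks to a non-intranet host,
    i.e. a VPN client that is using the firewall egress instead of the proxy."""
    hits = []
    for line in flow_lines:
        src, dst, proto, dport = line.split()
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in vpn_pool and d not in intranet:
            hits.append((src, dst, proto, int(dport)))
    return hits

# Constructed sample flows. 10.152.40.120 stands in for a VPN client and
# 198.51.100.7 (a documentation address) for an Internet host.
SAMPLE_FLOWS = [
    "10.152.40.120 10.152.64.20 tcp 445",   # VPN client to intranet server: expected
    "10.152.40.120 8.8.8.8 udp 53",         # VPN client to public DNS: should not pass
    "10.152.64.10 198.51.100.7 tcp 443",    # proxy to Internet: expected
    "10.152.40.120 198.51.100.7 tcp 80",    # VPN client straight to Internet: should not pass
]

if __name__ == "__main__":
    print("weak policy exposes pool via:", rules_exposing_vpn_pool(WEAK_RULES))
    print("fixed policy exposes pool via:", rules_exposing_vpn_pool(FIXED_RULES))
    for hit in vpn_clients_reaching_internet(SAMPLE_FLOWS):
        print("VPN client egress to Internet:", hit)
```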
