[VPN] Re: PIX VPN - Local LAN Access

Art Vandelay art_vandelay at mac.com
Fri Mar 7 12:05:01 EST 2003


It is called split-tunneling.  You need to use ACLs with nat.  There
are a couple great tools I have found, one is the output interpreter at
https://www.cisco.com/cgi-bin/Support/OutputInterpreter/home.pl?style=small&ref_url=http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps1828/products_tech_note09186a008010750a.shtml

Also, check the IPsec troubleshooting pages at
http://www.cisco.com/en/US/tech/tk583/tk372/tech_configuration_examples_list.html

Maybe you've seen this stuff already, but hope it helps.

Ben

On Thursday, March 6, 2003, at 03:35 PM, John Spanos wrote:

> Hi Folks,
> I have implemented a Remote Access VPN using a PIX and the Cisco
> VPN Client 3.6.  The only problem I am having is that users can't see
> their local LAN while connected to the VPN.  I know the setting on the
> client needs to be enabled, which I have done but still nothing.  From
> Cisco's limited documentation it appears as though something needs to
> be configured on the PIX as well.  The only reference to this in Cisco
> documentation is regarding the VPN Concentrator and explains how to do
> it using the GUI Tools of the Concentrator.  The only problem is that I
> don't know how to do it using the command line on the PIX.
>
> As the VPN is in production, I don't want to mess too much with it so
> this is why I am looking for anyone who has done this to point me in
> the right direction.  Is 'Allowing Local LAN Access' the same as split
> tunnelling?  If it is, then can I allow using an ACL and deny
> statements?  The documentation says that you should put access-list
> permits for networks that should have encrypted traffic sent to them,
> but then all other traffic may flow unencrypted, which is against
> company policy.  If I put specific deny statements then can I allow
> unencrypted traffic ONLY to a specific network?
> If anyone could shed some light on this issue I would be very
> appreciative.
>
> Thanks.
>
> John Spanos.



