[VPN] Re: PIX VPN - Local LAN Access

Art Vandelay art_vandelay at mac.com
Fri Mar 7 12:05:01 EST 2003

It is called split-tunneling.  You need to use ACLs with NAT.  There
are a couple great tools I have found, one is the output interpreter at

Also, check the IPsec troubleshooting pages at

Maybe you've seen this stuff already, but hope it helps.


On Thursday, March 6, 2003, at 03:35 PM, John Spanos wrote:

> Hi Folks,
> I have implemented a Remote Access VPN using a PIX and the Cisco VPN
> Client 3.6.  The only problem I am having is that users can't see their
> local LAN while connected to the VPN.  I know the setting on the client
> needs to be enabled, which I have done but still nothing.  From Cisco's
> limited documentation it appears as though something needs to be
> configured on the PIX as well.  The only reference to this in Cisco
> documentation is regarding the VPN Concentrator and explains how to do it
> using the GUI Tools of the Concentrator.  The only problem is that I
> don't know how to do it using the command line on the PIX.
> As the VPN is in production, I don't want to mess too much with it so
> this is why I am looking for anyone who has done this to point me in the
> right direction.  Is 'Allowing Local LAN Access' the same as split
> tunnelling?  If it is, then can I allow using an ACL and deny statements?
> The documentation says that you should put access-list permits for
> networks that should have encrypted traffic sent to them, but then all
> other traffic may flow unencrypted, which is against company policy.  If
> I put specific deny statements then can I allow unencrypted traffic ONLY
> to a specific network?
> If anyone could shed some light on this issue I would be very
> appreciative.
> Thanks.
> John Spanos.
> _______________________________________________
> VPN mailing list
> VPN at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/vpn
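
The "ACLs with NAT" approach mentioned in the reply, sketched as a PIX 6.x command-line fragment. This is an added example, not configuration posted by either participant. The addressing (inside LAN 10.1.1.0/24, client pool 10.1.2.0/24), the group name REMOTE, the pool name VPNPOOL and the ACL numbers are all assumptions made up for illustration.

```cisco
: Constructed values: inside LAN 10.1.1.0/24, VPN client pool 10.1.2.0/24.
: Group name REMOTE, pool name VPNPOOL and ACL numbers 101/102 are hypothetical.

: Address pool handed out to connecting VPN clients
ip local pool VPNPOOL 10.1.2.1-10.1.2.254

: ACL 101: traffic between the inside LAN and the client pool
: must bypass NAT so it matches the IPsec tunnel unchanged
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
nat (inside) 0 access-list 101

: ACL 102: the split-tunnel list. It names the networks the client
: encrypts and sends through the tunnel; destinations that do not
: match are sent in the clear from the client's own interface
access-list 102 permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0

: Bind the pool and the split-tunnel list to the client group
vpngroup REMOTE address-pool VPNPOOL
vpngroup REMOTE split-tunnel 102
```

With no `split-tunnel` line on the group, the client sends all of its traffic through the tunnel, which is the behaviour to keep where unencrypted traffic is against policy.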
