[VPN] Re: PIX VPN - Local LAN Access

shannong shannong at texas.net
Sun Mar 9 11:56:29 EST 2003

When you say local LAN, do you mean machines on the same subnet or other
subnets on that LAN?

Either way, you problem will probably be solved by the use of
split-tunneling.  It tells the Cisco client what should be sent over the
tunnel.  Only traffic defined in the split-tunnel will traverse the VPN.
Therefore, clients will access all other resources "locally".

Define an ACL on your Pix to identify what should be accessed over the
tunnel.  In this example, only traffic to hosts on the
network will use the tunnel. All other traffic will use the local LAN
and configured default gateway of the client:

Access-list split permit ip any

Now we apply to a VPN group called "ucf36":

vpngroup ucf36 split-tunnel split 

You can verify this in the statistics tab of the VPN client when
connected. Rather than having with a key in front, you'll see
the networks you defined in the access-list.

-----Original Message-----
From: vpn-admin at lists.shmoo.com [mailto:vpn-admin at lists.shmoo.com] On
Behalf Of John Spanos
Sent: Thursday, March 06, 2003 5:35 PM
Subject: [VPN] Re: PIX VPN - Local LAN Access

Hi Folks,
           I have implemented a Remote Access VPN using a PIX and the
VPN Client 3.6.  The only problem I am having is that users can't see
local LAN while connected to the VPN.  I know the setting on the client
needs to be enabled, which I have done but still nothing.  From Cisco's
limited documentation it appears as though something needs to be
on the PIX as well.  The only reference to this in Cisco documentation
regarding the VPN Concentrator and explains how to do it using the GUI
of the Concentrator.  The only problem is that I don't know how to do it
using the command line on the PIX.

As the VPN is in production, I don't want to mess too much with it so
is why I am looking for anyone who has done this to point me in the
direction.  Is 'Allowing Local LAN Access' the same as split tunnelling.
it is, then can I allow using an ACL and deny statements.  The
says that you should put access-list permits for networks that should
encrypted traffic sent to them, but then all other traffic may flow
unencrypted, which is against company policy.  If I put specific deny
statements then can I allow unencrypted traffic ONLY to a specific
If anyone could shed some light on this issue I would be very


John Spanos.

VPN mailing list
VPN at lists.shmoo.com

More information about the VPN mailing list