[VPN] Re: PIX VPN - Local LAN Access

shannong shannong at texas.net
Sun Mar 9 11:56:29 EST 2003


When you say local LAN, do you mean machines on the same subnet or other
subnets on that LAN?

Either way, your problem will probably be solved by the use of
split-tunneling.  It tells the Cisco client what should be sent over the
tunnel.  Only traffic defined in the split-tunnel will traverse the VPN.
Therefore, clients will access all other resources "locally".

Define an ACL on your Pix to identify what should be accessed over the
tunnel.  In this example, only traffic to hosts on the 10.1.1.0/24
network will use the tunnel. All other traffic will use the local LAN
and configured default gateway of the client:

access-list split permit ip 10.1.1.0 255.255.255.0 any

Now we apply to a VPN group called "ucf36":

vpngroup ucf36 split-tunnel split 

You can verify this in the statistics tab of the VPN client when
connected. Rather than having 0.0.0.0 with a key in front, you'll see
the networks you defined in the access-list.

-----Original Message-----
From: vpn-admin at lists.shmoo.com [mailto:vpn-admin at lists.shmoo.com] On
Behalf Of John Spanos
Sent: Thursday, March 06, 2003 5:35 PM
To: VPN
Subject: [VPN] Re: PIX VPN - Local LAN Access

Hi Folks,
           I have implemented a Remote Access VPN using a PIX and the Cisco
VPN Client 3.6.  The only problem I am having is that users can't see their
local LAN while connected to the VPN.  I know the setting on the client
needs to be enabled, which I have done but still nothing.  From Cisco's
limited documentation it appears as though something needs to be configured
on the PIX as well.  The only reference to this in Cisco documentation is
regarding the VPN Concentrator and explains how to do it using the GUI Tools
of the Concentrator.  The only problem is that I don't know how to do it
using the command line on the PIX.

As the VPN is in production, I don't want to mess too much with it so this
is why I am looking for anyone who has done this to point me in the right
direction.  Is 'Allowing Local LAN Access' the same as split tunnelling?
If it is, then can I allow using an ACL and deny statements?  The
documentation says that you should put access-list permits for networks
that should have encrypted traffic sent to them, but then all other traffic
may flow unencrypted, which is against company policy.  If I put specific
deny statements then can I allow unencrypted traffic ONLY to a specific
network?  If anyone could shed some light on this issue I would be very
appreciative.

Thanks.

John Spanos.


_______________________________________________
VPN mailing list
VPN at lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/vpn
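The rule in shannong's reply (only destinations inside the networks named in the split-tunnel ACL go over the tunnel; everything else leaves via the client's local LAN and default gateway, unencrypted) modelled in Python as an added example. This is illustration written for this page, not Cisco code and not anything posted on the list. It parses PIX 6.x style access-list lines in the dotted-netmask form shown above and classifies destination addresses; the second ACL line and the destination addresses are constructed for the example. Running it against a proposed ACL shows, before the change goes into production, exactly which destinations would leave the tunnel unencrypted, which is the policy question John raised.

```python
import ipaddress

# Constructed sample ACL: the line from the reply above plus a second
# protected network added for illustration. Not taken from any real PIX.
SPLIT_ACL = [
    "access-list split permit ip 10.1.1.0 255.255.255.0 any",
    "access-list split permit ip 10.1.2.0 255.255.255.0 any",
]


def parse_split_acl(lines):
    """Parse PIX 6.x style split-tunnel ACL lines into IPv4 networks.

    The split-tunnel ACL names the networks *behind* the PIX (the ACL
    source field) with a real subnet mask, not a wildcard mask. Only the
    'permit ip <net> <mask> any' form used in the thread is modelled;
    anything else is rejected loudly rather than silently ignored.
    """
    networks = []
    for line in lines:
        parts = line.split()
        if len(parts) != 7 or parts[0].lower() != "access-list":
            raise ValueError(f"not a recognised access-list line: {line!r}")
        _name, action, proto, net, mask, dst = parts[1:]
        if (action.lower(), proto.lower(), dst.lower()) != ("permit", "ip", "any"):
            raise ValueError(f"only 'permit ip <net> <mask> any' is modelled: {line!r}")
        networks.append(ipaddress.IPv4Network(f"{net}/{mask}", strict=False))
    return networks


def tunneled_networks(networks):
    """The networks the client's statistics tab should list in place of the
    single 0.0.0.0 entry once split tunnelling is in effect."""
    return [str(n) for n in networks]


def path_for(destination, networks):
    """Apply the reply's rule to one destination: inside a split-tunnel
    network -> over the VPN; otherwise -> local LAN / default gateway."""
    addr = ipaddress.IPv4Address(destination)
    return "tunnel" if any(addr in net for net in networks) else "local"


def classify(destinations, networks):
    """Map each destination to 'tunnel' or 'local' so the proposed ACL can be
    checked against policy before it is applied to the vpngroup."""
    return {d: path_for(d, networks) for d in destinations}


if __name__ == "__main__":
    nets = parse_split_acl(SPLIT_ACL)
    print("tunneled networks:", tunneled_networks(nets))
    # Constructed destinations: two behind the PIX, one on a home LAN,
    # one on the public Internet (documentation range).
    sample = ["10.1.1.5", "10.1.2.200", "192.168.0.20", "203.0.113.9"]
    for dst, path in classify(sample, nets).items():
        print(f"{dst:>14} -> {path}")
```

Anything that classifies as "local" is traffic the PIX never sees; if company policy says it must be encrypted, the ACL has to name that network too, or split tunnelling should stay off for that group.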





