[VPN] PIX VPN - Local LAN Access

John Spanos john.spanos at adacel.com
Mon Mar 10 22:00:15 EST 2003


I began this post a few days ago....

The information people sent to me was not what I was looking for.
Recapping:

I need to be able to allow VPN clients unencrypted access to, and ONLY to,
their local LAN.  Assuming that all users have the same internal IP
addressing scheme at home then how can I do this?  The only way I thought
would be to list every network EXCEPT their local LAN network in an ACL -
e.g.

1.0.0.0 255.0.0.0
2.0.0.0 255.0.0.0
.
.
.
.
.
.
.
.
200.0.0.0 255.0.0.0
.
.
.
.
etc.

You would exclude the Local LAN network and include this ACL in a vpngroup
split-tunnel command.  Is there an easier way to do this on the PIX?  There
is definitely an easy way to do this on a Concentrator.

Cheers.

John Spanos

-----Original Message-----
From: vpn-admin at lists.shmoo.com [mailto:vpn-admin at lists.shmoo.com]On
Behalf Of John Spanos
Sent: Friday, March 07, 2003 10:35 AM
To: VPN
Subject: [VPN] Re: PIX VPN - Local LAN Access


Hi Folks,
           I have implemented a Remote Access VPN using a PIX and the Cisco
VPN Client 3.6.  The only problem I am having is that users can't see their
local LAN while connected to the VPN.  I know the setting on the client
needs to be enabled, which I have done but still nothing.  From Cisco's
limited documentation it appears as though something needs to be configured
on the PIX as well.  The only reference to this in Cisco documentation is
regarding the VPN Concentrator and explains how to do it using the GUI Tools
of the Concentrator.  The only problem is that I don't know how to do it
using the command line on the PIX.

As the VPN is in production, I don't want to mess too much with it so this
is why I am looking for anyone who has done this to point me in the right
direction.  Is 'Allowing Local LAN Access' the same as split tunnelling?  If
it is, then can I allow using an ACL and deny statements?  The documentation
says that you should put access-list permits for networks that should have
encrypted traffic sent to them, but then all other traffic may flow
unencrypted, which is against company policy.  If I put specific deny
statements then can I allow unencrypted traffic ONLY to a specific network?
If anyone could shed some light on this issue I would be very appreciative.

Thanks.

John Spanos.


_______________________________________________
VPN mailing list
VPN at lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/vpn
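The "list every network except the local LAN" approach John describes, as an added example that is not part of the original thread: instead of hand-typing /8 entries (which cannot carve a /24 home network out of its /8 without also excluding the public addresses in that /8), it computes the minimal set of prefixes covering 0.0.0.0/0 minus the local LAN and renders them as PIX 6.x access-list entries. The ACL name split_tunnel and group name vpnusers are placeholders.

```python
"""Build a PIX 6.x split-tunnel ACL that tunnels everything except one local LAN.

Added example, not from the original post or from Cisco. PIX access-list
entries use subnet masks (not IOS-style wildcard masks); the source network
of each permit entry is pushed to the VPN Client as a 'secured route'.
"""
import ipaddress

ALL_IPV4 = ipaddress.ip_network("0.0.0.0/0")


def prefixes_excluding(local_lan: str) -> list:
    """Minimal set of prefixes covering all of IPv4 except local_lan.

    Excluding a /24 yields 24 entries (one per prefix length 1..24), far
    fewer than enumerating hundreds of /8s, and it excludes ONLY the LAN.
    """
    excluded = ipaddress.ip_network(local_lan, strict=True)
    return sorted(ALL_IPV4.address_exclude(excluded))


def pix_acl_lines(local_lan: str, acl_name: str = "split_tunnel") -> list:
    """Render the covering prefixes as PIX 'access-list ... permit ip' lines."""
    return [
        f"access-list {acl_name} permit ip {net.network_address} {net.netmask} any"
        for net in prefixes_excluding(local_lan)
    ]


def pix_config(local_lan: str, group: str = "vpnusers",
               acl_name: str = "split_tunnel") -> list:
    """ACL lines plus the vpngroup command that attaches them (placeholder names)."""
    return pix_acl_lines(local_lan, acl_name) + [
        f"vpngroup {group} split-tunnel {acl_name}"
    ]


def verify_cover(local_lan: str) -> bool:
    """Check the ACL covers exactly everything except the local LAN."""
    excluded = ipaddress.ip_network(local_lan, strict=True)
    nets = prefixes_excluding(local_lan)
    no_overlap = not any(net.overlaps(excluded) for net in nets)
    total = sum(net.num_addresses for net in nets)
    return no_overlap and total == ALL_IPV4.num_addresses - excluded.num_addresses


if __name__ == "__main__":
    # Constructed sample: the home LAN every client is assumed to share.
    for line in pix_config("192.168.1.0/24"):
        print(line)
```

As the post assumes, this only behaves as intended when every client really does use the same local LAN addressing; a client on a different LAN will have that LAN's traffic tunnelled and encrypted like everything else.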



