[VPN] PIX VPN - Local LAN Access

Dana J. Dawson djdawso at qwest.com
Fri Mar 14 11:21:54 EST 2003


I'd be inclined to try this, assuming the local LAN is 192.168.1.0/24:

   access-list SPLIT deny   ip 192.168.1.0 255.255.255.0 any
   access-list SPLIT permit ip any any

   vpngroup MYGROUP split-tunnel SPLIT

Since the access-list defines just the networks that will use the 
tunnel, I'd expect that denying only the local subnet and permitting 
everything else would do what you want.  This will also cause 
Internet-bound traffic to be needlessly encrypted, since the PIX won't 
send it back out its outside interface, but maybe you can live with 
that.  If this doesn't work, then I think you're out of options (aside 
from deploying a 3000 concentrator instead, obviously).

Good luck!

Dana

-- 

Dana J. Dawson                     djdawso at qwest.com
Senior Staff Engineer              CCIE #1937
Qwest Communications               (612) 664-3364
600 Stinson Blvd., Suite 1S        (612) 664-4779 (FAX)
Minneapolis  MN  55413-2620

"Hard is where the money is."


John Spanos wrote:
> I began this post a few days ago....
> 
> The information people sent to me was not what I was looking for.
> Recapping:
> 
> I need to be able to allow VPN clients unencrypted access to, and ONLY to,
> their local LAN.  Assuming that all users have the same internal IP
> addressing scheme at home then how can I do this?  The only way I thought
> would be to list every network EXCEPT their local LAN network in an ACL -
> e.g.
> 
> 1.0.0.0 255.0.0.0
> 2.0.0.0 255.0.0.0
> .
> .
> .
> .
> .
> .
> .
> .
> 200.0.0.0 255.0.0.0
> .
> .
> .
> .
> etc.
> 
> You would exclude the Local LAN network and include this ACL in a vpngroup
> split-tunnel command.  Is there an easier way to do this on the PIX?  There
> is definitely an easy way to do this on a Concentrator.
> 
> Cheers.
> 
> John Spanos
> 
> -----Original Message-----
> From: vpn-admin at lists.shmoo.com [mailto:vpn-admin at lists.shmoo.com]On
> Behalf Of John Spanos
> Sent: Friday, March 07, 2003 10:35 AM
> To: VPN
> Subject: [VPN] Re: PIX VPN - Local LAN Access
> 
> 
> Hi Folks,
>            I have implemented a Remote Access VPN using a PIX and the Cisco
> VPN Client 3.6.  The only problem I am having is that users can't see their
> local LAN while connected to the VPN.  I know the setting on the client
> needs to be enabled, which I have done but still nothing.  From Cisco's
> limited documentation it appears as though something needs to be configured
> on the PIX as well.  The only reference to this in Cisco documentation is
> regarding the VPN Concentrator and explains how to do it using the GUI Tools
> of the Concentrator.  The only problem is that I don't know how to do it
> using the command line on the PIX.
> 
> As the VPN is in production, I don't want to mess too much with it so this
> is why I am looking for anyone who has done this to point me in the right
> direction.  Is 'Allowing Local LAN Access' the same as split tunnelling?  If
> it is, then can I allow using an ACL and deny statements.  The documentation
> says that you should put access-list permits for networks that should have
> encrypted traffic sent to them, but then all other traffic may flow
> unencrypted, which is against company policy.  If I put specific deny
> statements then can I allow unencrypted traffic ONLY to a specific network?
> If anyone could shed some light on this issue I would be very appreciative.
> 
> Thanks.
> 
> John Spanos.
> 
> 
> _______________________________________________
> VPN mailing list
> VPN at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/vpn
> 
> 

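Added example, not part of the original thread and not Cisco code: a small Python model of the two ways this thread proposes to build a split-tunnel list. It assumes the semantics Dana expects (first-match evaluation, a matched "permit" means the destination goes into the tunnel, a "deny" or no match means it is reached unencrypted) and the PIX 6.x access-list form he used (subnet mask, not wildcard). It evaluates his two-line "deny local LAN, permit any" list against sample destinations, and also generates the permit-only list John asked about, carved at prefix granularity rather than whole /8s, so that only the home subnet (192.168.1.0/24 here, as in Dana's reply) is excluded instead of all of 192.0.0.0/8. All addresses and names are constructed for the example.

```python
import ipaddress

# Constructed from the thread: the assumed home LAN and Dana's proposed ACL.
LOCAL_LAN = ipaddress.ip_network("192.168.1.0/24")

def pix_network(addr: str, mask: str) -> ipaddress.IPv4Network:
    """PIX 6.x access-lists take a subnet mask (255.255.255.0), not a wildcard."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

# "access-list SPLIT deny ip 192.168.1.0 255.255.255.0 any"
# "access-list SPLIT permit ip any any"
SPLIT_ACL = [
    ("deny",   pix_network("192.168.1.0", "255.255.255.0")),
    ("permit", ipaddress.ip_network("0.0.0.0/0")),
]

def acl_action(acl, dst: str) -> str:
    """First-match evaluation; a list with no match denies (implicit deny)."""
    ip = ipaddress.ip_address(dst)
    for action, net in acl:
        if ip in net:
            return action
    return "deny"

def is_tunneled(acl, dst: str) -> bool:
    """Assumed model: a permit match sends traffic into the tunnel,
    a deny (or no match) leaves it unencrypted on the local interface."""
    return acl_action(acl, dst) == "permit"

def complement_prefixes(excluded: ipaddress.IPv4Network):
    """Minimal set of prefixes covering all of IPv4 EXCEPT 'excluded'.
    Walk from 0.0.0.0/0 toward the excluded prefix; at every level the
    sibling of the branch that contains it is one output prefix.
    A /24 yields 24 prefixes (/1 .. /24), not the hundreds of /8s and
    finer entries a hand-written list would need."""
    out = []
    current = ipaddress.ip_network("0.0.0.0/0")
    while current != excluded:
        left, right = current.subnets(prefixlen_diff=1)
        if excluded.subnet_of(left):
            out.append(right)
            current = left
        else:
            out.append(left)
            current = right
    return out

def permit_only_acl(excluded: ipaddress.IPv4Network):
    """The permit-only equivalent of 'deny local, permit any'."""
    return [("permit", net) for net in complement_prefixes(excluded)]

def to_pix_lines(name: str, acl):
    """Render an ACL in the form used in Dana's reply."""
    lines = []
    for action, net in acl:
        if net.prefixlen == 0:
            lines.append(f"access-list {name} {action} ip any any")
        else:
            lines.append(f"access-list {name} {action} ip "
                         f"{net.network_address} {net.netmask} any")
    return lines

def covers_everything_else(excluded: ipaddress.IPv4Network) -> bool:
    """Sanity check: the complement plus the excluded prefix is all 2^32 addresses,
    and no complement prefix overlaps the excluded one."""
    comp = complement_prefixes(excluded)
    total = sum(n.num_addresses for n in comp) + excluded.num_addresses
    disjoint = all(not n.overlaps(excluded) for n in comp)
    return total == 2 ** 32 and disjoint

if __name__ == "__main__":
    for dst in ("192.168.1.50", "10.1.2.3", "8.8.8.8"):
        print(dst, "tunneled" if is_tunneled(SPLIT_ACL, dst) else "local/clear")
    for line in to_pix_lines("SPLIT2", permit_only_acl(LOCAL_LAN)):
        print(line)
```

Running it shows the property Dana describes: the home subnet is the only destination left outside the tunnel, while Internet addresses such as 8.8.8.8 match the final permit and are encrypted to the PIX. The generated permit-only list gives the same answers for every destination, so the two forms differ only in length and in whether the PIX honours deny entries in a split-tunnel list, which this model assumes rather than verifies.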