
access local LAN while VPN'd into another LAN???

Status
Not open for further replies.

126rjp

MIS
Nov 6, 2003
Please don't laugh at my question, I am still new to the Cisco world... Is it possible to access a local LAN, and its resources, while being connected to another LAN via VPN and accessing those resources?

Here is the background: I have an executive who has a small network in his house... a server he uses for storage, a networked printer he shares with the 5 PCs he has throughout his house, and a DSL connection to the Internet (which he is going to be changing to a cable modem in the near future).
We have a PIX 515 (ver 6.33) in the office, which has VPN enabled, with IAS on a W2K server... everyone who uses the VPN is OK with it (everyone uses Cisco client 3.51 or 4), except that the exec is unable to print at home when he is connected via the VPN. He is also unable to access any of the PCs in his house along with his server.

Is there any way to allow him access to our network, via vpn and still allow him access to his local network at home? (right now most importantly printing)
 
We've been wanting to do this as well. I've researched it before and you need a Cisco Concentrator which, if I read it right, replaces the PIX and allows for local LAN access and stuff. I had many discussions with my boss about this and he kept saying we don't need it, but every document I read on cisco.com says you do. They are very pricey but I believe it's the only way to do it.
 
"A" solution is to install a real VPN gateway at his home:
- a little pix501
- checkpoint
- or another hardware like a little VPN/router from Zyxel, Netgear, Bewan, 3Com, ... cheaper than a PIX and works fine for this use ;)
 
The way I got round this is to enable split tunneling on the client and configure the IPsec networks on the PIX.

Basically you just tell the clients what networks they should encrypt to and what they shouldn't. The reason you can't get local access is because the local traffic is being shoved down the VPN tunnel and getting dropped at the termination point. Depending on how you configure this you can give remote users access to everything on the Internet/local LAN through normal methods and only send traffic to your main network down the VPN. Would this be an acceptable solution to the problem?

On the PDM the encrypted network entries are in:

Configuration>VPN>Remote Access>Cisco VPN Client>Edit the VPN Pool>Select Manage Split Tunneling

Or the more direct route:

access-list splitTunnelAclname permit ip 10.10.20.0 255.255.255.0 any
access-list splitTunnelAclname permit ip 10.10.25.0 255.255.255.0 any
access-list splitTunnelAclname permit ip 10.10.30.0 255.255.255.0 any
access-list splitTunnelAclname permit ip 193.62.83.0 255.255.255.0 any
vpngroup (pool name) split-tunnel (splitTunnelAclname)

Hope this helps

 
Hi,

I am trying to set up IAS, having some problems. I noticed you were running IAS also. I am wondering if I can put my IAS server on the inside network, same as my inside DNS. CCO seems to have it on the DMZ. Any examples would help. Thanks. Thanks for the post about split tunneling, now I understand it better.
 
swj38 is on the right track. PIXes can only do split tunneling, so you need to define what is on the VPN via the access-list. Then it will permit access to the local resources because it knows it's not behind the VPN.


BuckWeet
 
Can't you just tick the box in the Cisco VPN client software that says "Allow local LAN access"? In the properties of the connection? Or does that only work when connecting to the concentrators?

Sorry, we use both, and I'm not sure when I've enabled it in the past ...
 
I think the box that says "Allow local LAN access" only works if you are using the concentrators.
 
I know this post is rather late, but I have been having similar problems. In our case we are using VPN to connect to one of our clients' networks. We have no control over the network at the other end, and I doubt we could influence them to make any changes.

That said, we are running 3.5.1 client and some users can print to our local net while connected and others cannot. One user in particular I have been able to get working by adding an entry to the network config on the local workstation for one of our WINS servers. The user is running Win2k. Another user has the same basic config and can print sometimes, but not always. I have been unable to get a user running XP to print at all. I have tried changing entries for WINS as well as adding a static route to the local machine with no joy.

As an added note, both networks are using a 10.x.x.x addressing scheme with some overlapping addresses. The workstations and printers in question do not appear to overlap, though.

JLB
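As an added illustration (not part of the thread, and not Cisco's or the PIX's own code), the Python below models two points raised above: swj38's split-tunnel ACL deciding which destinations get encrypted, and JLB's note about overlapping 10.x.x.x ranges, expressed as an overlap check between the ACL networks and a home LAN. It assumes PIX ACL lines in exactly the form swj38 posted (ordinary subnet masks, not IOS wildcards); the home LAN prefixes are constructed.

```python
import ipaddress

# Constructed sample input: the split-tunnel ACL exactly as swj38 posted it.
SPLIT_TUNNEL_ACL = """
access-list splitTunnelAclname permit ip 10.10.20.0 255.255.255.0 any
access-list splitTunnelAclname permit ip 10.10.25.0 255.255.255.0 any
access-list splitTunnelAclname permit ip 10.10.30.0 255.255.255.0 any
access-list splitTunnelAclname permit ip 193.62.83.0 255.255.255.0 any
"""


def parse_split_tunnel_acl(text):
    """Return the networks a PIX split-tunnel ACL tells the client to encrypt.

    PIX ACLs use ordinary subnet masks (255.255.255.0), not IOS wildcard
    masks, so the mask field can be handed to ipaddress as-is.
    """
    nets = []
    for line in text.splitlines():
        parts = line.split()
        # Expected shape: access-list NAME permit PROTO SRC MASK DST
        if len(parts) < 7 or parts[0] != "access-list" or parts[2] != "permit":
            continue
        nets.append(ipaddress.ip_network(f"{parts[4]}/{parts[5]}", strict=False))
    return nets


def goes_into_tunnel(dst, tunnel_nets):
    """Split-tunnel decision: only destinations inside an ACL network are
    encrypted; everything else (home printer, file server, the Internet)
    leaves through the client's local interface."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in tunnel_nets)


def overlapping_networks(home_lan, tunnel_nets):
    """Tunnel networks that collide with the home LAN. A home host inside such
    a range stays unreachable even with split tunneling, because the client
    routes that range into the tunnel (JLB's overlapping 10.x.x.x case)."""
    home = ipaddress.ip_network(home_lan, strict=False)
    return [net for net in tunnel_nets if net.overlaps(home)]


if __name__ == "__main__":
    nets = parse_split_tunnel_acl(SPLIT_TUNNEL_ACL)
    for dst in ("10.10.25.17", "192.168.1.50"):
        where = "tunnel" if goes_into_tunnel(dst, nets) else "local LAN"
        print(f"{dst}: {where}")
    # Hypothetical home LAN chosen to overlap one of the office networks.
    print("overlaps:", [str(n) for n in overlapping_networks("10.10.20.0/22", nets)])
```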
 