Cisco VPN client, local LAN access and second NIC

Cisco VPN client, local LAN access and second NIC

NewsGroups | Search | Tools

General Cisco Forum - Cisco Systems - Hardware Software and Security News and Discussions 

Bookmark this page:  YahooMyWeb Yahoo!  Google Google  Windows Live Favorites Windows Live  del.icio.us del.icio.us  digg digg  Add to Netscape Netscape
Subject Author Date
Cisco VPN client, local LAN access and second NIC Diego Balgera 03-04-2008
If you were  Registered and logged in, you could reply and use other advanced thread options
Posted by Diego Balgera on March 4, 2008, 4:53 am
Hi,

my question is about the "local lan access" using the Cisco VPN client.

When I establish the VPN, all the traffic is injected in the IPSec VPN.
Checking the VPN client status (Status / statistics) I see that:
- in "tunnel details", the local LAN is disabled (nothing changes if I
enable the "allow local LAN access" in the VPN client profile, as it is
overwritten by the VPN gateway administrator)
- in "route details", the whole traffic is secured (no local lan routes
and 0.0.0.0/0.0.0.0 in the secured routes)

However, I do need to access some resources locally and changing the
configuration of the VPN gateway (allow the local LAN and add local lan
routes) is unfortunately not an option :-((

Referring to the VPN client documentation, it states: "this feature
(local LAN access) works only on one NIC card, the same NIC card as the
tunnel". So I added a second NIC and configured the routing to the local
resources via this second NIC but no way: when the VPN is established
via the primary card still the access to local resources is prevented. I
see that the routing table is correct and - when I initiate the traffic
- only the arp entry appears showing that the local resource is being
contacted via the second card but no IP traffic is initiated on that
path ... :-(

Do you know a possible solution / workaround to access the local
resources in this scenario, by using a second NIC card or with whatever
else solution?

Thank you in advance!
Best regards.
Diego.

Posted by Brian V on March 4, 2008, 7:45 am

> Hi,
> my question is about the "local lan access" using the Cisco VPN client.
> When I establish the VPN, all the traffic is injected in the IPSec VPN.
> Checking the VPN client status (Status / statistics) I see that:
> - in "tunnel details", the local LAN is disabled (nothing changes if I
> enable the "allow local LAN access" in the VPN client profile, as it is
> overwritten by the VPN gateway administrator)
> - in "route details", the whole traffic is secured (no local lan routes
> and 0.0.0.0/0.0.0.0 in the secured routes)
> However, I do need to access some resources locally and changing the
> configuration of the VPN gateway (allow the local LAN and add local lan
> routes) is unfortunately not an option :-((
> Referring to the VPN client documentation, it states: "this feature
> (local LAN access) works only on one NIC card, the same NIC card as the
> tunnel". So I added a second NIC and configured the routing to the local
> resources via this second NIC but no way: when the VPN is established
> via the primary card still the access to local resources is prevented. I
> see that the routing table is correct and - when I initiate the traffic
> - only the arp entry appears showing that the local resource is being
> contacted via the second card but no IP traffic is initiated on that
> path ... :-(
> Do you know a possible solution / workaround to access the local
> resources in this scenario, by using a second NIC card or with whatever
> else solution?
> Thank you in advance!
> Best regards.
> Diego.

Go to your IT department and plead your case as to why you need this
ability. If they determine that the need out-weighs the security risk then
they can make the appropriate adjustments on the VPN server or simply place
you in another VPN group.


Posted by moncho on March 14, 2008, 11:49 am
Diego Balgera wrote:
> Hi,
>
> my question is about the "local lan access" using the Cisco VPN client.
>
> When I establish the VPN, all the traffic is injected in the IPSec VPN.
> Checking the VPN client status (Status / statistics) I see that:
> - in "tunnel details", the local LAN is disabled (nothing changes if I
> enable the "allow local LAN access" in the VPN client profile, as it is
> overwritten by the VPN gateway administrator)
> - in "route details", the whole traffic is secured (no local lan routes
> and 0.0.0.0/0.0.0.0 in the secured routes)
>
> However, I do need to access some resources locally and changing the
> configuration of the VPN gateway (allow the local LAN and add local lan
> routes) is unfortunately not an option :-((
>
> Referring to the VPN client documentation, it states: "this feature
> (local LAN access) works only on one NIC card, the same NIC card as the
> tunnel". So I added a second NIC and configured the routing to the local
> resources via this second NIC but no way: when the VPN is established
> via the primary card still the access to local resources is prevented. I
> see that the routing table is correct and - when I initiate the traffic
> - only the arp entry appears showing that the local resource is being
> contacted via the second card but no IP traffic is initiated on that
> path ... :-(
>
> Do you know a possible solution / workaround to access the local
> resources in this scenario, by using a second NIC card or with whatever
> else solution?
>

Accessing the LAN and VPN at the same time is known as split-tunneling.

I believe, by default Cisco products turn this on by default.

Either way, as Brian V explained, give your IT department a buzz
and see if they will allow this functionality.

moncho

Similar ThreadsPosted
Setup split tunnel to allow access to local lan using cisco vpn client February 7, 2005, 8:20 am
PIX 506e - Configuring VPN Client Remote Access only using local DB without any external radius or tacas server November 30, 2006, 5:30 am
Local Lan Access on Windows Cisco VPN Version 5.0.00.0340 July 11, 2007, 12:48 pm
Cisco 506e - remote-access vpn, split tunnel, client has no internet access. November 28, 2006, 11:12 am
Cisco VPN Client - client-LAN access for headquarter April 1, 2009, 5:19 am
local is slower to access ? June 19, 2005, 12:21 pm
Local Lan Access not working July 26, 2005, 4:23 pm
Local LAN access - not working February 28, 2006, 1:41 pm
PIX 501 - Can not access local resources November 14, 2006, 9:13 pm
Pix 501 and Local Network / Router Access July 6, 2005, 3:30 pm

other useful resources:
The Federal Communications Commission (FCC)
Telecommunications Industry Association
Electronic and Software Security Products and Services
International Telecommunication Union

Custom CGI Perl and PHP programming by 1-Script.com

Contact Us | Privacy Policy
The site map in XML format XML site map