Allow Local LAN access - not working

Windows98 client using 3.5.1 VPN client software connecting to PIX501 (6.2 and PDM v.2) connects securely and can log into NT domain and connect to shares etc. All hunky dory. However....

I have ticked the VPN client dialogue box to allow Local LAN Access, but this shows up as disabled when connected, so the remote office user can't even browse the Internet through his local router or even print to a local printer.

Anyone any ideas??

cheers

Steve

3 REPLIES
New Member

Re: Allow Local LAN access - not working

You have to put a split tunnel setup in your VPN configuration on the PIX.

example:

ip local pool vpn 192.168.2.1-192.168.2.254

access-list vpnclientsplit permit ip 10.10.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list vpnclientsplit permit ip 10.10.2.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list vpnclientsplit permit ip 10.10.3.0 255.255.255.0 192.168.2.0 255.255.255.0

vpngroup vpn split-tunnel vpnclientsplit

David

New Member

Re: Allow Local LAN access - not working

Many thanks David for the reply.

Still a little confused - so to make it clearer -

Remote office network is on local subnet 192.168.0.0 connecting to Pix and main office subnet of 192.168.1.0 (the VPNpool is 192.168.2.0)

Does the 10.10.1.0 etc. in your example refer to the remote LAN(s)?

My config would be:

access-list vpnclientsplit permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0

This is ok for clients on a LAN, but what about single users on a dial-up to their ISP to the VPN?

Sorry for the hassle

Steve

New Member

Re: Allow Local LAN access - not working

Steve,

You need to make sure Split Tunnelling is enabled on your VPNGROUP on your PIX. Cfg should look something like this:

vpngroup groupname split-tunnel aclname

aclname will be an ACL on your PIX with permits to the networks you want encrypted/tunnelled. So, all traffic NOT matching this ACL will go out the user's home local router.

Hope that helps

Rich
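
The split-tunnel behaviour described in the replies above, as an added example that is not part of any post in this thread: a small Python check that reads PIX-style config text and reports which client destinations would be encrypted and which would leave through the user's local router. The sample config is constructed from the addresses mentioned in the thread (main office 192.168.1.0, pool 192.168.2.0); the function names are hypothetical, and it assumes the ACL layout of David's example (source = network behind the PIX, destination = VPN pool) and that a group with no split-tunnel line tunnels everything.

```python
import ipaddress

def split_acl_for(config, group):
    """Return the ACL name bound by 'vpngroup <group> split-tunnel <acl>', or None."""
    for line in config.splitlines():
        f = line.split()
        if len(f) == 4 and f[0] == "vpngroup" and f[1] == group and f[2] == "split-tunnel":
            return f[3]
    return None

def parse_split_acl(config, acl_name):
    """Collect the networks the client should tunnel from the named ACL."""
    tunnelled = []
    for line in config.splitlines():
        f = line.split()
        # Expected form: access-list <name> permit ip <src> <mask> <dst> <mask>
        if len(f) != 8 or f[:2] != ["access-list", acl_name] or f[2:4] != ["permit", "ip"]:
            continue
        # Assumption: the source field is the protected network behind the PIX.
        tunnelled.append(ipaddress.ip_network(f"{f[4]}/{f[5]}", strict=False))
    return tunnelled

def classify(config, group, destinations):
    """Map each destination IP to 'tunnel' or 'local' for clients in this group."""
    acl = split_acl_for(config, group)
    if acl is None:
        # Assumption: no split-tunnel line means all client traffic is tunnelled,
        # which matches the "Local LAN access disabled" symptom in the question.
        return {d: "tunnel" for d in destinations}
    nets = parse_split_acl(config, acl)
    return {d: "tunnel" if any(ipaddress.ip_address(d) in n for n in nets) else "local"
            for d in destinations}

# Constructed sample config using the subnets named in the thread.
SAMPLE_CONFIG = """\
ip local pool vpn 192.168.2.1-192.168.2.254
access-list vpnclientsplit permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
vpngroup vpn split-tunnel vpnclientsplit
"""
# Constructed destinations: main-office server, remote-office printer, Internet host.
SAMPLE_DESTS = ["192.168.1.10", "192.168.0.50", "198.51.100.7"]

if __name__ == "__main__":
    for dest, path in classify(SAMPLE_CONFIG, "vpn", SAMPLE_DESTS).items():
        print(f"{dest:15} -> {path}")
```

Anything reported as "local" bypasses the PIX and whatever filtering the main office applies, so keep the ACL limited to the networks that must be reached over the tunnel and review it whenever the office addressing changes.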
