heathcote123

asked on
Split Tunnel / Allow local Lan access PIX 501

Could someone please give me a definitive answer (and reasoning, not just YES or NO!) to this:


If I want VPN clients to have access to their local LAN subnet while connected to the VPN, do I have to enable split tunneling, or is ticking the 'allow local LAN' checkbox in the client enough?


My thoughts are that split tunneling is only necessary if the clients need to connect outside of their local subnet while connected to the VPN, but I have a box that is currently thinking otherwise.

TIA
heathcote123 (ASKER)
ps

And does the 'allow local LAN' checkbox do anything at all if the stateful firewall isn't enabled?
> If I want VPN clients to have access to their local LAN subnet while connected to the VPN, do I have to enable split tunneling, or is ticking the 'allow local LAN' checkbox in the client enough?
If you want them to have access to the local network then ticking this box is all you need.

> My thoughts are that split tunneling is only necessary if the clients need to connect outside of their local subnet while connected to the VPN, but I have a box that is currently thinking otherwise.
You are correct.
I believe the stateful firewall is always enabled. I haven't seen a situation where it can be turned off.
grblades - I meant the stateful firewall on the client software with the on/off tick box; sorry for the confusion.

Any idea why I might not be able to access the local LAN with the client connected?

It's really odd: I have two PIXs configured almost identically, and neither has split tunnel enabled. When I connect to one I can access my local LAN; when I connect to the other I can't. My local LAN is not a conflicting subnet with the remote LANs, and the only other difference I can see is that one is software version 6.3(4) and the other is 6.3(5).

I'm obviously ticking 'allow local LAN access' on both connections.

I'm confused !

:)
"Allow local LAN access", I believe, is for data to traverse to the VPN client's LAN, not HQ. I believe this makes the VPN client act as a bridge to allow devices at HQ to communicate with devices on the far-end LAN.

As for split tunnelling, it's used to allow differentiating between interesting traffic and normal Internet traffic. I would say that you need to really take a hard look at both PIXs' ACLs; please post them here.

cheers.
rc
Apologies for incorrect info; I made a mistake with this. You could not access the local LAN when connected to either VPN.

It seems the 'allow local LAN' setting has no effect unless it is configured on the firewall by use of a split tunnel.

After lots of searching, I found I had to create a split tunnel using just the remote LAN and local LAN with:

access-list locallan permit ip any any
access-list locallan deny ip 192.168.7.0 255.255.255.0 any
vpngroup vpnusers split-tunnel locallan

This has the effect of forcing the client to send all traffic to the VPN, with the exception of 192.168.7.0, which it sends out locally.

This has almost the desired effect: a client connecting from 192.168.7.x can access both the remote and local LAN, and cannot make any connections to the Internet.

However, if for example a terminal services session is started to outside the local LAN BEFORE the connection is made, the VPN client doesn't kill it; it only kills new connections.

Any ideas?


The order of the ACL statements is important, as the first match wins. The order therefore needs to be:
access-list locallan deny ip 192.168.7.0 255.255.255.0 any
access-list locallan permit ip any any

Sorry, I don't know about the session problem.
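The first-match point above is easy to see by running it. The block below is an added example, not code from this thread or from Cisco: a minimal first-match evaluator for the two-line split-tunnel ACL, fed the lines in the order originally posted and in the reversed order. It makes simplifying assumptions that are labelled in the comments: each entry is reduced to (action, network) using the first explicit address/mask after `ip`, a packet is classified by destination only, a `permit` hit means "tunnel", a `deny` hit means "send locally", and the 10.0.0.0/8 corporate range and the sample destinations are constructed for the demonstration. It does not model the real PIX source/destination matching of `vpngroup split-tunnel`; it only shows why a `permit ip any any` placed first shadows every line after it.

```python
import ipaddress

# Added example, not from the original thread or from Cisco.
# Assumptions (simplifications for illustration):
#   - each ACL line is reduced to (action, network), where network is the first
#     explicit address/mask after 'ip', or 0.0.0.0/0 for 'any any';
#   - a packet is classified by its destination address only;
#   - a 'permit' match means the packet is tunnelled, a 'deny' match means it is
#     sent out the local interface, and no match at all is treated as 'local'
#     (implicit deny);
#   - the first matching line wins, as the reply above states.


def parse_split_tunnel_acl(lines):
    """Turn 'access-list <name> <permit|deny> ip <net> <mask> any' lines into (action, network)."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5 or parts[0].lower() != "access-list" or parts[3].lower() != "ip":
            raise ValueError(f"unsupported ACL line: {line!r}")
        action = parts[2].lower()
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in: {line!r}")
        addr_tokens = parts[4:]
        if addr_tokens[0].lower() == "any":
            network = ipaddress.ip_network("0.0.0.0/0")
        else:
            # ipaddress accepts the PIX 'address netmask' form as 'address/netmask'
            network = ipaddress.ip_network(f"{addr_tokens[0]}/{addr_tokens[1]}", strict=False)
        entries.append((action, network))
    return entries


def classify(acl, destination):
    """First match wins: 'tunnel' on a permit hit, 'local' on a deny hit or no hit."""
    dst = ipaddress.ip_address(destination)
    for action, network in acl:
        if dst in network:
            return "tunnel" if action == "permit" else "local"
    return "local"


# The ACL exactly as first posted (permit first) and with the order reversed.
POSTED_ORDER = parse_split_tunnel_acl([
    "access-list locallan permit ip any any",
    "access-list locallan deny ip 192.168.7.0 255.255.255.0 any",
])
CORRECTED_ORDER = parse_split_tunnel_acl([
    "access-list locallan deny ip 192.168.7.0 255.255.255.0 any",
    "access-list locallan permit ip any any",
])

# Constructed destinations: a host on the client's own LAN (192.168.7.0/24 from the
# thread), a host on an assumed 10.0.0.0/8 corporate LAN, and an Internet address.
SAMPLE_DESTINATIONS = ["192.168.7.10", "10.1.1.5", "198.51.100.7"]


def route_table(acl):
    """Map each sample destination to 'tunnel' or 'local' under the given ACL."""
    return {dst: classify(acl, dst) for dst in SAMPLE_DESTINATIONS}


if __name__ == "__main__":
    for name, acl in (("posted", POSTED_ORDER), ("corrected", CORRECTED_ORDER)):
        print(name, route_table(acl))
```

With the posted order every destination, including the client's own LAN, matches `permit ip any any` and is tunnelled, so the `deny` line is dead. With the deny line first, only 192.168.7.0/24 is sent locally and everything else, Internet included, still goes through the tunnel, which is the "local LAN but no Internet split" behaviour the asker was after.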
grblades is partially correct in that the ACL order is very important. That said, you need to take out the


access-list locallan deny ip 10.x.x.x 0.255.255.255 192.168.0.0 0.0.0.255

and add a deny statement  to the locallan access-list:

access-list locallan permit IP any any


where 10.x.x.x 0.255.255.255 is the subnet of your corporate LAN
where 192.168.0.0 0.0.0.255 is the subnet of your client dhcp pool that you bind to your "crypto isakmp client configuration group <groupname>"

This will allow normal traffic to route out to the Internet and deny interesting traffic to be encapsulated through your VPN tunnel.

That's just it: I don't want split tunneling to the Internet, only to the local LAN. A complete split tunnel is easy; it seems to be just allowing the local LAN that is giving difficulties.

Haven't been able to get into the PIX tonight; wanted to check the order as suggested, as I've been told some local LANs are OK and others not. Think it might be turned off; I'll update as soon as I get a chance.
I opened a case with Cisco on this, and they tell me the 'allow local LAN access' feature is NOT supported on the PIX 501.
ASKER CERTIFIED SOLUTION
Les Moore