Accessing LAN when Using Cisco VPN dialer 4
Asked by smarque1
Hello, I cannot access my network printer or any other LAN resources; I cannot even ping them when I'm connected through the VPN to our corporate network. Is there any way to work around this, or a hack to disable the firewall? I have local LAN access checked off, but it shows disabled in the statistics page. Any thoughts or suggestions you have would be appreciated. - thanks
ASKER
- Thanks for the reply. Here is the information you asked for:
I believe we connect to a VPN Concentrator; it is a static IP address.
I am on a broadband connection (Roadrunner cable) behind a Linksys 4-port switch/router, which has the other machines with printers etc. that I want to access.
I am an end user.
My local LAN subnet starts with 192.168.1.1 and the subnet mask is 255.255.255.0; on the VPN my IP is assigned to 10.1.128.xxx with subnet mask 255.255.240.0.
Cisco VPN client 4.0 (rel)
authentication: group authentication
transport: "enable transparent tunneling" is checked off; I can connect via IPsec over UDP (NAT/PAT) or IPsec over TCP port 80, both work; local LAN access is checked off but shows disabled in the statistics view when connected.
Here are the firewall rules listed in the dialer
FORWARD INBOUND SRC ADDRESS XXX.XXX.XXX.XXX/32 DST ADDRESS 192.168.1.102/32 PROTO 17 SRC PORT 500 DST PORT 500
FORWARD OUTBOUND SRC ADDRESS 192.168.1.102/32 DST ADDRESS XXX.XXX.XXX.XXX/32 PROTO 17 SRC PORT 500 DST PORT 500
FORWARD INBOUND SRC ADDRESS XXX.XXX.XXX.XXX/32 DST ADDRESS 192.168.1.102/32 PROTO 50 SRC PORT ANY DST PORT ANY
FORWARD OUTBOUND SRC ADDRESS 192.168.1.102/32 DST ADDRESS XXX.XXX.XXX.XXX/32 PROTO 50 SRC PORT ANY DST PORT ANY
FORWARD INBOUND SRC ADDRESS ANY DST ADDRESS 10.1.128.121/32 PROTO ANY SRC PORT N/A DST PORT N/A
FORWARD OUTBOUND SRC ADDRESS 10.1.128.121/32 DST ADDRESS ANY PROTO ANY SRC PORT N/A DST PORT N/A
DROP INBOUND SRC ADDRESS ANY DST ADDRESS LOCAL PROTO 17 SRC PORT 69 DST PORT ANY
DROP OUTBOUND SRC ADDRESS LOCAL DST ADDRESS ANY PROTO 17 SRC PORT ANY DST PORT 69
FORWARD OUTBOUND SRC ADDRESS LOCAL DST ADDRESS ANY PROTO ANY SRC PORT N/A DST PORT N/A
DROP INBOUND SRC ADDRESS ANY DST ADDRESS LOCAL PROTO ANY SRC PORT N/A DST PORT N/A
DROP OUTBOUND SRC ADDRESS LOCAL DST ADDRESS ANY PROTO ANY SRC PORT N/A DST PORT N/A
- thanks for your help
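The rule listing above explains the symptom on its own, if the rules are read top to bottom as a first-match list: rule 9 forwards anything the PC sends out, but rule 10 drops every inbound packet addressed to a local interface unless an earlier rule (IKE/ESP from the concentrator, or anything to the tunnel address) already matched, so a ping or LPD connection to 192.168.1.105 goes out and its reply never comes back. The following Python, added here as an illustration and not part of the original thread or of Cisco's client, parses the posted rules and walks constructed packets through them; it also carries out the subnet-overlap check a later reply asks about. First-match semantics, the 203.0.113.1 stand-in for the masked concentrator address, and the sample packets are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Addresses taken from the rule listing in the post: the PC's LAN address is
# 192.168.1.102 and its tunnel address is 10.1.128.121.  The concentrator's
# public address is masked as XXX.XXX.XXX.XXX in the post; 203.0.113.1 is a
# documentation-range placeholder standing in for it (assumption).
LOCAL_ADDRS = {"192.168.1.102", "10.1.128.121"}
CONCENTRATOR = "203.0.113.1"

# The eleven rules as posted, in order, with the placeholder substituted and the
# post's spelling slips (ADRESSS, PROT0) normalised so the lines tokenise.
RULES_TEXT = f"""
FORWARD INBOUND SRC ADDRESS {CONCENTRATOR}/32 DST ADDRESS 192.168.1.102/32 PROTO 17 SRC PORT 500 DST PORT 500
FORWARD OUTBOUND SRC ADDRESS 192.168.1.102/32 DST ADDRESS {CONCENTRATOR}/32 PROTO 17 SRC PORT 500 DST PORT 500
FORWARD INBOUND SRC ADDRESS {CONCENTRATOR}/32 DST ADDRESS 192.168.1.102/32 PROTO 50 SRC PORT ANY DST PORT ANY
FORWARD OUTBOUND SRC ADDRESS 192.168.1.102/32 DST ADDRESS {CONCENTRATOR}/32 PROTO 50 SRC PORT ANY DST PORT ANY
FORWARD INBOUND SRC ADDRESS ANY DST ADDRESS 10.1.128.121/32 PROTO ANY SRC PORT N/A DST PORT N/A
FORWARD OUTBOUND SRC ADDRESS 10.1.128.121/32 DST ADDRESS ANY PROTO ANY SRC PORT N/A DST PORT N/A
DROP INBOUND SRC ADDRESS ANY DST ADDRESS LOCAL PROTO 17 SRC PORT 69 DST PORT ANY
DROP OUTBOUND SRC ADDRESS LOCAL DST ADDRESS ANY PROTO 17 SRC PORT ANY DST PORT 69
FORWARD OUTBOUND SRC ADDRESS LOCAL DST ADDRESS ANY PROTO ANY SRC PORT N/A DST PORT N/A
DROP INBOUND SRC ADDRESS ANY DST ADDRESS LOCAL PROTO ANY SRC PORT N/A DST PORT N/A
DROP OUTBOUND SRC ADDRESS LOCAL DST ADDRESS ANY PROTO ANY SRC PORT N/A DST PORT N/A
"""


@dataclass
class Rule:
    action: str     # FORWARD or DROP
    direction: str  # INBOUND or OUTBOUND
    src: str        # CIDR, ANY or LOCAL
    dst: str
    proto: str      # IP protocol number or ANY
    sport: str      # port number, ANY or N/A
    dport: str


@dataclass
class Packet:
    direction: str
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None
    dport: Optional[int] = None


def parse_rules(text: str) -> List[Rule]:
    """Tokenise one rule per line:
    ACTION DIR SRC ADDRESS a DST ADDRESS b PROTO p SRC PORT x DST PORT y"""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) != 16:
            raise ValueError(f"unparseable rule: {line!r}")
        rules.append(Rule(t[0], t[1], t[4], t[7], t[9], t[12], t[15]))
    return rules


def _addr_ok(spec: str, addr: str) -> bool:
    if spec == "ANY":
        return True
    if spec == "LOCAL":  # LOCAL = any address bound to this PC
        return addr in LOCAL_ADDRS
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _port_ok(spec: str, port: Optional[int]) -> bool:
    if spec in ("ANY", "N/A"):
        return True
    return port is not None and int(spec) == port


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First-match evaluation (an assumption about the client's semantics).
    Returns (action, 1-based rule number), or ("NOMATCH", None)."""
    for n, r in enumerate(rules, start=1):
        if (r.direction == pkt.direction
                and _addr_ok(r.src, pkt.src) and _addr_ok(r.dst, pkt.dst)
                and (r.proto == "ANY" or int(r.proto) == pkt.proto)
                and _port_ok(r.sport, pkt.sport) and _port_ok(r.dport, pkt.dport)):
            return r.action, n
    return "NOMATCH", None


def subnets_overlap(a: str, b: str) -> bool:
    """Does the local LAN share address space with the corporate side?"""
    return ipaddress.ip_network(a, strict=False).overlaps(ipaddress.ip_network(b, strict=False))


RULES = parse_rules(RULES_TEXT)

# Constructed packets for the situations described in the thread.
PING_OUT = Packet("OUTBOUND", "192.168.1.102", "192.168.1.105", 1)            # echo request to printer
PING_BACK = Packet("INBOUND", "192.168.1.105", "192.168.1.102", 1)            # echo reply from printer
LPD_OUT = Packet("OUTBOUND", "192.168.1.102", "192.168.1.105", 6, 1234, 515)  # LPD connect to printer
LPD_BACK = Packet("INBOUND", "192.168.1.105", "192.168.1.102", 6, 515, 1234)  # SYN-ACK from printer
IKE_IN = Packet("INBOUND", CONCENTRATOR, "192.168.1.102", 17, 500, 500)        # IKE from concentrator
TUNNEL_IN = Packet("INBOUND", "10.1.1.5", "10.1.128.121", 6, 445, 50000)      # corporate host via tunnel

if __name__ == "__main__":
    for name, pkt in [("PING_OUT", PING_OUT), ("PING_BACK", PING_BACK), ("LPD_OUT", LPD_OUT),
                      ("LPD_BACK", LPD_BACK), ("IKE_IN", IKE_IN), ("TUNNEL_IN", TUNNEL_IN)]:
        print(f"{name:10s} -> {evaluate(RULES, pkt)}")
    print("LAN 192.168.1.0/24 overlaps VPN 10.1.128.0/20:",
          subnets_overlap("192.168.1.0/24", "10.1.128.0/20"))
```

Run stand-alone, the walk-through shows the outbound ping and LPD connect forwarded by rule 9 and their replies dropped by rule 10, while IKE from the concentrator and traffic to the tunnel address are forwarded by rules 1 and 5; the 192.168.1.0/24 LAN and the 10.1.128.0/20 tunnel range do not overlap, so the failure is the rule set, not an address clash.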
It sounds to me like you are trying to "split tunnel": access both the network you are VPN'ing into and your local network. This is possible but inadvisable in most situations, and is therefore a setting on the VPN server that overrides your client setting.
You could change that setting if you manage the VPN, but you would want to ensure that you were properly protected from the Internet within both LANs.
As it sits now, when you VPN in, you effectively unplug yourself from the network you are physically on and plug into the remote one.
Kent
ASKER
Understood. Is there a way to forward the ports that are blocked to my printer on my LAN? All I want to do is access my network printer, which has a static IP of 192.168.1.105.
- thanks
ASKER CERTIFIED SOLUTION
Are you still working on this? Do you need more help? Can you close this question?
I have a work around for this.
If you have access to the Internet while on your VPN and you have a public IP address on your local router, you can forward a TCP port to the local IP address of your print server. I use an Intel NetPort Express 10 and have TCP port 515 forwarded to the print server's address. I then set up a printer which prints to my network's public IP address. It works great whether I'm on the VPN or not. I only occasionally forget to change my printer while at the office, so I come home to find my print jobs. I've used this solution for over a year now with no problems.
What are you connecting to at the corporate end? PIX FW? VPN Concentrator? Router?
Are you on a broadband connection going through a router?
Are you an end-user only, or do you have control of both sides and are trying to get this set up to work?
Is your local LAN the same IP subnet as the private IP subnet at corporate? For example, is your local LAN IP subnet 192.168.1.0, and so is the private LAN on the corporate side?