Connect through Cisco VPN without losing local LAN connections (Linux RedHat 9 + Cisco Systems VPN Client Version 4.6.02)

Posted on 2005-04-22
Last Modified: 2010-04-12
I have installed the Cisco Systems VPN Client Version 4.6.02 (0030) on my RedHat Linux 9 box, and it works very well. Except that, while the VPN is connected, the RedHat box disappears off my LAN.

As my normal way of working is to ssh into the Linux box from the machine on my desk, this is very inconvenient!

The LAN is connected to the Internet through a ZyXel ADSL NAT router, if that makes any difference.

Out of interest, I also installed the Cisco VPN client on my Windows XP machine, and that had exactly the same effect.

I assume the VPN is directing all network traffic out through the VPN, rather than routing local traffic locally, and only VPN traffic remotely. But I'm not sure where to start to correct this (or even if the Cisco client allows it to be corrected).

Thanks in advance,

Nikki Locke
Question by:nikkilocke

Accepted Solution

by:
lrmoore earned 375 total points
ID: 13841984
The Cisco VPN client has an embedded firewall that is active whenever the client is active. There is another option that lets you enable the firewall always. "Stateful Firewall always on" is either checked or unchecked by the user to change the behavior while the VPN is not connected. Once connected, you have no control over this behavior.
There is another option to "allow local LAN access" that is controlled by the server end. Even though there is a check box for this on the client, it doesn't do anything. However, local LAN access means that the client can print, map drives to servers, get email, etc., but cannot share out files or printers or anything like that while connected.

This is a security "feature" of the Cisco VPN solution, and one reason that it is so successful.
Just think of the ramifications if your VPN users' PCs can be used as a tunnel into your corporate network.
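An added example, not part of the thread or of the answer above: the asker's guess (everything is routed into the tunnel) and the answer's explanation (the client's firewall drops inbound connections) can be told apart from the routing table. The sketch below does a longest-prefix match over constructed `route -n` output; the interface name `tun_vpn` and every address are made-up sample values.

```python
import ipaddress

# Constructed `route -n` output with the tunnel up (sample values only).
SAMPLE_ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
203.0.113.10    192.168.1.1     255.255.255.255 UGH   0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 tun_vpn
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 tun_vpn
"""

def parse_routes(text):
    """Return (network, gateway, metric, iface) tuples from `route -n` text."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8:
            continue  # title line or blank line
        try:
            net = ipaddress.ip_network(f"{fields[0]}/{fields[2]}")
        except ValueError:
            continue  # column header line
        routes.append((net, fields[1], int(fields[4]), fields[7]))
    return routes

def egress(routes, dest):
    """Pick the route the kernel would use: longest prefix, then lowest metric."""
    addr = ipaddress.ip_address(dest)
    hits = [r for r in routes if addr in r[0]]
    if not hits:
        return None
    return max(hits, key=lambda r: (r[0].prefixlen, -r[2]))

def diagnose(route_text, lan_peer, lan_iface):
    """Classify where replies to a LAN peer would leave this host."""
    best = egress(parse_routes(route_text), lan_peer)
    if best is None:
        return "no-route"
    if best[3] == lan_iface:
        # Routing to the LAN is intact, so lost connectivity points at
        # packet filtering rather than at the routing table.
        return "routed-locally"
    return "routed-into-" + best[3]

if __name__ == "__main__":
    print(diagnose(SAMPLE_ROUTE_N, "192.168.1.20", "eth0"))
```

A result of `routed-locally` while the desk machine still cannot connect is consistent with the firewall explanation given in the answer, not with the routing guess in the question.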
 
LVL 2

Author Comment

by:nikkilocke
ID: 13842011
I am the poor VPN user!

I don't want to tunnel into the network, I want to access _MY_ local LAN, at the _CLIENT_ end.

Otherwise I will have to attach a keyboard and screen to my Linux box, find a desk to put them on, and move over to work on that desk whenever I want to be connected to the VPN.

Expert Comment

by:lrmoore
ID: 13842048
>I am the poor VPN user!
I understand, but you have to remember what the product was designed for - security of the corporate ass(ets).
Just as you have viable reasons for wanting to access the PC while it is connected, if it was possible, then it would also be just as easy for other poor VPN users to exploit it, perhaps not even knowingly.

Author Comment

by:nikkilocke
ID: 13842637
What if I add another network card to the Linux box - will that other card still work to connect to the LAN?
Or is that prevented somehow as well?

Expert Comment

by:lrmoore
ID: 13842719
I doubt that will work, either. The VPN client uses a Deterministic Network Enhancer layer that works between the application layer and the hardware.

Author Comment

by:nikkilocke
ID: 13842835
I thought the Deterministic Network Enhancer layer was for Windows only. Am I wrong?

I am connecting my Linux box to the VPN.

P.S. Thanks for the replies - you will obviously get the points when I close the question, even though it is not the answer I want to hear :-)
Unless someone comes along who does have the answer I want to hear, of course. Then you'll just get a share!