Link to home
Start Free TrialLog in
Avatar of Diego Balgera
Diego BalgeraFlag for Italy

asked on

Cisco VPN client and allow local LAN access


my question is about the "local lan access" using the Cisco VPN client.

When I establish the VPN, all the traffic is injected in the IPSec VPN. Checking the VPN client status (Status / statistics) I see that:
- in "tunnel details", the local LAN is disabled (nothing changes if I enable the "allow local LAN access" in the VPN client profile, as it is overwritten by the VPN gateway administrator)
- in "route details", the whole traffic is secured (no local lan routes and in the secured routes)

However, I do need to access some resources locally and changing the configuration of the VPN gateway (allow the local LAN and add local lan routes) is unfortunately not an option :-((

Referring to the VPN client documentation, it states: "this feature (local LAN access) works only on one NIC card, the same NIC card as the tunnel". So I added a second NIC and configured the routing to the local resources via this second NIC but no way: when the VPN is established via the primary card still the access to local resources is prevented. I see that the routing table is correct and - when I initiate the traffic - only the arp entry appears showing that the local resource is being contacted via the second card but no IP traffic is initiated on that path ... :-(

Do you know a possible solution / workaround to access the local resources in this scenario, by using a second NIC card or with whatever else solution?

Thank you in advance!
Best regards.
Avatar of 2PiFL
Flag of United States of America image

This has to be enabled on the vpn server - there are no work arounds that I know of.
Avatar of Michael Worsham
2PiFL comment is correct. This setting is configured on the VPN server/concentrator.

The 'allow local LAN access' is also commonly referred to as split tunneling, as it allows you to have a VPN connection to the remote site as well as browse your internal network where you are located and access the Internet.

Avatar of Diego Balgera


Hi 2PiFL and mwecomputers,
thank you for your answers, first.

So, looks like there isn't anything to do. I raised this question because the Cisco documentation states that this feature (allow / disallow LAN local access, split tunneling) works on a single card, the one used to establish the tunnel. So I wrote to ask if someone knows if there is the possibility to access the local resources with a second network card (according to the documentation, the expected behaviour is quite vague for this).
But if the split tunnel block will prevent the access to local resources also for a second card with no possibility to configure it, I have to find another solution ... But before considering a totally different alternative, any idea?

Thank you again.
Avatar of Diego Balgera
Diego Balgera
Flag of Italy image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Can the remote site explore my local ressources if the "Allow local LAN access" is checked?
Hi Bluberi,
>>> Can the remote site explore my local resources if the "Allow local LAN access" is checked?
Unfortunately not. The "allow local LAN access" is enabled but overwritten by the configuration in the GW concentrator, so it doesn't take effect.
I'm still looking for a solution to overcome this aspect, maybe using a second network card to access the local resources.
Thank you for your answer.
Avatar of sberube

comment to mwecomputers.  Here is a quote from your statement
"The 'allow local LAN access' is also commonly referred to as split tunneling... allows [browsing] local and access the internet."

Actually, Cisco does specify that using this feature is NOT the same thing as allowing split tunneling.  However many network admins do not make the distinction and do not know it is possible to both restrict a user to only access Internet from the corporate VPN while allowing printing locally:
From the CISCO documentation:
"This configuration allows VPN Clients secure access to corporate resources via IPsec and still gives the client the ability to carry out activities like printing... This is not a configuration for split tunneling, where the client has unencrypted access to the Internet while connected to the VPN Concentrator"
Refer to

Unfortunately, as stated, network admins do not make the distinction and confuse the "Allow Local LAN Access" option with ONLY split tunneling, and rush to take it out.  This is really frustrating for end-users who only wish to print information needed for work and found on the corporate network.
Because, as earlier stated, once network admins take out the functionality on the VPN server, it cannot be bypassed.
The best work around is to install a virtual PC and connect to the VPN from it.  I have been doing this for years.  Within the virtual PC you are locked down, however, you can toggle out to your main desktop at anytime and still have full internet access.  You have to have to virtual PC local and use the virtual PC's viewer (not RDP or VNC which rely on TCP/IP) since you will not be able to talk to the virtual PC on the local network.  I do this now and even RDP into systems across the VPN.  Sometimes I am 3 or 4 levels deep.  I know it is a bit of a hassle and might be confusing but it gets you where you want with relative ease.

Have Fun!
I would have 2 questions if I might:
- With a virtual PC, can you print a document accessible only through VPN?
- Can we also print an email in Outlook while connected to VPN? My corporate Outlook works only on VPN