Cisco VPN printing problem

Posted on 2009-02-18
Last Modified: 2012-05-06
I am working with my notebook (Win XP) on a customer's network. The notebook and the printers have IPs on different subnets/VLANs. I have created a TCP/IP port and installed a printer on my machine. Now, I am able to print directly to the printer.

To access my company's network we use the Cisco VPN Client (v5.0.00.0340), and I have configured the client to "Allow local LAN Access". The instant I connect to my company's network (to access e.g. my Exchange mail), I cannot print to or ping the printer anymore.
The above setup has worked flawlessly at other customers with one subnet, or at home.

A colleague said to me that it's impossible to route through to another subnet using Cisco's VPN, because the client thinks the subnet is NOT a local LAN.

Does anyone know a solution I can implement on my notebook so I can print when I am connected to my company's LAN?


Question by:Sontec
14 Comments
 
LVL 20

Assisted Solution

by:RPPreacher
RPPreacher earned 80 total points
ID: 23669029
The settings for split tunneling are enabled in your company's VPN server (PIX, ASA, or concentrator).  Checking the box in the client does nothing if the VPN server is not configured to allow split tunneling.
0
 

Author Comment

by:Sontec
ID: 23669522
I think all the settings are in place, because when I use the same VPN settings at home, I am able to print to my networked printer. Also I was able to print on internal printers from customers using e.g. 10.0.0.0/16. I was thinking of using some virtual network adapter, but haven't found the software to create one...
0
 
LVL 20

Expert Comment

by:RPPreacher
ID: 23670414
Traceroute to the problem printer.  Post the output.
0

 
LVL 3

Expert Comment

by:ciscoguy69
ID: 23671325
Do the same networks (subnets) exist on both the local client network and what is mapped for the tunnel? Can you paste the output of a route print from your machine?  
0
 
LVL 9

Expert Comment

by:Donboo
ID: 23671662
Did you only configure the client or did you also configure the VPN server to allow local LAN? If not, then you need to, to allow local LAN.
0
 

Author Comment

by:Sontec
ID: 23679041
DonBoo: Allow Access to Local LAN is enabled and working at other locations (like at home).
RPPreacher and Ciscoguy69: Don't know if the same subnet exists behind the VPN connection, but that shouldn't be a problem (I think this is a local problem). I attached tracerts and route prints of my notebook with and without a VPN connection.

These are the IPs and submask addresses used:
Customer's network IP: 172.16.64.19       submask: 255.255.254.0
My corporate VPN IP: 161.90.103.141      submask: 255.255.248.0
Customer's Printer's IP: 172.16.7.43         submask: 255.255.255.0

Like stated earlier, the Cisco client probably sees the printer-networks as a non local network.
Tracert-and-Route.pdf
0
 
LVL 9

Assisted Solution

by:Donboo
Donboo earned 80 total points
ID: 23679242
Sorry about that, I was tired when I replied to the post and didn't see that it worked from other locations.

But yes, you are right that the client doesn't see the printer network as LOCAL LAN, as the LOCAL LAN is from 172.16.64.1-172.16.65.254, so the printer IP isn't included and that's the reason it doesn't work.

To work around this you need to configure split tunneling; however, the disadvantage is that the client is opening a security risk to the remote network, because it is bypassing the secure gateway that would secure the remote network's infrastructure and thus making it accessible through the non-secured public network.
0
 
LVL 3

Assisted Solution

by:ciscoguy69
ciscoguy69 earned 80 total points
ID: 23681657
Ok, here is what appears to be happening. Your company is doing split tunneling but only allowing Local LAN access. So when you are at home, you are able to print because you are on the same subnet as your printer, same thing as access at most of your clients. The issue here is that the printer is not on the same subnet so it is falling under the default route which tosses it back to your company to connect. Since your company cannot pass the traffic back to the customer's network, it fails. You can have your admins exclude the subnet from the tunnel and it should work. You can also try setting a route on your client by doing "route add 172.16.7.0 MASK 255.255.255.0 172.16.64.2" from a command prompt in windows.
0
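The route selection ciscoguy69 describes, as an added example that is not part of the original thread: a longest-prefix-match lookup over two constructed Windows XP-style route print tables built from the addresses posted above. The tables, the metrics and the assumption that 172.16.64.2 is the customer LAN's default gateway are constructed for illustration; the lookup models only the IP route table, not the VPN client's own packet filtering.

```python
import ipaddress

# Constructed "route print" rows (destination, netmask, gateway, interface,
# metric). Not the asker's attached output; 172.16.64.2 as the customer
# gateway and all metrics are assumptions.
ROUTES_NO_VPN = """\
Network Destination  Netmask        Gateway         Interface       Metric
0.0.0.0              0.0.0.0        172.16.64.2     172.16.64.19    20
172.16.64.0          255.255.254.0  172.16.64.19    172.16.64.19    20
"""
ROUTES_VPN = """\
Network Destination  Netmask        Gateway         Interface       Metric
0.0.0.0              0.0.0.0        161.90.103.141  161.90.103.141  1
0.0.0.0              0.0.0.0        172.16.64.2     172.16.64.19    20
161.90.96.0          255.255.248.0  161.90.103.141  161.90.103.141  20
172.16.64.0          255.255.254.0  172.16.64.19    172.16.64.19    20
"""
VPN_IFACE = "161.90.103.141"  # corporate VPN adapter address from the thread

def parse_routes(text):
    """Parse the five-column IPv4 rows; skip headers and malformed lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        dest, mask, gateway, iface, metric = fields
        try:
            net = ipaddress.IPv4Network(f"{dest}/{mask}")
            routes.append((net, gateway, iface, int(metric)))
        except ValueError:
            continue
    return routes

def select_route(routes, destination):
    """Longest prefix wins; the lowest metric breaks ties."""
    addr = ipaddress.IPv4Address(destination)
    matches = [r for r in routes if addr in r[0]]
    return min(matches, key=lambda r: (-r[0].prefixlen, r[3])) if matches else None

def path_for(routes, destination):
    """Classify where a packet to `destination` is sent."""
    route = select_route(routes, destination)
    if route is None:
        return "unreachable"
    _, gateway, iface, _ = route
    if iface == VPN_IFACE:
        return "tunnel"
    return "on-link" if gateway == iface else "local-gateway"
```

With the VPN down the printer at 172.16.7.43 is reached through the customer's gateway; with the VPN up only the 172.16.64.0/23 subnet stays local and the printer falls under the tunnel's default route.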
 

Author Comment

by:Sontec
ID: 23689344
I work for a very big company and the VPN is used by thousands of colleagues worldwide, so my chances of having the network department change the VPN configuration are less than zero.
Also using "route add" doesn't work. The Cisco client is somehow blocking the route table.

When using the VPN on VMware on the same notebook I can just print from my notebook. VMware is using some virtual NICs, so I was thinking of installing some virtual NIC, but I haven't found one.
Also using a second (real) NIC on my notebook should work to access the local network when the VPN is up on the first NIC.... (I think).
I have to check this on Monday....
0
 
LVL 9

Expert Comment

by:Donboo
ID: 23690954
Split tunneling is not the same as LOCAL LAN, therefore an add route will not work. The added network is still not outside the encryption domain and thus will be encrypted and have a new destination IP (IP address of the VPN gateway) before route decisions are made on your PC.

Using a 2nd NIC on the same host that has the VPN client enabled will still not work, as the VPN client is embedded in the TCP/IP stack and intercepts all incoming packets. If it works it's a bug, since it will pose a security risk for the remote VPN network that is not wanted.
0
 
LVL 3

Expert Comment

by:ciscoguy69
ID: 23691773
Donboo is right, the second NIC should not work. The route add was a theory that I personally have never tested, I was just looking to give you a possible option outside of having you have the network guys modify the crypto. Donboo is not entirely correct when it comes to the split tunneling statement as there is a way to set split tunneling on the ASA with an exemption of 0.0.0.0 which allows Local LAN but I think he may be specifically talking about the setting in the client which is not the same. Ultimately your company's tunnel is set to tunnel all traffic with Local LAN traffic being the only exception through split tunnel. So to print, you will need to be on the same subnet as the printer. I hate to be the bearer of bad news but the only way to change that would be to get with the admins of the VPN.
0
 
LVL 9

Expert Comment

by:Donboo
ID: 23699487
I guess it's a matter of opinion on how you see the 2 things.

LOCAL LAN tunnels all except a variable network, whereas split tunnel only tunnels a defined network/networks, so I tend to look at it like 2 different things even if it's the same function in use.
0
 

Author Comment

by:Sontec
ID: 23744639
I haven't been able to check with a second network card yet. My old (Xircom) PCMCIA network is not supported within Windows XP. So I have to buy another card somewhere ...
0
 

Accepted Solution

by:
Sontec earned 0 total points
ID: 24149860
After letting the problem rest, it suddenly hit me! Yes, the printers and servers are on another VLAN, so I could not print when my Cisco client has a connection (even if local LAN access has been enabled). But we have about 10 PCs in the same VLAN, so I decided to
1. install the printer as a local TCP/IP printer on one of the PCs and share this printer.
From my notebook I connected to this "printserver" (Start --> Run --> \\PC-name) and installed the printer.
2. Upon request (PC/laptop are in different domains) I provided the local administrator & password of the PC and checked "Save password".
Now all my colleagues can print while using their VPN. This is of course not a real solution, but acceptable.
 

 
0

Question has a verified solution.