Cisco 5505 VPN & Local access

Posted on 2011-09-12
Last Modified: 2012-05-12
Have a Cisco 5505 router attached to our network. Users can currently log in and have access to our network via the VPN connections. They just log into a machine we have set up for remote access.

Is there a way that the users can access their resources while hooked on through the VPN?
We have the "Allow local access" box checked on the client, but it doesn't give the users the access they need (data & print).

Another wish is for the user to log in ... run a local app but send the print output to a printer on our network via the VPN.

Is this bridging of networks doable via a VPN link? If so, how?

Thanx ...

Ming ...

Question by:gmpon
LVL 18

Expert Comment

by:Garry Glendown
ID: 36524265
Check the routing on the client - most likely you're not using "split tunneling", which means once the VPN tunnel is up, you have the default route ( sent through the tunnel. Change the settings in the VPN profile for the appropriate profile to just use certain networks or IPs (LAN) for the tunnel, keeping the rest of the network left to the users' connection instead of your firewall ...
LVL 57

Expert Comment

by:Pete Long
ID: 36525134

Author Comment

ID: 36525170
Went into the ASA configuration ... Under Remote Access, Group Policies, Advanced, Split Tunnelling ...

Changed the policy to "Tunnel All Networks" ...

User still can't see his network ... he also indicates that even with the "allow access" checked, the status shows up as disabled.

I'm still not fully knowledgeable as to what all the options under split tunnelling are:

Policy: I've changed it to Tunnel All networks; ideally, it would only be a specific network I'm looking at ...

Network list: can be either capo, capi or split ... I have it set to split currently. Is there something I have to set under the 'Manage' button?

Intercept DHCP Configuration message from M/S clients:
currently set to inherit .. don't know where it's inheriting from ... but I could always uncheck and specify the actions I want here ... options under here are 'yes', 'no' and subnet mask.

Thanx ...

Ming ...


LVL 18

Expert Comment

by:Garry Glendown
ID: 36525315
"Tunnel all networks" is the opposite of what you want ...

Go to Remote Access VPN, Network (Client) Access, Group Policies,
then edit the group used for your users. Under advanced, go to Split tunneling.
Policy: Tunnel Network List Below
Network List: <some list of local networks> (click "Manage" if you didn't define it earlier)

That way, only the subnets configured should be routed through the VPN ...

Author Comment

ID: 36528613
Think I may have it .. yesterday's testing gave the user access to his network, but cut off access to mine ...

Changes made and we'll be testing this morning again ....

Where I goofed up was following the instructions in the link to the letter when I should have applied some common sense and looked at what was already there ... I generated a second split ACL with only the outside network listed ... However, I already had a split ACL which listed my DMZ, internal and external lines ... So this morning, I just added the ACE (external network) to the already existing split ACL.

Assuming this works .. my next question then is ... is it possible to add an entry so that all external networks are covered? I added the ACE to cover this one user. Can I add a 192.168.*.* somehow to cover any person coming in via the VPN?

Thanx ...

Ming ...

LVL 35

Expert Comment

by:Ernie Beek
ID: 36528755
Just change the mask to /16. So you get

Author Comment

ID: 36532007
OK ... Not working the way we envision it ...

Have the following:

The policy is set to "List Below"

The network list is set to "split"

1 -
2 - dmz-network/24
3 - inside-network/24
4 - are the addresses in our internal network.

The user can connect through the VPN ... they have full access to our devices (did a print this morning via an IP address).

When they try to run a local app talking to a server on their side ... it can't find their server. Their logging into the VPN seems to upset their IPs ...

What are we missing here to permit the user to talk to both our network and their network?

Thanx ...

Ming ...

LVL 18

Expert Comment

by:Garry Glendown
ID: 36532040
You do know that the subnet covers all IP networks from through, so you transport the user's LAN through to your site ...
change to:

and you should be good

Author Comment

ID: 36532806
OK .. now I'm confused ... I was aware of the range covered ... maybe I'm mistaken as to how it's applied within the router ....

Correct me if I'm wrong ... If I add the ... the data path is to try to redirect anything in that range to my site?... so I should not use that range in my ACE listing?

Isn't that the same as saying if I don't add their IPs ( to or any range that includes their IPs .. there shouldn't be an issue?

It appears to me we should just remove that entry so there's no need for redirection through the router of any kind. The app they're running is all local to them .. nothing to do with me, except for the redirect to an IP on my side for the printing ...

I see what you're saying ... maybe somewhere along the line our testing got muddled up ....

originally, they said they couldn't see our printer when they hooked on to the VPN. Then when I added the split, they said they could see the printer but couldn't see their own network. So one of these statements must be incorrect ...

Back to the drawing board ...

Ming ...
LVL 18

Accepted Solution

Garry Glendown earned 500 total points
ID: 36534138
- for the split tunneling, add ONLY the IPs or networks from YOUR END that are supposed to be available ON THE VPN. It's sort of like defining static routes for your VPN users which they activate when the VPN comes up
- on the client side, setting the option "allow local lan access" shouldn't hurt (though from personal experience, I've not needed it yet - seems to work without it)

Once the VPN is up, with split tunneling or without, access lists/policies may come into play, but they do not affect the routing of your client machines towards your network

Author Closing Comment

ID: 36538232
After many gyrations ... the truth came out as to what we really needed.

Split tunnelling wasn't actually needed ... and the source of our problems was an IP conflict between their network and our DMZ ...

Thanx ...

Ming ...
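The two lessons of this thread, as an added example that is not part of the original posts: the split-tunnel network list should carry only the site's own subnets (the suggested 192.168.0.0/16 entry would push a route for the user's whole home/office LAN into the tunnel), and no ACL change can fix a genuine address collision between the user's LAN and the site's DMZ, which is what the closing comment reports. The script below parses a standard ACL in the form the ASA uses for `split-tunnel-network-list`, flags both problems for a given client LAN, and renders a list that contains only the site subnets. The ACL name `split`, the site subnets and the client LANs are constructed sample values, not taken from the poster's device.

```python
"""Audit a Cisco ASA split-tunnel network list against a remote user's LAN.

Added example for this thread, not code from the page or from Cisco.
ACL name, subnets and client LANs below are constructed sample values.
"""
import ipaddress
import re

# Constructed sample: a split-tunnel ACL after the thread's "/16 to cover
# everyone" suggestion was applied. Not taken from a real device.
SAMPLE_SPLIT_ACL = """\
access-list split standard permit 172.16.10.0 255.255.255.0
access-list split standard permit 10.10.20.0 255.255.255.0
access-list split standard permit 192.168.0.0 255.255.0.0
"""

# Constructed sample: the subnets actually behind the ASA (DMZ and inside).
SAMPLE_SITE_NETS = ["172.16.10.0/24", "10.10.20.0/24"]

ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+standard\s+permit\s+"
    r"(?P<net>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<mask>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)


def parse_split_acl(text):
    """Parse 'access-list NAME standard permit NET MASK' lines into IPv4Networks.

    Only the standard-ACL form used for split-tunnel-network-list is handled;
    anything else raises so a typo is not silently skipped.
    """
    nets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = ACE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised ACE: {line!r}")
        # strict=True rejects host bits set under the mask (e.g. 10.1.1.5 /24).
        nets.append(ipaddress.IPv4Network((m["net"], m["mask"]), strict=True))
    return nets


def audit_split_tunnel(split_acl_text, site_nets, client_lan):
    """Return the problems a remote user on client_lan would hit.

    over_broad:    ACEs overlapping the user's LAN that are not a site subnet.
                   The ASA pushes these as routes when the tunnel comes up, so
                   the user's own servers vanish. Fix: remove or narrow the ACE.
    address_clash: site subnets overlapping the user's LAN. Split tunneling on
                   or off, the same range exists on both sides; one side has to
                   be readdressed (the root cause reported in this thread).
    """
    split = parse_split_acl(split_acl_text)
    site = [ipaddress.IPv4Network(n) for n in site_nets]
    client = ipaddress.IPv4Network(client_lan, strict=False)
    over_broad = [n for n in split if n.overlaps(client) and n not in site]
    address_clash = [n for n in site if n.overlaps(client)]
    return {"over_broad": over_broad, "address_clash": address_clash}


def render_split_acl(name, nets):
    """Emit a split-tunnel ACL carrying only the given (site) subnets."""
    lines = []
    for n in nets:
        n = ipaddress.IPv4Network(n)
        lines.append(f"access-list {name} standard permit {n.network_address} {n.netmask}")
    return "\n".join(lines)


if __name__ == "__main__":
    # A user whose LAN is 192.168.1.0/24: the /16 ACE swallows it.
    print(audit_split_tunnel(SAMPLE_SPLIT_ACL, SAMPLE_SITE_NETS, "192.168.1.0/24"))
    # A user whose LAN happens to be 172.16.10.0/24: a genuine clash with the DMZ.
    print(audit_split_tunnel(SAMPLE_SPLIT_ACL, SAMPLE_SITE_NETS, "172.16.10.0/24"))
    print(render_split_acl("split", SAMPLE_SITE_NETS))
```

On the ASA itself, the ASDM steps given above (Policy: Tunnel Network List Below, Network List: the split ACL) correspond to `split-tunnel-policy tunnelspecified` and `split-tunnel-network-list value <acl>` under `group-policy <name> attributes`; the rendered ACL is what that list should contain. The `address_clash` case is the one to check first when a user reports that the tunnel works but their own LAN disappears, since no split-tunnel setting changes it.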
