09-11-2006 10:11 AM - edited 02-21-2020 01:10 AM
Remote users using Cisco VPN 4.2 connect successfully to a Cisco Pix 515 (ver. 6.3). The client is configured to allow Transparent Tunneling and Local Lan access, but once connected to the Pix, these two options are disabled. What configuration changes are required on the Pix to enable these options? Any assistance will be greatly appreciated.
Mike Bowyer
09-13-2006 08:12 AM
Hi Mike,
I think you have to specify the Split-Tunnel Policy for Easy VPN-Clients on PIX.
But be careful - split tunnel on client is only allowed for traffic on interfaces terminating the VPN-Tunnel. If the client has a second interface you can't use it while the vpn-tunnel is active.
Carsten
09-18-2006 06:20 AM
Carsten,
These are the configuration settings currently on the firewall in question:
access-list acl_vpn permit ip 10.x.x.x 255.x.x.0 192.168.x.0 255.255.x.x
ip local pool vpn-pool 192.168.x.x-192.168.x.x
vpngroup salesvpn address-pool vpn-pool
vpngroup salesvpn split-tunnel acl_vpn
Am I missing something else?
Thank you,
Mike
09-18-2006 09:56 AM
Hi Mike,
I'm doing this with VPN3000 at our location but there should be no big difference. As far as I can see the configuration you used should send traffic to 10.x.x.x into the IPSec-tunnel - all other traffic which is sent from the interface terminating the IPSec-Tunnel on the client-side should bypass the IPSec-tunnel.
Carsten
09-18-2006 12:47 PM
Carsten,
Yes, this is the desired configuration, all traffic to 10.x.x.x encrypted, all other traffic (web surfing, etc) bypasses the tunnel. Is this why the "Local LAN Access" and "Transparent Tunneling" are disabled once the connection is made, even though they are configured on the client to be enabled? If we remove the split tunnel (all traffic encrypted), will that enable Local Lan Access and Transparent Tunneling?
Thanks,
Mike
09-18-2006 01:21 PM
Hi Mike,
"Transparent Tunneling" and "Local Lan Access" are two different things. "Transparent Tunneling" is dealing with establishing an IPSec Tunnel even if a NAT device is between your client and the VPN-Headend-Device. "Local LAN Access" is dealing with access to devices in the LAN your VPN-Client-Device is connected to.
What do you mean exactly with "disabled once the connection is made" ?
You can check the local LAN Access by having a look at the Route-Table of the VPN-Client:
Right Click the yellow VPN-lock Icon in System-Tray while the VPN-Connection is active and select "Statistics ...". Have a look at the second register page "route details".
Are any local LAN routes displayed when you are connected ?
And - always remember two important restrictions the Online Help of the VPN-Client is mentioning:
1: This feature works only on one NIC card, the same NIC card as the tunnel.
2: While connected, you cannot print or browse the local LAN by name; when disconnected, you can print and browse by name.
Carsten
PS: Removing Split Tunnel won't enable local LAN access as all traffic would be sent into the IPSec tunnel.
09-19-2006 05:55 PM
Carsten,
The end users are all sales personnel. When they connect to the home office, they have a sales database on the home office LAN that they want to synchronize with their local (pc) data. The database vendor has told them that they need "transparent tunneling" and "local lan" enabled for the sync to happen. On the remote client, under the Tunneling tab, both the "Enable Transparent Tunneling (IPSec over UDP)" and "Allow Local LAN Access" options are selected. However, once the user establishes the VPN tunnel to the office, viewing the Tunnel Details tab of the Statistics page lists Transparent Tunneling as "Inactive" and Local LAN as "Disabled". All access to home office LAN resources (E-mail, shared network drives, etc) functions as expected. However, the databases won't sync. The vendor has identified these two options as critical to the sync process and therefore has stopped further technical support until these two options are "enabled".
I guess my real question is this:
What would cause the Transparent Tunneling and Allow Local LAN client options to be ignored/nullified?
Thanks for your continued assistance,
Mike
09-20-2006 12:21 AM
Mike,
my understanding is that transparent tunneling is negotiated when the VPN-tunnel is established. I would explain it as follows: The Client tries to set up a normal IPSec Tunnel and if this fails it switches to transparent tunneling and encapsulates IPSec in UDP or TCP packets. But - if there is no need for encapsulating IPSec in UDP or TCP as no NAT device is between VPN client and PIX, transparent tunneling is not active. In other words the option "Transparent Tunneling" in VPN client isn't a fixed rule, it enables a fallback.
If access to other home office LAN resources is working fine, transparent tunneling is working. If just the database won't sync my assumption is that the application tries to access the database by name (which is not working as the online help of the VPN client explains) - try to switch the database application to access the database by IP-address.
Carsten
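An added example, not code from the thread or from Cisco: a small Python check of the two points discussed above. It classifies constructed client-side flow records to tell whether ESP arrived natively (the client then shows Transparent Tunneling "Inactive", which is expected when no NAT sits between client and PIX) or UDP-encapsulated on NAT-T port 4500 or the PIX "IPSec over UDP" default port 10000, and it parses a constructed PIX 6.3 split-tunnel ACL (real addresses replace the thread's x placeholders) to confirm the database server is actually covered by the tunnel.

```python
import ipaddress
from collections import Counter

# Constructed flow records (ip_proto, src_port, dst_port), not from the thread.
# ESP = IP protocol 50, IKE = UDP/500, NAT-T = UDP/4500, PIX IPSec-over-UDP = UDP/10000.
SAMPLE_FLOWS_NO_NAT = [(17, 500, 500), (50, None, None), (50, None, None)]
SAMPLE_FLOWS_NAT = [(17, 500, 500), (17, 4500, 4500), (17, 10000, 10000)]

# Constructed split-tunnel ACL in PIX 6.3 syntax (normal subnet masks, not wildcards).
SAMPLE_ACL = [
    "access-list acl_vpn permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0",
]


def classify_flow(proto, sport, dport):
    """Label one flow by the IPsec transport it uses."""
    if proto == 50:
        return "native-esp"
    if proto == 17 and dport == 500:
        return "ike"
    if proto == 17 and dport in (4500, 10000):
        return "udp-encapsulated"  # what the VPN client calls Transparent Tunneling
    return "other"


def transparent_tunneling_state(flows):
    """Mirror the client's Tunnel Details label: 'Active' only when ESP was
    UDP-encapsulated, 'Inactive' when native ESP was negotiated instead."""
    labels = Counter(classify_flow(*f) for f in flows)
    if labels["udp-encapsulated"]:
        return "Active"
    if labels["native-esp"]:
        return "Inactive"
    return "No tunnel"


def split_tunnel_covers(acl_lines, host):
    """True if the split-tunnel ACL's source side (the network behind the PIX,
    which becomes a secured route on the client) includes the given host."""
    addr = ipaddress.ip_address(host)
    for line in acl_lines:
        parts = line.split()
        # access-list <name> permit ip <src-net> <src-mask> <dst-net> <dst-mask>
        if len(parts) < 8 or parts[0] != "access-list" or parts[2] != "permit":
            continue
        protected = ipaddress.ip_network(f"{parts[4]}/{parts[5]}", strict=False)
        if addr in protected:
            return True
    return False
```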