03-07-2007 08:16 AM
Hi all, I have a PIX 6.3 with a certain number of VPN clients within an Intranet cloud.
While the VPN is on, the clients are unable to print locally.
If I enable the "local LAN access", in the client statistics I still see it as disabled.
I'm having trouble turning on split tunneling on the PIX because the clients must pass through the PIX in order to surf the Internet: in other words, I shouldn't enable split tunneling for certain destinations, but rather for everything else on the local LAN.
Thanks for any help
Stefano
03-07-2007 08:52 AM
Hi Stefano,
Did you establish a new connection after checking the "local LAN access" option? If not then you will need to because this option is only applicable for a new VPN connection.
HTH,
Please rate if it helps.
Regards,
Kamal
03-07-2007 09:08 AM
Hi Kamal,
Thanks for your answer.
I disconnected the VPN and then connected again, but it didn't work.
Is this what you meant?
Stefano
03-07-2007 09:36 AM
Hi,
"Allow Local LAN access" is not supposed to work this way.
As you have mentioned the clients should traverse the FW for their Internet access, so I assume, you have a PIX FW running code 7.X.
On PIX, you have an option of enabling split tunneling with the "excludespecified" option. You have to use that.
*****Don't worry, the Internet traffic would still go through the tunnel; only the Local LAN traffic would not enter the tunnel.
E.G. your VPN client's Local LAN (printer n/w) is on 10.1.1.0/24.
Create an ACL:
access-list nosplit standard permit 10.1.1.0 255.255.255.0
Go to Group policy:
group-policy vpnclient attributes
split-tunnel-policy excludespecified
split-tunnel-network-list value nosplit
exit
Of course, "Allow Local LAN access" should be checked on the client.
This is the only way it works, if you do not want split tunnel.
*Please rate if helped.
-Kanishka
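An added consistency check for the PIX 7.x "excludespecified" setup described in the post above (this is not code from the thread or from Cisco): it parses a config fragment and flags the mistakes that silently leave the local LAN inside the tunnel or, worse, push Internet traffic around the firewall. The config fragments, the ACL name "nosplit" and the group-policy name are constructed for the example.

```python
import re

# Constructed PIX 7.x fragments (not from the thread). The first one references
# an ACL name that was never defined, so nothing is actually excluded from the tunnel.
BROKEN_CONFIG = """\
access-list nosplit standard permit 10.1.1.0 255.255.255.0
group-policy vpnclient attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value split
"""
FIXED_CONFIG = BROKEN_CONFIG.replace("value split", "value nosplit")

ACL_RE = re.compile(r"access-list (\S+) standard permit (\S+) (\S+)$")
POLICY_RE = re.compile(r"split-tunnel-policy (\S+)$")
LIST_RE = re.compile(r"split-tunnel-network-list value (\S+)$")

def check_split_tunnel(config: str) -> list:
    """Return findings for the split-tunnel setup; an empty list means it is consistent."""
    acls = {}          # ACL name -> list of (network, mask) entries
    policy = None
    acl_ref = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif m := POLICY_RE.match(line):
            policy = m.group(1)
        elif m := LIST_RE.match(line):
            acl_ref = m.group(1)
    findings = []
    if policy != "excludespecified":
        findings.append(f"split-tunnel-policy is {policy!r}; only 'excludespecified' "
                        "keeps Internet traffic in the tunnel while freeing the local LAN")
    if acl_ref is None:
        findings.append("no split-tunnel-network-list configured; nothing is excluded")
    elif acl_ref not in acls:
        findings.append(f"split-tunnel-network-list refers to '{acl_ref}' but no such "
                        f"standard ACL exists (defined: {sorted(acls)})")
    else:
        for net, mask in acls[acl_ref]:
            # A 0.0.0.0 mask excludes everything, so Internet traffic would bypass the PIX.
            if mask == "0.0.0.0":
                findings.append(f"ACL '{acl_ref}' excludes all traffic ({net} {mask})")
    return findings

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, check_split_tunnel(cfg) or "OK")
```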
03-07-2007 09:48 AM
Just noticed you have a PIX 6.3. This will not work with a PIX 6.X code.
You need to either upgrade it or use split tunnel.
-Kanishka
03-07-2007 09:39 AM
Stefano -
Sorry to give you the bad news, but "Local LAN access" will be available only if you do split-tunneling. On the 6.3 version of code, there isn't any option to say "Exclude networks from tunneling".
In the 7.x version of code, there is an option to do that.
Hope this helps to answer your question.
Rate it, if it helps!!
Thanks
Gilbert
06-25-2007 09:57 PM
Hi Gilbert,
Just read the thread, because I also ran into this problem. I'm trying hard to make the RA VPN client work with PIX 6.3. Do you mean to say the "split-tunnel" option in the vpngroup command does not do the function of "allow local LAN access"? I'm quite confused with this. Is there any bug release about this problem? I tried to find any incompatibility of the VPN client software with PIX 6.3 code but I did not find any. Hope you can help me clear my mind on this. Thanks!
Regards,
Lorenz
06-26-2007 12:40 AM
Hi Lorenz,
Enabling split tunnel will take care of "Allow local LAN access". You will run into the problem of not being able to access the local LAN only when split tunnel is disabled.
PIX 7.x and concentrators have an option to exclude the Local LAN from the tunnel. PIX 6.X doesn't have this functionality, so the only option is to enable split tunnel.
PIX 6.X doesn't have any incompatibility with the VPN client. It will work perfectly fine, if the configuration is correct.
I hope this helps.
-Kanishka
06-26-2007 04:25 AM
Dear Stefano,
As you mentioned, you would hope to tunnel most of the local LAN traffic through the VPN but keep a certain amount of traffic destined for your printer within your local LAN, so why not exempt the printing traffic from the VPN interesting traffic in the first place?
Hope it helps.
Cheers,
James