01-30-2006 07:28 AM
Hi
I know it's possible to configure split tunneling on the PIX 501, but is it possible to configure that everything is tunnelled, besides the local LAN you are connecting from? That option is available on the VPN 3000 Concentrator.
It would be nice to allow access to the local LAN (same subnet only, the one the PC is connected to), so people can print etc., if the printer is on the same subnet as the PC.
Is that somehow possible?
BR
Claus
01-31-2006 02:36 AM
Hello Claus,
To do that you have to enable split tunneling on your PIX, and add an ACL with a "permit ip any any" statement. This will push a "0.0.0.0 netmask 0.0.0.0" route to your VPN client, so you will be able to connect to your local network and everything else will be tunnelled.
Here's a sample config for PIX 6.3(4):
access-list SPLIT_TUNNEL_ACL permit ip 0.0.0.0 0.0.0.0 any
vpngroup VPNGROUP split-tunnel SPLIT_TUNNEL_ACL
Hope that helps,
pls rate all posts
Antoine
01-31-2006 03:00 AM
Hi Antoine
I've entered the following:
access-list VPN_local_lan permit ip any any
vpngroup ***** split-tunnel VPN_local_lan
But I don't have access to my local LAN.
My Pix is running 6.3(5)
When looking at statistics on the VPN client while connected, I have a 0.0.0.0 0.0.0.0 under the Secured routes section, but there is nothing under local LAN routes.
Am I missing an access-list allowing traffic from my VPN IP pool to my local LAN?
I have 192.168.3.0/24 addresses on the inside of the PIX.
I'm getting 192.168.250/24 addresses provided by the VPN pool.
I have this working access-list allowing me to get access from the VPN client PC to the inside LAN:
access-list VPN permit ip 192.168.3.0 255.255.255.0 192.168.250.0 255.255.255.0
Any idea what is wrong?
BR
Claus
01-31-2006 04:39 AM
Hum, it's working for me, I just tested it. What does your remote client's routing table look like?
If you have Windows, type "route print" in a command window.
You should have a default gateway to yourself in your VPN pool and one or several routes to your local LAN with the gateway set to your local LAN address.
In your VPN client, it's OK if you don't have anything in your LOCAL LAN routes; this part is used by the VPN concentrator.
I don't see anything wrong in your ACLs.
Please provide your client routing table.
pls rate all posts
Antoine
01-31-2006 07:18 AM
Hi Antoine
Here is my route table:
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.4.33.1 10.4.33.166 10
0.0.0.0 0.0.0.0 192.168.250.12 192.168.250.12 1
10.4.33.0 255.255.255.0 10.4.33.166 10.4.33.166 10
10.4.33.0 255.255.255.0 192.168.250.12 192.168.250.12 1
10.4.33.166 255.255.255.255 127.0.0.1 127.0.0.1 10
10.255.255.255 255.255.255.255 10.4.33.166 10.4.33.166 10
87.49.120.155 255.255.255.255 10.4.33.1 10.4.33.166 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.250.0 255.255.255.0 192.168.250.12 192.168.250.12 10
192.168.250.12 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.250.255 255.255.255.255 192.168.250.12 192.168.250.12 10
193.88.41.72 255.255.255.255 10.4.33.1 10.4.33.166 1
224.0.0.0 240.0.0.0 10.4.33.166 10.4.33.166 10
224.0.0.0 240.0.0.0 192.168.250.12 192.168.250.12 1
255.255.255.255 255.255.255.255 10.4.33.166 2 1
255.255.255.255 255.255.255.255 10.4.33.166 10.4.33.166 1
255.255.255.255 255.255.255.255 192.168.250.12 192.168.250.12 1
Default Gateway: 192.168.250.12
===========================================================================
It seems correct, doesn't it?
BR
Claus
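As an added illustration (not part of the thread or Cisco's own tooling), the script below applies the client-side route selection rule (longest prefix match, ties broken by lowest metric, which is how Windows picks a route) to the table Claus posted, to show which adapter traffic for a local-LAN host such as a printer would actually leave on. The table is a constructed copy of the rows above with the multicast and broadcast rows trimmed; the host addresses looked up are assumed examples.

```python
import ipaddress

# Constructed copy of the "Active Routes" rows from the post above
# (destination netmask gateway interface metric), multicast/broadcast rows omitted.
ROUTE_PRINT = """\
0.0.0.0 0.0.0.0 10.4.33.1 10.4.33.166 10
0.0.0.0 0.0.0.0 192.168.250.12 192.168.250.12 1
10.4.33.0 255.255.255.0 10.4.33.166 10.4.33.166 10
10.4.33.0 255.255.255.0 192.168.250.12 192.168.250.12 1
10.4.33.166 255.255.255.255 127.0.0.1 127.0.0.1 10
10.255.255.255 255.255.255.255 10.4.33.166 10.4.33.166 10
87.49.120.155 255.255.255.255 10.4.33.1 10.4.33.166 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.250.0 255.255.255.0 192.168.250.12 192.168.250.12 10
192.168.250.12 255.255.255.255 127.0.0.1 127.0.0.1 10
193.88.41.72 255.255.255.255 10.4.33.1 10.4.33.166 1
"""


def parse_routes(text):
    """Parse 'destination netmask gateway interface metric' rows into tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip header, blank and otherwise malformed lines
        dst, mask, gw, iface, metric = parts
        try:
            net = ipaddress.IPv4Network(f"{dst}/{mask}", strict=False)
        except ValueError:
            continue
        routes.append((net, gw, iface, int(metric)))
    return routes


def best_route(routes, host):
    """Longest-prefix match first, then lowest metric wins (Windows rule)."""
    addr = ipaddress.IPv4Address(host)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))


def egress_interface(routes, host):
    """Interface address the packet for `host` leaves on, or None."""
    r = best_route(routes, host)
    return r[2] if r else None


if __name__ == "__main__":
    table = parse_routes(ROUTE_PRINT)
    for h in ("10.4.33.50", "192.168.3.10", "87.49.120.155"):  # assumed example hosts
        net, gw, iface, metric = best_route(table, h)
        print(f"{h:>15} -> {net} via {gw} on {iface} (metric {metric})")
```

For a host on 10.4.33.0/24 the /24 route on the VPN adapter (metric 1) beats the same /24 on the physical adapter (metric 10), so local-LAN traffic is sent into the tunnel rather than delivered locally; only the /32 host routes via 10.4.33.1 bypass it.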