Allow Local LAN Access for VPN Clients on the VPN 3000 Concentrator Configuration Example

Document ID: 70775

Updated: Nov 14, 2007


Introduction

This document provides step-by-step instructions on how to allow VPN Clients to access only their local LAN while tunneled into a VPN 3000 Series Concentrator. This configuration gives VPN Clients secure access to corporate resources via IPsec and still lets the client carry out activities such as printing wherever the client happens to be located. Traffic destined for the Internet, where it is permitted at all, is still sent through the tunnel to the VPN Concentrator.

Note: This is not a configuration for split tunneling, where the client has unencrypted access to the Internet while connected to the VPN Concentrator. Refer to Split Tunneling for VPN Clients on the VPN 3000 Concentrator Configuration Example for information on how to configure split tunneling on the VPN 3000 Series Concentrators.

Prerequisites

Requirements

This document assumes that a working remote access VPN configuration already exists on the VPN Concentrator. Refer to the IPsec with VPN Client to VPN 3000 Concentrator Configuration Example if one is not already configured.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco VPN 3000 Concentrator Series Software version 4.7.2.H

  • Cisco VPN Client version 4.0.5

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Network Diagram

The VPN Client is located on a typical SOHO network and connects across the Internet to the main office.

local-lan-3k-1.gif

Conventions

Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Background Information

Unlike a classic split tunneling scenario in which all Internet traffic is sent unencrypted, enabling local LAN access for VPN Clients permits those clients to communicate unencrypted only with devices on the network on which they are located; that local traffic bypasses the tunnel and never reaches the VPN Concentrator. For example, a VPN Client that is allowed local LAN access while connected to the VPN Concentrator from home is able to print to its own printer, but cannot reach the Internet without first sending the traffic over the tunnel.

A network list is used in order to allow local LAN access in much the same way that split tunneling is configured on the VPN Concentrator. However, instead of defining which networks should be encrypted, the network list in this case defines which networks should not be encrypted. Moreover, unlike the split tunneling scenario, the actual networks in the list do not need to be known. Instead, the VPN Concentrator supplies a default network of 0.0.0.0/0.0.0.0 which is understood to mean the local LAN of the VPN Client.

Note: When the VPN Client is connected and configured for local LAN access, you cannot print or browse by name on the local LAN. However, you can browse or print by IP address. See the Troubleshooting section of this document for more information as well as workarounds for this situation.

Configure Local LAN Access for VPN Clients

Complete these two tasks in order to allow VPN Clients access to their local LAN while connected to the VPN Concentrator:

Configure the VPN Concentrator

Complete these steps on the VPN Concentrator in order to allow VPN Clients to have local LAN access while connected:

  1. Choose Configuration > Policy Management > Traffic Management > Network Lists.

    local-lan-3k-2.gif

  2. Verify that the VPN Client Local LAN (Default) list is present and click Modify to verify that the default network of 0.0.0.0/0.0.0.0 is present.

    Alternatively, you can type in a new network address and wildcard mask in order to define the network at this point. Click Apply when you are done.

    local-lan-3k-3.gif

  3. Once you confirm that the network list is present, you must assign it to a tunnel group. Choose Configuration > User Management > Groups, select the group you wish to change, and click Modify Group.

    local-lan-3k-4.gif

  4. Select the Client Config tab of the group that you have chosen to modify.

    local-lan-3k-5.gif

  5. Scroll down to the sections labeled Split Tunneling Policy and Split Tunneling Network List.

  6. Check Allow the networks in the list to bypass the tunnel. Then, select the list verified in step 2 in the drop-down.

    In this case it is VPN Client Local LAN (Default). The Inherit? checkboxes are automatically emptied in both cases.

    local-lan-3k-6.gif

  7. Click Apply when you are done.

Configure the VPN Client

Complete these steps in the VPN Client in order to allow the client to have local LAN access while connected to the VPN Concentrator.

  1. Choose your existing connection entry and click Modify.

    local-lan-3k-7.gif

  2. Go to the Transport tab and check Allow Local LAN Access. Click Save when you are done.

    local-lan-3k-8.gif

Verify

Follow the steps in these sections in order to verify your configuration.

Connect with the VPN Client

Connect your VPN Client to the VPN Concentrator in order to verify your configuration.

  1. Choose your connection entry from the list and click Connect.

    local-lan-3k-9.gif

  2. Enter your credentials.

    local-lan-3k-10.gif

  3. Choose Status > Statistics... in order to display the Tunnel Details window where you can inspect the particulars of the tunnel and see traffic flowing.

    local-lan-3k-11.gif

  4. Go to the Route Details tab in order to see which routes the VPN Client still has local access to.

    In this example, the VPN Client is allowed local LAN access to 192.168.0.0/24 while all other traffic is encrypted and sent across the tunnel.

    local-lan-3k-12.gif

View the VPN Client Log

When you examine the VPN Client log, you can determine whether or not the parameter that allows local LAN access was pushed to the client. In order to view the log, go to the Log tab in the VPN Client. Then click Log Settings in order to adjust what is logged. In this example, IKE and IPsec are set to 3 - High while all other log elements are set to 1 - Low.

local-lan-3k-13.gif

Cisco Systems VPN Client Version 4.0.5 (Rel)
Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2

1      16:22:08.214  07/19/06  Sev=Info/6	IKE/0x6300003B
Attempting to establish a connection with 172.22.1.106.


!--- Output is suppressed.


26     16:22:39.338  07/19/06  Sev=Info/5	IKE/0x6300005D
Client sending a firewall request to concentrator

27     16:22:39.338  07/19/06  Sev=Info/5	IKE/0x6300005C
Firewall Policy: Product=Cisco Systems Integrated Client, 
Capability= (Centralized Protection Policy).

28     16:22:39.338  07/19/06  Sev=Info/5	IKE/0x6300005C
Firewall Policy: Product=Cisco Intrusion Prevention Security Agent, 
Capability= (Are you There?).

29     16:22:39.348  07/19/06  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 172.22.1.106

30     16:22:39.348  07/19/06  Sev=Info/6	IKE/0x63000054
Sent a keepalive on the IPSec SA

31     16:22:40.200  07/19/06  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = 172.22.1.106

32     16:22:40.200  07/19/06  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 172.22.1.106

33     16:22:40.200  07/19/06  Sev=Info/5	IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 10.0.1.50

34     16:22:40.200  07/19/06  Sev=Info/5	IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0

35     16:22:40.200  07/19/06  Sev=Info/5	IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000

36     16:22:40.200  07/19/06  Sev=Info/5	IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000

37     16:22:40.210  07/19/06  Sev=Info/5	IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, 
Inc./VPN 3000 Concentrator Version 4.7.2.H built by vmurphy on Jun 29 2006 20:21:56

!--- Local LAN access is permitted and the local LAN defined.

38     16:22:40.230  07/19/06  Sev=Info/5	IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_INCLUDE_LOCAL_LAN (# of local_nets), 
value = 0x00000001

39     16:22:40.230  07/19/06  Sev=Info/5	IKE/0x6300000F
LOCAL_NET #1
	subnet = 192.168.0.0 
	mask = 255.255.255.0
	protocol = 0
	src port = 0
	dest port=0

40     16:22:40.230  07/19/06  Sev=Info/5	IKE/0x6300000D
MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194


!--- Output is suppressed.
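The Background Information section explains that the network list for local LAN access names the networks that bypass the tunnel, with 0.0.0.0/0.0.0.0 standing for "whatever LAN the client is on", and the log above shows how that list arrives at the client as MODECFG_UNITY_INCLUDE_LOCAL_LAN followed by LOCAL_NET entries. The following script is an added example, not Cisco code and not part of the original document: it parses those LOCAL_NET entries out of a VPN Client 4.x log, resolves the 0.0.0.0/0.0.0.0 placeholder against the client's own adapter subnet, and then classifies destinations as local (bypassing the tunnel) or tunneled. The log excerpt, the adapter address 192.168.0.10/255.255.255.0 and the destination addresses are constructed sample input, and the rule that the client substitutes its adapter subnet for the placeholder is an assumption of the example.

```python
"""Model of the local-LAN-bypass decision, driven by a VPN Client log.

Added example for this page (not Cisco code). It parses the LOCAL_NET entries
that the VPN 3000 Concentrator pushes in MODE_CFG_REPLY, resolves the
0.0.0.0/0.0.0.0 placeholder against the client's adapter subnet, and decides
per destination whether traffic bypasses the tunnel or is encrypted.
"""
import ipaddress
import re

# Constructed excerpt in the VPN Client 4.x log format shown on this page.
SAMPLE_LOG = """\
38     16:22:40.230  07/19/06  Sev=Info/5\tIKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_INCLUDE_LOCAL_LAN (# of local_nets),
value = 0x00000001

39     16:22:40.230  07/19/06  Sev=Info/5\tIKE/0x6300000F
LOCAL_NET #1
\tsubnet = 192.168.0.0
\tmask = 255.255.255.0
\tprotocol = 0
\tsrc port = 0
\tdest port=0
"""

# The attribute value is on the line after the attribute name, hence re.S.
_COUNT_RE = re.compile(
    r"MODECFG_UNITY_INCLUDE_LOCAL_LAN.*?value = 0x([0-9A-Fa-f]+)", re.S)
_NET_RE = re.compile(r"LOCAL_NET #\d+\s+subnet = (\S+)\s+mask = (\S+)")


def parse_local_nets(log_text):
    """Return (declared_count, [(subnet, mask), ...]) from a VPN Client log.

    declared_count is None when the local-LAN attribute never appeared, which
    means the group does not allow local LAN access (or the client did not
    check Allow Local LAN Access and so never asked for it).
    """
    m = _COUNT_RE.search(log_text)
    count = int(m.group(1), 16) if m else None
    nets = _NET_RE.findall(log_text)
    return count, nets


def resolve_bypass_networks(pushed, adapter_ip, adapter_mask):
    """Turn pushed LOCAL_NET entries into ip_network objects.

    0.0.0.0/0.0.0.0 is the concentrator's default "the LAN the client is on"
    entry; this example replaces it with the subnet of the client's physical
    adapter (assumption of the example, see the lead-in). Anything else is
    taken literally as network/netmask.
    """
    local = ipaddress.ip_interface(f"{adapter_ip}/{adapter_mask}").network
    result = []
    for subnet, mask in pushed:
        if subnet == "0.0.0.0" and mask == "0.0.0.0":
            result.append(local)
        else:
            result.append(ipaddress.ip_network(f"{subnet}/{mask}", strict=False))
    return result


def classify(dest, bypass_nets):
    """'local' if dest lies on a bypass network (sent in the clear on the LAN),
    otherwise 'tunnel' (encrypted to the VPN Concentrator)."""
    d = ipaddress.ip_address(dest)
    return "local" if any(d in n for n in bypass_nets) else "tunnel"


def demo():
    """Run the whole chain on the constructed log and a few destinations."""
    count, pushed = parse_local_nets(SAMPLE_LOG)
    if count is None:
        raise RuntimeError("local LAN access was not pushed by the concentrator")
    if count != len(pushed):
        raise RuntimeError(f"expected {count} LOCAL_NET entries, saw {len(pushed)}")
    nets = resolve_bypass_networks(pushed, "192.168.0.10", "255.255.255.0")
    # 192.168.0.3 is the local printer/host; 10.0.1.5 is behind the concentrator;
    # 198.51.100.7 stands in for an arbitrary Internet address.
    return {dst: classify(dst, nets)
            for dst in ("192.168.0.3", "10.0.1.5", "198.51.100.7")}


if __name__ == "__main__":
    for dst, verdict in demo().items():
        print(f"{dst:>14} -> {verdict}")
```

Run it against a real log by replacing SAMPLE_LOG with the contents of the VPN Client log file; if parse_local_nets returns None for the count, the concentrator never sent the local-LAN attribute, which points at the group's Split Tunneling Policy or the client's Allow Local LAN Access checkbox rather than at routing.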

Test Local LAN Access with Ping

An additional way to test that the VPN Client still has local LAN access while tunneled to the VPN Concentrator is to use the ping command at the Windows command line. The local LAN of the VPN Client is 192.168.0.0/24 and another host is present on the network with an IP address of 192.168.0.3.

C:\>ping 192.168.0.3
Pinging 192.168.0.3 with 32 bytes of data:

Reply from 192.168.0.3: bytes=32 time<1ms TTL=255
Reply from 192.168.0.3: bytes=32 time<1ms TTL=255
Reply from 192.168.0.3: bytes=32 time<1ms TTL=255
Reply from 192.168.0.3: bytes=32 time<1ms TTL=255

Ping statistics for 192.168.0.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

View Sessions on the Concentrator

You can also view the session(s) on the VPN Concentrator in order to verify that the tunnel is up.

  1. Choose Monitoring > Sessions in order to see active sessions on the VPN Concentrator.

    local-lan-3k-14.gif

  2. Scroll down to see more information about connected sessions.

    local-lan-3k-15.gif

Troubleshoot

Refer to IPsec with VPN Client to VPN 3000 Concentrator Configuration Example - Troubleshooting for general information on troubleshooting this configuration.

Unable to Print or Browse by Name

When the VPN Client is connected and configured for local LAN access, you cannot print or browse by name on the local LAN. There are two options available to work around this situation:

  • Browse or print by IP address.

    • In order to browse, instead of using the syntax \\servername, use the syntax \\x.x.x.x where x.x.x.x is the IP address of the host computer.

    • In order to print, change the properties for the network printer to use an IP address instead of a name. For example, instead of the syntax \\servername\printername, use \\x.x.x.x\printername, where x.x.x.x is the IP address of the print server.

  • Create or modify the VPN Client LMHOSTS file. An LMHOSTS file on a Windows PC allows you to create static mappings between hostnames and IP addresses. For example, an LMHOSTS file might look like this:

    192.168.0.3 SERVER1
    192.168.0.4 SERVER2
    192.168.0.5 SERVER3

    In Windows XP Professional Edition, the LMHOSTS file is located in %SystemRoot%\System32\Drivers\Etc. Refer to your Microsoft documentation or Microsoft KB Article 314108 for more information.
