
Thread: Cisco VPN client connects, but restricts LAN access even when option is ENABLED...

  1. #1
    heweaver@gmail.com
    Guest

    Cisco VPN client connects, but restricts LAN access even when option is ENABLED...

    Our help desk (about 20 of us) connect to the corporate network from
    our location via the CISCO SYSTEMS VPN CLIENT software version number
    4.0.3(f).

    We DO have ENABLE LAN ACCESS checked, because (being a help desk) we
    need to access local printers, shared network resources, etc.

    However, about 10 or 20 minutes after we connect via the VPN client, it
    will cut off our local LAN access. When this happens, if we click on
    START we have to wait about 30 seconds for it to respond. If we click
    on RUN, we have to wait another 30 seconds or so. Just about anything
    we do is bugged by this horrible lag time that makes us wait for 30
    seconds at a time. When we start experiencing the lag, we can no longer
    access each other's computers, shared network drives, network printers,
    NOTHING except the external internet and our intranet sites.

    When we connect, and go to STATUS / STATISTICS, the box that displays
    information about the current connection comes up, and under the
    TRANSPORT section it says:

    Transparent Tunneling: Active on TCP port 10001
    Local LAN: DISABLED
    Compression: NONE

    Also, if we go to the ROUTE DETAILS, the entire left-hand side under
    LOCAL LAN ROUTES is completely empty.


    We have found that if we open a Windows Explorer folder of one of our
    network shares and leave it open (but minimized), then it isn't very
    likely to drop our LAN access. However, if we close that window, it's
    usually within 30 minutes that our LAN access is dropped.

    When we lose that access, we can disconnect our VPN client and
    re-connect, but all of our web applications for the intranet and our
    connection to our Lotus Notes mail server are terminated, so we have to
    close them all out and re-open them... but this constant logging on
    and off is hardly an efficient use of our time.

    Since we DO have the option enabled, but once connected the status
    displays DISABLED, would this be some kind of a server group policy
    being pushed down or something?

    If so, what details would I need to provide our network administrators
    to see what can be done to fix this? It's just terribly annoying and a
    waste of our time. Any explanation or advice would be greatly
    appreciated!

    Thanks!


  2. #2
    Junior Member
    Join Date
    Feb 2007
    Posts
    1
    We have a very similar problem, though we have version 4.8.01.03 of the Cisco Client and are using IPSec over UDP. We do not have the same lag time issues, but we are not able to access the local LAN. We are also a support organization, and a 3rd party supplier hosts the VPN for our client. They have told us the VPN is set up to support split tunneling; however, we are unable to access local LAN features. The Allow Local LAN Access option is selected, but shows as Disabled in the VPN Statistics window. Possibly there is some IPSec setting that needs to be enabled on the client, though on the surface it looks like this Local LAN option would work as described in the Cisco documentation. I was wondering if you were able to make any progress on your issue?

  3. #3
    PROBLEM:

    Even if you have Allow Local LAN Access checked, your administrator can override the value and disable it on you.


    WORKAROUND:

    Assuming your local LAN is 192.168.1.0/24 (has IP addresses between 192.168.1.1 and 192.168.1.254), and you have admin rights on your machine, you can modify the routing table!

    You need to do this EVERY TIME YOU CONNECT, as the Cisco client will inject the routes upon each connection.

    This simply deletes the "override" by removing the route map between your local LAN range and the VPN Interface.

    1. Connect to your Cisco VPN server
    2. Go to Status > Statistics > Tunnel Details and verify that Local LAN Access is "Disabled" under the Transport heading. (If it shows Enabled, then you have another issue preventing your access which can't be solved here.)

    3. OPEN A COMMAND PROMPT AND TYPE "route delete 192.168.1.0" (without quotes, where 192.168.1.0 is your local LAN)

    4. Try to ping or connect to a local machine to verify success.

    Enjoy!

  4. #4
    Junior Member
    Join Date
    Aug 2007
    Posts
    1

    Similar problem with Aventail VPN

    I realize this topic is for Cisco VPN, but I am having an identical problem with the Aventail client. I use Aventail Connect 5.34. My IT department has configured the client with restricted local network access, defined as follows:

    Restricted: Refuse non-directed connections (no local access) Connections to remote resources are redirected to the remote network; all other connections are refused.

    This prevents me from printing to the printer on my LAN etc. without disconnecting from the remote network first. I tried the suggestion above, and entered the following command in a command window:

    >route delete 192.168.1.0

    This gives me the following error message:
    The route specified was not found.

    A ROUTE PRINT command yields the following:

    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.8     25
            127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
          169.254.0.0      255.255.0.0      192.168.1.8      192.168.1.8     30
          192.168.1.0    255.255.255.0      192.168.1.8      192.168.1.8     25
          192.168.1.8  255.255.255.255        127.0.0.1        127.0.0.1     25
        192.168.1.255  255.255.255.255      192.168.1.8      192.168.1.8     25
            224.0.0.0        240.0.0.0      192.168.1.8      192.168.1.8     25
      255.255.255.255  255.255.255.255      192.168.1.8                2      1
      255.255.255.255  255.255.255.255      192.168.1.8      192.168.1.8      1
    Default Gateway:       192.168.1.1
    ===========================================================================
    Persistent Routes:
    None

    Does the solution for the CISCO also apply to my VPN client? If so, any clues as to what I'm doing wrong?

    Thanks!

  5. #5
    Junior Member
    Join Date
    Jun 2008
    Posts
    1
    Quote Originally Posted by opticalfiber
    PROBLEM:

    Even if you have Allow Local LAN Access checked, your administrator can override the value and disable it on you.


    WORKAROUND:

    Assuming your local LAN is 192.168.1.0/24 (has IP addresses between 192.168.1.1 and 192.168.1.254), and you have admin rights on your machine, you can modify the routing table!

    You need to do this EVERY TIME YOU CONNECT, as the Cisco client will inject the routes upon each connection.

    ...

    3. OPEN A COMMAND PROMPT AND TYPE "route delete 192.168.1.0" (without quotes, where 192.168.1.0 is your local LAN)

    4. Try to ping or connect to a local machine to verify success.

    Enjoy!
    I have Cisco VPN Client 5.0.00.0340; I have tried your advice without success. The only difference is that my local network is 10.0.1.#

    route delete 10.0.1.1

    However, these two entries remain -
    route print ... >
    10.0.1.0    255.255.255.0    10.0.1.6     10.0.1.6     25
    10.0.1.0    255.255.255.0    10.0.1.14    10.0.1.14    20

    Can you assist me to troubleshoot?

  6. #6
    Junior Member
    Join Date
    Jun 2009
    Posts
    1

    Local LAN Access

    I had the same problem - I had local LAN access enabled in my Cisco router config ("include-local-lan") and the "Allow Local LAN Access" box checked in the Cisco client config.

    I wasn't able to access the Internet etc as a route was added to my local routing table (shown with 'route print'). A default route "0.0.0.0 0.0.0.0" was added pointing to the IP address assigned to my PC by the client, e.g. "0.0.0.0 0.0.0.0 192.168.0.10 192.168.0.10".

    This was effectively trying to route all traffic via the VPN tunnel - local or not.

    To resolve this I created an ACL on the router allowing only certain traffic over the tunnel, e.g.

    "ip access-list extended VPNClientPKI_ACL
    permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255"

    (this permits traffic from the remote network 192.168.10.0 to the network assigned to VPN clients, 192.168.0.0).

    Once I had done this, the default route "0.0.0.0 0.0.0.0" was not added to my routing table anymore, and a route to the remote network was, e.g. "192.168.10.0 255.255.255.0 192.168.0.10 192.168.0.10"

    This was confirmed in the VPN client's Status / Statistics / Route Details / Secured Routes. The ACL I created was there, and the default route was gone, and I was able to access my local LAN and the Internet.

  7. #7
    Junior Member
    Join Date
    Mar 2010
    Posts
    1

    cvpn.bat

    Have fun!

    Code:
    @echo off
    
    REM Adjust the Cisco VPN routes.
    
    set command=%1
    set vpn="C:\Program Files\Cisco Systems\VPN Client\vpnclient.exe"
    set find="%windir%\system32\find.exe"
    REM VPN-side gateway address used by the route commands below.
    set dumas=192.168.123.45
    
    if "%command%"=="start" goto start
    if "%command%"=="stop" goto stop
    if "%command%"=="info" goto info
    if "%command%"=="dump" goto dump
    if "%command%"=="" goto toggle
    
    echo.
    echo Usage: cvpn.bat command
    echo.
    echo Where command is one of:
    echo.
    echo     start   start the Cisco VPN with LJSE.
    echo     stop    stop the VPN.
    echo     info    print some networking info.
    echo     dump    print the client dump, ipconfig and the routing table.
    echo.
    goto end
    
    :toggle
    REM Check the state of connection and toggle it.
    %vpn% stat | findstr "Time connected:" > nul
    if not errorlevel 1 (
      echo Connection will be terminated...
      goto stop
    ) else (
      echo Connecting...
      goto start
    )
    goto end
    
    :start
    %vpn% connect foo nocertpwd
    
    REM Drop the default route and the local-LAN route the client injects
    REM via the VPN gateway, then add only the remote network to tunnel.
    route delete 0.0.0.0       mask 0.0.0.0 %dumas%
    route delete 192.168.11.0 mask 255.255.255.0 %dumas%
    
    route add    172.34.0.0    mask 255.255.0.0 %dumas%
    
    goto end
    
    :info
    %vpn% stat
    goto end
    
    :dump
    %vpn% dump
    ipconfig
    echo.
    echo.
    echo.
    route print
    goto end
    
    :stop
    %vpn% disconnect
    goto end
    
    :end
    Last edited by marafaka; 03-17-10 at 03:20 AM. Reason: Protect the innocent.

  8. #8
    I used to have so many problems with our VPN in the office. I know that I am just starting my training with Cisco, and I hope that one day I can do a lot of things with networking.
    - Sam

  9. #9
    Junior Member
    Join Date
    Jan 2011
    Posts
    1

    Accessing local network printers blocked by Cisco VPN

    PROBLEM
    A Windows 7 PC has been provided by a third party to give access to their VPN using Cisco AnyConnect VPN Client. The local DHCP allocator gives it an address of 10.0.0.15. It can see the local network and access local resources including a network printer at 10.0.0.150. However, when the VPN is fired up, the PC can no longer print to the local network printer and can no longer ping it.

    The Cisco VPN client appears to amend the routing and arp tables to prevent access to the local subnet. This has been discussed on the internet where use of the route command has been recommended to work round these blocks. However, in this installation, the Cisco client also seems to prevent the route command from amending the routing. One ray of sunshine is that there is one local resource remaining visible, which is the DHCP allocator (in our case, the server at 10.0.0.3), which is useful as this is a significant resource which the user wishes to access. Access to other local resources could be provided by adjusting the Cisco setup but that is controlled by a third party unwilling to make the necessary changes.

    SOLUTION
    The router is a Netgear DGFV338, which allows me to multihome it by giving it a second IP address of 192.168.1.1. Without making any changes to the routing tables, I can ping that from the 10.0.0.x network.

    I have also adjusted the Netgear to forward 192.168.1.150 traffic to 10.0.0.150 and can now ping 192.168.1.150.

    Even with the Cisco VPN client fired up, the PC can now ping and use this printer (the one at 10.0.0.150) as if it were a printer at 192.168.1.150.

  10. #10
    Junior Member
    Join Date
    Apr 2011
    Posts
    2
    Gentlemen,

    I see that this is the only forum where this topic is thoroughly discussed.
    I have a very similar issue, and despite changing the routing table and reinstalling the Cisco VPN client, I still have issues with connecting to my LAN.
    My default gateway is: 9.36.216.129 (it allows internet and access to office printers, etc.)
    The gateway that the VPN overrides it with is: 192.168.52.82


    1. just in case I have reinstalled Cisco VPN Client (ver 5.0.07.0290) with option not to install stateful firewall:
    Code:
    msiexec.exe /i vpnclient_setup.msi DONTINSTALLFIREWALL=1

    2. After connecting, I have tried to mess around with the routing tables in many different ways.
    A. I have obviously changed the default gateway:
    Code:
    route delete 0.0.0.0 
    route add 0.0.0.0 mask 0.0.0.0 9.36.216.129
    then I added routing for dedicated servers on the VPN side using:
    Code:
    route add 139.53.213.0 mask 255.255.255.0 192.168.52.82
    As a result I could access the dedicated servers at 139.53.213.*, but I could not access anything in my LAN or the Internet even though the default gateway was set correctly in the routing table.

    B. I have even flushed the routing table, setting just my original gateway with:
    Code:
    route -f add 0.0.0.0 mask 0.0.0.0 9.36.216.129
    but it did not work either (no ping to my gateway, no access to anything on my LAN).

    I tried some more senseless options - none of them worked: each time after establishing a connection to the VPN, no access to my LAN.

    Is there any hope for me? Could anyone please help?

    Thanks,
    Nelis

    PS. I did not play too much with routing before, so maybe I am making some basic, obvious mistake?

  11. #11

    Split tunneling

    Tell your IT depts that they need to add split tunneling to their Cisco configs. It can be done on any modern Cisco platform.

    For an ASA, it is 1 access-list and 2 group policy entries. Something like:
    access-list vpn_splittunnel extended permit ip 192.168.1.0 255.255.255.0 any
    group-policy vpnclient attributes
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpn_splittunnel

    You should be able to access remote and all other places then. Only the "interesting" traffic will go through the tunnel which in this case is anything to 192.168.1.0.

    A router is similar, but slightly different.

  12. #12
    Junior Member
    Join Date
    Apr 2011
    Posts
    2
    sirianthe3rd, thanks for the answer - but that's the point - I want to achieve it on my own *without* telling my client's IT dept.
    I guess this whole topic is all about that: since we have admin rights on our machines, we should be able to modify the routing table the proper way, shouldn't we?

    thanks,
    nelis

  13. #13
    Junior Member
    Join Date
    Jun 2011
    Posts
    1

    no internet access

    Hello,
    after connecting to the VPN network using Cisco VPN I don't have internet access.
    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0    192.168.2.254     192.168.2.99     10
              0.0.0.0          0.0.0.0   10.128.181.161   10.128.181.162     11
       10.128.181.160  255.255.255.224         On-link    10.128.181.162    266
       10.128.181.162  255.255.255.255         On-link    10.128.181.162    266
       10.128.181.191  255.255.255.255         On-link    10.128.181.162    266
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
          192.168.2.0    255.255.255.0         On-link      192.168.2.99    266
          192.168.2.0    255.255.255.0   10.128.181.161   10.128.181.162    266
         192.168.2.99  255.255.255.255         On-link      192.168.2.99    266
         192.168.2.99  255.255.255.255   10.128.181.161   10.128.181.162    266
        192.168.2.254  255.255.255.255         On-link      192.168.2.99    100
        192.168.2.255  255.255.255.255         On-link      192.168.2.99    266
        193.43.77.106  255.255.255.255    192.168.2.254     192.168.2.99    100
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link      192.168.2.99    266
            224.0.0.0        240.0.0.0         On-link    10.128.181.162    266
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link      192.168.2.99    266
      255.255.255.255  255.255.255.255         On-link    10.128.181.162    266
    ===========================================================================
    Persistent Routes:
      Network Address          Netmask  Gateway Address  Metric
              0.0.0.0          0.0.0.0   10.128.181.161       1
    ===========================================================================

    IPv6 Route Table
    ===========================================================================
    Active Routes:
     If Metric Network Destination      Gateway
      1    306 ::1/128                  On-link
      1    306 ff00::/8                 On-link
    ===========================================================================

    How can I resolve this?

    thx,

    Lechoo
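An added example, not code from any post in this thread and not Cisco's: a small parser for the Active Routes section of a Windows `route print` dump, like the ones pasted above, that flags the two conditions the thread keeps running into: a default route pointing out of the VPN adapter (the symptom in post #6) and local-LAN prefixes duplicated through the VPN adapter (posts #5 and #13). The sample table is constructed from the dump in the post above, trimmed to a few rows; the VPN adapter address (10.128.181.162 here) is assumed to be read from `ipconfig` or the client's Statistics window, and the helper names (`parse_route_print`, `duplicated_via_vpn`, `report`) are mine.

```python
import re
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Constructed sample: rows taken from the IPv4 route table posted above,
# trimmed to the lines that matter for the diagnosis.
SAMPLE_ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.2.254     192.168.2.99     10
          0.0.0.0          0.0.0.0   10.128.181.161   10.128.181.162     11
   10.128.181.160  255.255.255.224         On-link    10.128.181.162    266
      192.168.2.0    255.255.255.0         On-link      192.168.2.99    266
      192.168.2.0    255.255.255.0   10.128.181.161   10.128.181.162    266
     192.168.2.99  255.255.255.255         On-link      192.168.2.99    266
     192.168.2.99  255.255.255.255   10.128.181.161   10.128.181.162    266
    192.168.2.254  255.255.255.255         On-link      192.168.2.99    100
    193.43.77.106  255.255.255.255    192.168.2.254     192.168.2.99    100
===========================================================================
Persistent Routes:
"""


@dataclass(frozen=True)
class Route:
    network: IPv4Network
    gateway: str            # dotted quad, or "On-link" (Vista and later)
    interface: IPv4Address
    metric: int


# destination  netmask  gateway  interface  metric
ROUTE_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_route_print(text):
    """Return the Active Routes of a `route print` dump as Route objects."""
    routes, in_active = [], False
    for line in text.splitlines():
        if line.strip().startswith("Active Routes:"):
            in_active = True
            continue
        if in_active and line.startswith("===="):
            break                       # end of the Active Routes section
        m = ROUTE_LINE.match(line)
        if in_active and m:
            dest, mask, gw, iface, metric = m.groups()
            routes.append(Route(IPv4Network(f"{dest}/{mask}", strict=False),
                                gw, IPv4Address(iface), int(metric)))
    return routes


def default_routes(routes):
    return [r for r in routes if r.network.prefixlen == 0]


def preferred_default(routes):
    """Windows forwards on the lowest-metric default route."""
    return min(default_routes(routes), key=lambda r: r.metric)


def default_via_vpn(routes, vpn_iface):
    """True when a 0.0.0.0/0 route points out of the VPN adapter."""
    vpn_iface = IPv4Address(vpn_iface)
    return any(r.interface == vpn_iface for r in default_routes(routes))


def duplicated_via_vpn(routes, vpn_iface):
    """Prefixes present both on-link and via the VPN adapter.

    Returns (network, on_link_metric, vpn_metric). When the VPN copy's
    metric is <= the on-link metric, local traffic for that prefix can be
    pulled into the tunnel, which is what "Local LAN: Disabled" looks like.
    """
    vpn_iface = IPv4Address(vpn_iface)
    on_link = {r.network: r.metric for r in routes
               if r.gateway == "On-link" and r.interface != vpn_iface}
    found = [(r.network, on_link[r.network], r.metric) for r in routes
             if r.interface == vpn_iface and r.gateway != "On-link"
             and r.network in on_link]
    return sorted(found, key=lambda t: (t[0].network_address, t[0].prefixlen))


def report(text, vpn_iface):
    """Summary lines for a dump; returned, not printed, so they can be checked."""
    routes = parse_route_print(text)
    best = preferred_default(routes)
    lines = [f"preferred default: via {best.gateway} on {best.interface} "
             f"(metric {best.metric})"]
    if default_via_vpn(routes, vpn_iface):
        lines.append("a default route points out of the VPN adapter: "
                     "traffic not matched by a more specific route may be tunnelled")
    for net, lm, vm in duplicated_via_vpn(routes, vpn_iface):
        verdict = "tunnel wins or ties" if vm <= lm else "on-link wins"
        lines.append(f"{net} on-link (metric {lm}) and via VPN (metric {vm}): {verdict}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_ROUTE_PRINT, "10.128.181.162")))
```

Run against the dump above it reports that the LAN default route (metric 10) still wins, that a second default route exists through the VPN adapter, and that 192.168.2.0/24 and the host's own 192.168.2.99/32 each exist twice with equal metrics, so the local subnet is contested between the on-link route and the tunnel.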

  14. #14
    Junior Member
    Join Date
    Aug 2011
    Posts
    1
    I have a Cisco ASA configured to receive IPsec and L2TP tunnels, and authentication is done on an external server. The server assigns the IP after authentication, but the netmask is lost, and the routes that were supposed to be installed are not installed, leaving only a default route.
    Can someone help me?

  15. #15
    Junior Member
    Join Date
    Oct 2011
    Posts
    3
    We are trying to access our LAN resources on our file server using the Cisco VPN client v5.0.6.0110 on the following subnet: 192.168.255.x. The server is on 192.168.255.x as well; the client is receiving an IP address on the 192.168.254.x subnet.
    There is a route set up for 192.168.255.0 with SM 255.255.255.0.
    Local LAN is "disabled".
    The client can ping the server and connect to it using RDP. However, the server cannot ping back to the workstation.
    Under "Bytes" we are NOT getting any RECEIVED bytes, ONLY SENT bytes.

    If we change it so that the client will get an IP address on the same subnet, 192.168.255.x, it is unable to ping or RDP to the server on the same subnet.
    We are able to ping outside to "google.ca", for instance.
    Under "Bytes" we are getting RECEIVED bytes and SENT bytes.

    Any thoughts on why this is not working? Any help is greatly appreciated...thank-you in advance...

    Michael

