Cisco VPN client connects, but restricts LAN access even when option is ENABLED...



heweaver@gmail.com
10-20-06, 09:58 AM
Our help desk (about 20 of us) connect to the corporate network from
our location via the CISCO SYSTEMS VPN CLIENT software version number
4.0.3(f).

We DO have ENABLE LAN ACCESS checked, because (being a help desk) we
need to access local printers, shared network resources, etc.

However, about 10 or 20 minutes after we connect via VPN client, it
will cut off our local LAN access. When this happens, if we click on
START we have to wait about 30 seconds for it to respond. If we click
on RUN, we have to wait another 30 seconds or so. Just about anything
we do is bugged by this horrible lag time that makes us wait for 30
seconds at a time. When we start experiencing the lag, we can no longer
access each other's computers, shared network drives, network printers,
NOTHING except the external internet and our intranet sites.

When we connect, and go to STATUS / STATISTICS, the box that displays
information about the current connection comes up, and under the
TRANSPORT section it says:

Transparent Tunneling: Active on TCP port 10001
Local LAN: DISABLED
Compression: NONE

Also, if we go to the ROUTE DETAILS, the entire lefthand side under
LOCAL LAN ROUTES is completely empty.


We have found that if we open a Windows Explorer folder of one of our
network shares, and leave it opened (but minimized) then it isn't very
likely to drop our LAN access. However, if we close that window, it's
usually within 30 minutes that our LAN access is dropped.

When we lose that access, we can disconnect our VPN client and
re-connect, but all of our web applications for the intranet and our
connection to our Lotus Notes mail server are terminated, so we have to
close them all out and re-open them... but this constant logging on
and off is hardly an efficient use of our time.

Since we DO have the option enabled, but once connected the status
displays DISABLED, would this be some kind of a server group policy
being pushed down or something?

If so, what details would I need to provide our network administrators
to see what can be done to fix this. It's just terribly annoying and a
waste of our time. Any explanation or advice would be greatly
appreciated!

Thanks!

gzb4zp
02-15-07, 06:31 PM
We have a very similar problem, though we have version 4.8.01.03 of the Cisco Client and are using IPSec over UDP. We do not have the same lag time issues, but are not able to access the local LAN. We are also a support organization, and a 3rd party supplier hosts the VPN for our client. They have told us the VPN is set up to support split tunneling; however, we are unable to access local LAN features. The Allow Local LAN Access option is selected, but shows as Disabled in the VPN Statistics window. Possibly there is some IPSec setting that needs to be enabled on the client, though on the surface it looks like this Local LAN option should work as described in the Cisco documentation. Was wondering if you were able to make any progress on your issue?

opticalfiber
04-23-07, 01:33 PM
PROBLEM:

Even if you have Allow Local LAN Access checked, your administrator can override the value and disable it on you.


WORKAROUND:

Assuming your local LAN is 192.168.1.0/24 (has IP addresses between 192.168.1.1 and 192.168.1.254), and you have admin rights on your machine, you can modify the routing table!

You need to do this EVERY TIME YOU CONNECT, as the Cisco client will inject the routes upon each connection.

This simply deletes the "override" by removing the route map between your local LAN range and the VPN Interface.

1. Connect to your Cisco VPN server
2. Go to Status > Statistics > Tunnel Details and verify that Local LAN Access is "Disabled" under the Transport heading. (If it shows Enabled, then you have another issue preventing your access which can't be solved here.)

3. OPEN A COMMAND PROMPT AND TYPE "route delete 192.168.1.0" (without quotes, where 192.168.1.0 is your local LAN)

4. Try to ping or connect to a local machine to verify success.

Enjoy!

yambu
08-12-07, 11:17 PM
I realize this topic is for Cisco VPN, but I am having an identical problem with the Aventail client. I use Aventail Connect 5.34. My IT department has configured the client with restricted local network access, defined as follows:

Restricted: Refuse non-directed connections (no local access) Connections to remote resources are redirected to the remote network; all other connections are refused.

This prevents me from printing to the printer on my LAN etc. without disconnecting from the remote network first. I tried the suggestion above, and entered the following command in a command window:

>route delete 192.168.1.0

This gives me the following error message:
The route specified was not found.

a ROUTE PRINT command yields the following:

Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.8 25
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
169.254.0.0 255.255.0.0 192.168.1.8 192.168.1.8 30
192.168.1.0 255.255.255.0 192.168.1.8 192.168.1.8 25
192.168.1.8 255.255.255.255 127.0.0.1 127.0.0.1 25
192.168.1.255 255.255.255.255 192.168.1.8 192.168.1.8 25
224.0.0.0 240.0.0.0 192.168.1.8 192.168.1.8 25
255.255.255.255 255.255.255.255 192.168.1.8 2 1
255.255.255.255 255.255.255.255 192.168.1.8 192.168.1.8 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None

Does the solution for the CISCO also apply to my VPN client? If so, any clues as to what I'm doing wrong?

Thanks!

zabzoo
06-10-08, 09:53 AM
PROBLEM:

Even if you have Allow Local LAN Access checked, your administrator can override the value and disable it on you.


WORKAROUND:

Assuming your local LAN is 192.168.1.0/24 (has IP addresses between 192.168.1.1 and 192.168.1.254), and you have admin rights on your machine, you can modify the routing table!

You need to do this EVERY TIME YOU CONNECT, as the Cisco client will inject the routes upon each connection.

...

3. OPEN A COMMAND PROMPT AND TYPE "route delete 192.168.1.0" (without quotes, where 192.168.1.0 is your local LAN)

4. Try to ping or connect to a local machine to verify success.

Enjoy!

I have Cisco VPN Client 5.0.00.0340; I have tried your advice without success; the only difference is my local network is 10.0.1.#

route delete 10.0.1.1

However, these two entries remain:
route print ... >
10.0.1.0    255.255.255.0    10.0.1.6     10.0.1.6     25
10.0.1.0    255.255.255.0    10.0.1.14    10.0.1.14    20

Can you assist me to troubleshoot?

mblake4u
06-22-09, 04:36 PM
I had the same problem. I had local LAN access enabled in my Cisco router config ("include-local-lan") and the "Allow Local LAN Access" box checked in the Cisco client config.

I wasn't able to access the Internet etc. as a route was added to my local routing table (shown with 'route print'). A default route "0.0.0.0 0.0.0.0" was added pointing to the IP address assigned to my PC by the client, e.g. "0.0.0.0 0.0.0.0 192.168.0.10 192.168.0.10".

This was effectively trying to route all traffic via the VPN tunnel, local or not.

To resolve this I created an ACL on the router allowing only certain traffic over the tunnel, e.g.

"ip access-list extended VPNClientPKI_ACL
permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255"

(this permits traffic from the remote network 192.168.10.0 to the network assigned to VPN clients, 192.168.0.0).

Once I had done this, the default route "0.0.0.0 0.0.0.0" was not added to my routing table anymore, and a route to the remote network was, e.g. "192.168.10.0 255.255.255.0 192.168.0.10 192.168.0.10".

This was confirmed in the VPN client's Status / Statistics / Route Details / Secured Routes. The ACL I created was there, and the default route was gone, and I was able to access my local LAN and the Internet.

marafaka
03-17-10, 03:17 AM
Have fun!


@echo off

REM Adjust the Cisco VPN routes.

set command=%1
set vpn="C:\Program Files\Cisco Systems\VPN Client\vpnclient.exe"
set find="%windir%\system32\find.exe"
REM Gateway address the VPN client hands out; adjust for your setup.
set dumas=192.168.123.45

if "%command%"=="start" goto start
if "%command%"=="stop" goto stop
if "%command%"=="info" goto info
if "%command%"=="dump" goto dump
if "%command%"=="" goto toggle

echo.
echo Usage: cvpn.bat command
echo.
echo Where command is one of:
echo.
echo start start the Cisco VPN with LJSE.
echo stop stop the VPN.
echo info print some networking info.
echo dump dump the client state, ipconfig and the routing table.
echo.
goto end

:toggle
REM Check the state of connection and toggle it.
REM /C: searches for the whole phrase; without it findstr would match "Time" OR "connected:".
%vpn% stat | findstr /C:"Time connected:" > nul
if not errorlevel 1 (
echo Connection will be terminated...
goto stop
) else (
echo Connecting...
goto start
)
goto end

:start
%vpn% connect foo nocertpwd

REM Remove the default route and the LAN route the client injected via the VPN gateway.
route delete 0.0.0.0 mask 0.0.0.0 %dumas%
route delete 192.168.11.0 mask 255.255.255.0 %dumas%

REM Send only the remote network through the tunnel.
route add 172.34.0.0 mask 255.255.0.0 %dumas%

goto end

:info
%vpn% stat
goto end

:dump
%vpn% dump
ipconfig
echo.
echo.
echo.
route print
goto end

:stop
%vpn% disconnect
goto end

:end

SamanthaSmith
06-19-10, 04:31 AM
I used to have so many problems with our VPN in the office. I know that I am just starting my training with CISCO and I hope that one day I can do a lot of things with networking.

glebe
01-01-11, 06:13 AM
PROBLEM
A Windows 7 PC has been provided by a third party to give access to their VPN using Cisco AnyConnect VPN Client. The local DHCP allocator gives it an address of 10.0.0.15. It can see the local network and access local resources including a network printer at 10.0.0.150. However, when the VPN is fired up, the PC can no longer print to the local network printer and can no longer ping it.

The Cisco VPN client appears to amend the routing and arp tables to prevent access to the local subnet. This has been discussed on the internet where use of the route command has been recommended to work round these blocks. However, in this installation, the Cisco client also seems to prevent the route command from amending the routing. One ray of sunshine is that there is one local resource remaining visible, which is the DHCP allocator (in our case, the server at 10.0.0.3), which is useful as this is a significant resource which the user wishes to access. Access to other local resources could be provided by adjusting the Cisco setup but that is controlled by a third party unwilling to make the necessary changes.

SOLUTION
The router is a netgear DGFV338 which allows me to multihome it by giving it a second IP address of 192.168.1.1. Without making any changes to the routing tables, I can ping that from the 10.0.0.x network.

I have also adjusted the netgear to forward 192.168.1.150 traffic to 10.0.0.150 and can now ping 192.168.1.150.

Even with the Cisco VPN client fired up, the PC can now ping and use this printer (the one at 10.0.0.150) as if it were a printer at 192.168.1.150.

nelis
04-07-11, 02:53 AM
Gentlemen,

I see that this is the only forum where this topic is thoroughly discussed.
I have a very similar issue, and despite changing the routing table and reinstalling the Cisco VPN client, I still have issues with connection to my LAN.
My default gateway is: 9.36.216.129 (it allows internet and access to office printers, etc.)
The gateway that the VPN overrides is: 192.168.52.82


1. just in case I have reinstalled Cisco VPN Client (ver 5.0.07.0290) with option not to install stateful firewall:

msiexec.exe /i vpnclient_setup.msi DONTINSTALLFIREWALL=1


2. After connecting, I have tried to mess around with the routing tables in many different ways.
A. I have obviously changed the default gateway:


route delete 0.0.0.0
route add 0.0.0.0 mask 0.0.0.0 9.36.216.129

then I added routing for dedicated servers on the VPN side using:


route add 139.53.213.0 mask 255.255.255.0 192.168.52.82


As a result, I could access the dedicated servers at 139.53.213.*, but I could not access anything in my LAN or the Internet even though the default gateway was set correctly in the routing table.

B. I have even flushed the routing table, just setting my original gateway with:


route -f add 0.0.0.0 mask 0.0.0.0 9.36.216.129


but it did not work either (no ping to my gateway, no access to anything in my LAN).

I tried some more senseless options; none of them worked: each time after establishing a connection to the VPN, there is no access to my LAN.

Is there any hope for me? Could anyone please help?

Thanks,
Nelis

PS. I did not play too much with routing before, so maybe I am making some basic, obvious mistake?

sirianthe3rd
04-11-11, 09:29 AM
Tell your IT depts that they need to add split-tunneling to their Cisco configs. It can be done on any modern Cisco platform.

For an ASA, it is 1 access-list and 2 group policy entries. Something like:
access-list vpn_splittunnel extended permit ip 192.168.1.0 255.255.255.0 any
group-policy vpnclient attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_splittunnel

You should be able to access remote and all other places then. Only the "interesting" traffic will go through the tunnel which in this case is anything to 192.168.1.0.

A router is similar, but slightly different.
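To make the two split-tunnel entries quoted in this thread (mblake4u's IOS ACL and sirianthe3rd's ASA access-list) concrete, here is an added Python example, not code from the original posts or from Cisco. It parses both syntaxes, applies the rule that the ACE's source is the network reached through the tunnel and its destination is the client pool, and answers "does this packet go into the tunnel?" for a given client address and destination. It also refuses a wildcard mask where a subnet mask is expected (and vice versa), which is the classic IOS-versus-ASA slip. The client addresses used in the demo (192.168.0.10, 10.10.10.5, 10.10.10.150) are constructed for the example.

```python
"""Evaluate Cisco split-tunnel ACL entries from the VPN client's point of view.
IOS extended ACLs take wildcard masks (0.0.0.255); ASA ACLs take subnet masks
(255.255.255.0).  In a split-tunnel list the ACE source is the network reachable
through the tunnel and the ACE destination is the VPN client address pool."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    protected: ipaddress.IPv4Network  # ACE source: reached through the tunnel
    clients: ipaddress.IPv4Network    # ACE destination: the VPN client pool


def prefix_from_mask(mask: str, wildcard: bool) -> int:
    """Prefix length for a contiguous mask; raise ValueError otherwise.
    Unlike ipaddress, this does not silently accept a wildcard where a
    netmask is expected, so a pasted IOS mask in an ASA line is caught."""
    bits = int(ipaddress.IPv4Address(mask))
    if wildcard:
        bits ^= 0xFFFFFFFF  # invert the wildcard into a netmask
    binary = format(bits, "032b")
    if "0" in binary.rstrip("0"):
        raise ValueError(f"non-contiguous mask {mask}")
    return binary.count("1")


def mask_ok(mask: str, wildcard: bool) -> bool:
    """True if mask is usable under the named syntax (wildcard or netmask)."""
    try:
        prefix_from_mask(mask, wildcard)
        return True
    except ValueError:
        return False


def _spec(tokens: list[str], wildcard: bool) -> tuple[ipaddress.IPv4Network, list[str]]:
    """Consume one address spec: 'any', 'host A', or 'A mask'; return the rest."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(f"{tokens[1]}/32"), tokens[2:]
    prefix = prefix_from_mask(tokens[1], wildcard)
    return ipaddress.IPv4Network(f"{tokens[0]}/{prefix}", strict=False), tokens[2:]


def parse_ios_ace(line: str) -> Ace:
    """'permit ip <src> <wildcard> <dst> <wildcard>' (body line of an IOS extended ACL)."""
    tokens = line.split()
    if tokens[:2] != ["permit", "ip"]:
        raise ValueError(f"unsupported IOS entry: {line}")
    protected, rest = _spec(tokens[2:], wildcard=True)
    clients, _ = _spec(rest, wildcard=True)
    return Ace(protected, clients)


def parse_asa_ace(line: str) -> Ace:
    """'access-list <name> extended permit ip <src> <mask> <dst> <mask>' (ASA)."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or tokens[2:5] != ["extended", "permit", "ip"]:
        raise ValueError(f"unsupported ASA entry: {line}")
    protected, rest = _spec(tokens[5:], wildcard=False)
    clients, _ = _spec(rest, wildcard=False)
    return Ace(protected, clients)


def is_tunneled(aces: list[Ace], client_ip: str, dst: str) -> bool:
    """Would a packet from client_ip to dst be sent into the tunnel?"""
    c = ipaddress.IPv4Address(client_ip)
    d = ipaddress.IPv4Address(dst)
    return any(d in a.protected and c in a.clients for a in aces)


# The two entries quoted in the thread.
IOS_ACE = "permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255"
ASA_ACE = "access-list vpn_splittunnel extended permit ip 192.168.1.0 255.255.255.0 any"

if __name__ == "__main__":
    ios = [parse_ios_ace(IOS_ACE)]
    asa = [parse_asa_ace(ASA_ACE)]
    # Constructed client addresses: 192.168.0.10 is in the IOS pool, 10.10.10.x is a made-up LAN.
    for aces, client, dst in [(ios, "192.168.0.10", "192.168.10.5"),
                              (ios, "192.168.0.10", "8.8.8.8"),
                              (asa, "10.10.10.5", "192.168.1.20"),
                              (asa, "10.10.10.5", "10.10.10.150")]:
        verdict = "tunnel" if is_tunneled(aces, client, dst) else "local / Internet"
        print(f"{client} -> {dst}: {verdict}")
    # An IOS wildcard pasted into an ASA line is rejected instead of being guessed at.
    print("ASA line with wildcard 0.0.0.255 valid?", mask_ok("0.0.0.255", wildcard=False))
```

Only traffic whose destination falls inside an ACE's source network is encrypted; everything else, including the client's own LAN and the Internet, stays local, which is exactly the behaviour the posts above describe once split tunneling is configured on the gateway.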

nelis
04-11-11, 11:48 AM
sirianthe3rd, thanks for the answer, but that's the point: I want to achieve it on my own *without* telling my client's IT dept.
I guess this whole topic is all about that: since we have admin rights on our machines, we should be able to modify the routing table the proper way, shouldn't we?

thanks,
nelis

ldzierza
06-15-11, 09:11 AM
Hello,
after connecting to the VPN network using Cisco VPN I don't have internet access.
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.2.254 192.168.2.99 10
0.0.0.0 0.0.0.0 10.128.181.161 10.128.181.162 11
10.128.181.160 255.255.255.224 On-link 10.128.181.162 266
10.128.181.162 255.255.255.255 On-link 10.128.181.162 266
10.128.181.191 255.255.255.255 On-link 10.128.181.162 266
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.2.0 255.255.255.0 On-link 192.168.2.99 266
192.168.2.0 255.255.255.0 10.128.181.161 10.128.181.162 266
192.168.2.99 255.255.255.255 On-link 192.168.2.99 266
192.168.2.99 255.255.255.255 10.128.181.161 10.128.181.162 266
192.168.2.254 255.255.255.255 On-link 192.168.2.99 100
192.168.2.255 255.255.255.255 On-link 192.168.2.99 266
193.43.77.106 255.255.255.255 192.168.2.254 192.168.2.99 100
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.2.99 266
224.0.0.0 240.0.0.0 On-link 10.128.181.162 266
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.2.99 266
255.255.255.255 255.255.255.255 On-link 10.128.181.162 266
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 10.128.181.161 1
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
1 306 ff00::/8 On-link
===========================================================================

How can I resolve this?

Thx,

Lechoo
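The three `route print` tables quoted in this thread (yambu's, zabzoo's and Lechoo's) can be read mechanically, and doing so shows what the VPN client changed: a second default route with a worse metric, and a second 192.168.2.0/24 entry with the same metric as the on-link one, so the local LAN has two equal-cost routes competing for it. The following Python is an added example, not code from the original posts or from Cisco; it parses the IPv4 "Active Routes" block and replays the host's selection rule (longest prefix first, then lowest metric). The sample table is a trimmed, constructed copy of Lechoo's output. Note that this only explains the routing-table half of the problem; the legacy Cisco client also enforces its tunnel policy in a filter driver below the routing table, which is why several posters found that route edits alone did not restore LAN access and why the durable fix is split tunneling on the gateway.

```python
"""Parse the IPv4 'Active Routes' section of Windows `route print` output
and replay the host's selection rule: longest prefix first, then lowest
metric.  The sample table is constructed from the output quoted in the thread."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str      # next-hop address, or "On-link" for a directly connected net
    interface: str    # local interface address the packet leaves from
    metric: int


# Constructed sample: a trimmed copy of the table Lechoo posted, keeping the
# second default route and the duplicate 192.168.2.0/24 entry the client injected.
ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.2.254     192.168.2.99     10
          0.0.0.0          0.0.0.0   10.128.181.161   10.128.181.162     11
   10.128.181.160  255.255.255.224         On-link    10.128.181.162    266
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
      192.168.2.0    255.255.255.0         On-link      192.168.2.99    266
      192.168.2.0    255.255.255.0   10.128.181.161   10.128.181.162    266
    192.168.2.254  255.255.255.255         On-link      192.168.2.99    100
    193.43.77.106  255.255.255.255    192.168.2.254     192.168.2.99    100
===========================================================================
Persistent Routes:
"""


def parse_routes(text: str) -> list[Route]:
    """Return the IPv4 routes listed under 'Active Routes:'."""
    routes: list[Route] = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("Active Routes:"):
            in_table = True
            continue
        if line.startswith("=") or line.startswith("Persistent Routes:"):
            in_table = False
            continue
        if not in_table:
            continue
        parts = line.split()
        if len(parts) != 5:
            continue  # column header, blank line, or an IPv6 row
        dest, mask, gateway, interface, metric = parts
        try:
            net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
            routes.append(Route(net, gateway, interface, int(metric)))
        except ValueError:
            continue  # not an IPv4 row
    return routes


def candidates(routes: list[Route], dst: str) -> list[Route]:
    """All routes covering dst, best first (longest prefix, then lowest metric)."""
    addr = ipaddress.IPv4Address(dst)
    matching = [r for r in routes if addr in r.network]
    return sorted(matching, key=lambda r: (-r.network.prefixlen, r.metric))


def best_route(routes: list[Route], dst: str) -> Route | None:
    found = candidates(routes, dst)
    return found[0] if found else None


def equal_cost_conflict(routes: list[Route], dst: str) -> bool:
    """True when the two best routes tie on prefix length and metric, i.e. the
    host has no single deterministic answer for dst (the symptom in the thread)."""
    found = candidates(routes, dst)
    if len(found) < 2:
        return False
    a, b = found[0], found[1]
    return a.network.prefixlen == b.network.prefixlen and a.metric == b.metric


if __name__ == "__main__":
    table = parse_routes(ROUTE_PRINT)
    for target in ("8.8.8.8", "192.168.2.10", "10.128.181.170"):
        r = best_route(table, target)
        hop = r.gateway if r.gateway != "On-link" else f"on-link via {r.interface}"
        flag = "  <-- equal-cost conflict" if equal_cost_conflict(table, target) else ""
        print(f"{target:>16} -> {r.network} {hop} metric {r.metric}{flag}")
```

Running it against your own `route print` output (paste it into `ROUTE_PRINT`) is a quick way to tell whether a LAN destination is being pulled into the tunnel by a more specific route, or whether it is a tie like the one above, before you touch the routing table at all.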

trinchas
08-30-11, 08:21 AM
I have a Cisco ASA configured to receive IPsec and L2TP tunnels, and authentication is done on an external server. The server assigns the IP after authentication, but the netmask is lost, and the routes that were supposed to be installed are not installed, leaving only a default route.
Can someone help me?

MichaelW
10-20-11, 12:58 PM
We are trying to access our LAN resources on our file server using the Cisco VPN client v5.0.6.0110 on the following subnet: 192.168.255.x. The server is on 192.168.255.x as well; the client is receiving an IP address on the 192.168.254.x subnet.
There is a route set up for 192.168.255.0 with SM 255.255.255.0.
Local LAN is "disabled".
The client can ping the server and connect to it using RDP. However, the server cannot ping back to the workstation.
Under "Bytes" we are NOT getting any RECEIVED bytes, ONLY SENT bytes.

If we change it so that the client gets an IP address on the same subnet, 192.168.255.x, it is unable to ping or RDP to the server on the same subnet.
We are able to ping outside to "google.ca", for instance.
Under "Bytes" we are getting RECEIVED bytes and SENT bytes.

Any thoughts on why this is not working? Any help is greatly appreciated...thank-you in advance...

Michael