
cisco vpn client v3.0.3; win2000 question


greg knopf

Feb 5, 2003, 4:39:22 PM
Hello,

On a Windows2000 box with one ethernet connection, is there
any way to run the Cisco VPN client, version 3.0.3, using
IPSEC through NAT mode, and still use other resources available through
the local LAN?

On my LAN we have a router performing NAT connecting to our ISP.
When I run the VPN client I am restricted to using the resource
that that is configured for (connecting to a remote network and telnetting
into it). I lose connectivity to our local Microsoft servers, local
TCP/IP resources and internet connectivity.

I thought that I would be able to load another TCP/IP driver/stack
and be able to access my non-VPN resources through that but I cannot.
Would anyone know of a way to do this?

Thanks for any help,

-gtk
gtk...@yahoo.com

Phillip Remaker

Feb 5, 2003, 8:38:10 PM

"greg knopf" <gtk...@yahoo.com> wrote in message
news:2645a5e8.0302...@posting.google.com...

> On a Windows2000 box with one ethernet connection, is there
> any way to run the Cisco VPN client, version 3.0.3, using
> IPSEC through NAT mode, and still use other resources available through
> the local LAN?

Yes. The concentrator administrator has to enable "split tunneling".

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_qanda_item09186a0080094cf4.shtml#Q25


joe

Feb 6, 2003, 12:28:41 AM
see inline


gtk...@yahoo.com (greg knopf) wrote in message news:<2645a5e8.0302...@posting.google.com>...


> Hello,
>
> On a Windows2000 box with one ethernet connection, is there
> any way to run the Cisco VPN client, version 3.0.3, using
> IPSEC through NAT mode, and still use other resources available through
> the local LAN?
>

ipsec thru nat mode just dictates how you transport IPSEC/ESP (IP protocol
50) over the public internet. In IPSEC/NAT mode it's inside UDP or TCP
packets.

This should not affect the local lan, as this property relates to
communication to the VPN 3030's ip, not to local hosts on the same
subnet/lan/local network.

> On my LAN we have a router performing NAT connecting to our ISP.
> When I run the VPN client I am restricted to using the resource
> that that is configured for (connecting to a remote network and telnetting
> into it). I lose connectivity to our local Microsoft servers, local
> TCP/IP resources and internet connectivity.

Make sure you have "allow local lan access" checked. I believe the
administrator has the final say whether or not clients can do local lan,
both by enabling or not enabling "split tunneling" in the concentrator
GROUP/CLIENT CONFIG. Without split tunneling you're stuck sending everything
thru the tunnel. You are only allowed to speak to your DEFAULT gateway, i.e.
the ISP ROUTER. Nothing you can do with the client will override this.

Your concentrator admin should be split tunneling, unless his security
policy overrides it. Also he can stop you from hitting your local lan
with a cisco client fw policy, although I can't remember if the 3.0.3
client supports FW policies or not...


>
> I thought that I would be able to load another TCP/IP driver/stack
> and be able to access my non-VPN resources through that but I cannot.
> Would anyone know of a way to do this?

I think you can have two nic cards and still get on the VPN with one nic,
and hit the local lan with the other nic. Deterministic network
adapter (the flux capacitor of the whole cisco 3000 client vpn
process) can be removed from the second "lan" nic. Try it. Just don't
use any USB NICs with the 3000 client. Bad history.

email me if you need help or post back here.
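
The routing behaviour discussed in this thread, as an added example that is not part of the original posts and is not Cisco's code: a simplified model of where a client sends each packet under tunnel-everything, local LAN access, and split tunneling policies. The class name, the policy fields and all addresses are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class TunnelPolicy:
    """Simplified, assumed model of a group policy pushed to the VPN client."""
    concentrator: str          # public IP of the concentrator (constructed)
    default_gateway: str       # local NAT router
    local_subnet: str          # the client's own LAN
    split_networks: list = field(default_factory=list)  # empty = tunnel everything
    allow_local_lan: bool = False

    def path_for(self, dest: str) -> str:
        ip = ipaddress.ip_address(dest)
        # The encapsulated IPsec packets must reach the concentrator outside the tunnel.
        if ip == ipaddress.ip_address(self.concentrator):
            return "direct"
        # The default gateway stays reachable so those packets can leave the LAN.
        if ip == ipaddress.ip_address(self.default_gateway):
            return "direct"
        if self.split_networks:
            # Split tunneling: only the listed networks are sent through the tunnel.
            hit = any(ip in ipaddress.ip_network(n) for n in self.split_networks)
            return "tunnel" if hit else "direct"
        # Tunnel everything, with an optional exception for the local subnet.
        if self.allow_local_lan and ip in ipaddress.ip_network(self.local_subnet):
            return "direct"
        return "tunnel"

# Constructed sample addresses (documentation and private ranges).
BASE = dict(concentrator="203.0.113.10", default_gateway="192.168.1.1",
            local_subnet="192.168.1.0/24")
POLICIES = {
    "tunnel-all": TunnelPolicy(**BASE),
    "local-lan": TunnelPolicy(**BASE, allow_local_lan=True),
    "split": TunnelPolicy(**BASE, split_networks=["10.0.0.0/8"]),
}
DESTS = {"local file server": "192.168.1.20", "remote telnet host": "10.1.2.3",
         "internet site": "198.51.100.7", "NAT router": "192.168.1.1"}

def compare():
    """Return {policy: {destination label: path}} for the sample hosts."""
    return {name: {label: p.path_for(ip) for label, ip in DESTS.items()}
            for name, p in POLICIES.items()}

if __name__ == "__main__":
    for name, paths in compare().items():
        print(name, paths)
```

Every "direct" entry is traffic that leaves the client without passing through the concentrator, which is why the choice between these policies rests with the concentrator administrator's security policy.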
