No local LAN while PIX VPN established.

Discussion in 'Cisco' started by just1coder, Oct 14, 2004.

  1. just1coder

    just1coder Guest

    Whilst my VPN is open via Cisco VPN Client 4.0.3, I can browse the
    remote LAN and move throughout the Internet without any trouble;
    however, I cannot see my local LAN.
     
    just1coder, Oct 14, 2004
    #1

  2. :Whilst my VPN is open via Cisco VPN Client 4.0.3, I can browse the
    :remote LAN and move throughout the Internet without any trouble;
    :however, I cannot see my local LAN.

    That is by design. In order to be able to see your local LAN,
    the security administrator of the remote site will have to enable
    "split tunneling" specifying what IP ranges you are allowed to access
    directly, -and- you would have to configure your client to request
    split tunneling.

    Not allowing access to the local LAN may have been a deliberate
    decision, to block the possibility of untrusted systems
    (e.g., on home PCs or on laptops that are often connected to
    LANs not under the security admin's control) being used as
    part of active "man in the middle" attacks. To explain briefly:

    The fact that you want to access your local LAN strongly implies there are
    computers there (though just networked printers is a possibility).
    Suppose one of those computers is infected with a trojan -- the security
    administrator doesn't know how good your local security is, but
    the security administrator can assume that if you -did- have a real
    firewall that you'd be connecting via the firewall rather than via
    the VPN client. Now suppose that trojan'd computer is being used to
    access your computer without you being aware. If you were allowed
    access to your local LAN, then your local LAN is also allowed access
    to you, so an intruder could reach through the trojan'd system,
    control your system, and use your trusted VPN tunnel to access what
    are supposed to be secured resources. Hence, a properly paranoid
    security administrator would only allow VPN clients access to their
    local LAN if the security administrator had good reason to trust that
    that local LAN was well secured.
     
    Walter Roberson, Oct 14, 2004
    #2
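
The reasoning in the reply above can be checked with a small routing model. This is an added example, not part of the thread and not Cisco's implementation: the addresses are constructed, the function names are hypothetical, and the model assumes the client tunnels either everything (no split tunneling) or only the networks on a split-tunnel list.

```python
import ipaddress

def egress(dst, tunneled_nets):
    """Where a VPN client sends traffic for dst while the tunnel is up.

    tunneled_nets=None models the no-split-tunnel policy: everything,
    including replies to local-LAN hosts, goes into the tunnel.
    Otherwise only destinations inside a listed network are tunneled.
    """
    if tunneled_nets is None:
        return "tunnel"
    addr = ipaddress.ip_address(dst)
    nets = [ipaddress.ip_network(n) for n in tunneled_nets]
    return "tunnel" if any(addr in n for n in nets) else "direct"

def exposure(local_hosts, tunneled_nets):
    """Local-LAN hosts that keep a two-way path to the client during the VPN.

    Each host returned here could relay an intruder to the client, which
    in turn holds tunnel access to the remote site.
    """
    return [h for h in local_hosts if egress(h, tunneled_nets) == "direct"]

# Constructed sample data (assumptions, not taken from the thread).
REMOTE_NETS = ["10.1.0.0/16"]                  # remote site behind the PIX
LOCAL_HOSTS = ["192.168.1.20", "192.168.1.35"] # printer and PC on the home LAN

def report():
    return {
        # No split tunneling: the local LAN is unreachable, as the poster saw.
        "full_tunnel": exposure(LOCAL_HOSTS, None),
        # Split tunneling: local hosts and the tunnel are reachable together.
        "split_tunnel": exposure(LOCAL_HOSTS, REMOTE_NETS),
        # Edge case: the tunneled range overlaps the home LAN, so local
        # hosts are still sent into the tunnel despite split tunneling.
        "overlapping_ranges": exposure(LOCAL_HOSTS, ["192.168.1.0/24"]),
    }

if __name__ == "__main__":
    for policy, hosts in report().items():
        print(f"{policy}: hosts with a direct path to the client = {hosts}")
```
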