22 June 2011

How to bypass Cisco VPN client LAN restriction

There is a lot of VPN client software. Windows has a built-in client, and there are a bunch of third-party products, for example the Cisco VPN client.

The Cisco VPN client has an annoying feature: the VPN provider can decide whether local network access is allowed or not. From the VPN provider's perspective this is of course a good feature, since it increases security, but from my perspective it is bad.
In other words, it may not matter whether the Allow Local LAN Access box in the client is checked or not.

One good workaround: use another VPN client that is compatible with Cisco. I have tried and successfully used the Shrew Soft VPN Client. It can import a Cisco VPN profile file (pcf file), and it can also be configured to override the VPN provider settings:
Just go to the Policy tab in the Shrew Soft VPN client and add an exclude filter. I wanted to access my entire 10.10.XXX.XXX network, so I added an exclude filter for 10.10.0.0 with netmask 255.255.0.0. Be careful that your local area network IP range doesn't collide with services you would like to use on the VPN.
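The collision warning above is easy to check before applying a filter. The following Python is an added example, not code from this post or from Shrew Soft: it compares a proposed exclude filter against a constructed list of routes a VPN client might push, lists the VPN prefixes the filter would overlap, and resolves a few destinations with plain longest-prefix matching. The route list, the interface names and the longest-prefix-match model of how overlapping filters are resolved are all assumptions.

```python
import ipaddress

# Constructed sample of routes a VPN client might install (prefix, interface).
# These are assumptions for the example, not a real Cisco or Shrew Soft config.
VPN_ROUTES = [
    ("10.10.20.0/24", "vpn"),  # a server subnet that only exists behind the tunnel
    ("10.20.0.0/16", "vpn"),
    ("0.0.0.0/0", "vpn"),      # this client also grabs the default route
]

# The exclude filter from the post: whole 10.10.0.0/16 via the local LAN.
LOCAL_EXCLUDE = "10.10.0.0/16"


def takes_default_route(vpn_routes):
    """True if the VPN client replaced the default route (all traffic tunnelled)."""
    return any(ipaddress.ip_network(p).prefixlen == 0 for p, _ in vpn_routes)


def collisions(exclude, vpn_routes):
    """VPN prefixes that overlap the exclude filter.

    A default route is skipped: it always overlaps and excluding part of it is
    exactly the intent. Anything else returned is a VPN service you might lose.
    """
    ex = ipaddress.ip_network(exclude)
    return [
        str(net)
        for net in (ipaddress.ip_network(p) for p, _ in vpn_routes)
        if net.prefixlen > 0 and ex.overlaps(net)
    ]


def route_for(dst, exclude, vpn_routes):
    """Interface a destination would use under longest-prefix matching.

    The exclude filter is modelled as one extra route via "lan". This is a
    simplified assumption about how a client resolves overlapping entries.
    """
    addr = ipaddress.ip_address(dst)
    table = [(ipaddress.ip_network(p), via) for p, via in vpn_routes]
    table.append((ipaddress.ip_network(exclude), "lan"))
    best = None
    for net, via in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else "lan"


if __name__ == "__main__":
    print("default route tunnelled:", takes_default_route(VPN_ROUTES))
    print("collisions:", collisions(LOCAL_EXCLUDE, VPN_ROUTES))
    for host in ("10.10.1.5", "10.10.20.5", "10.20.1.1", "8.8.8.8"):
        print(host, "->", route_for(host, LOCAL_EXCLUDE, VPN_ROUTES))
```

With this sample, 10.10.20.0/24 is reported as a collision: the VPN's more specific route still wins for 10.10.20.5, while the rest of 10.10.0.0/16 goes to the LAN.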

I got the tip from this post: http://serverfault.com/questions/126458/unable-to-access-local-network-when-cisco-vpn-client-is-connected

12 comments:

  1. I've always wanted to know how to do this thank you very much.
    US VPN

  2. This is great! Thank you!

    I am a remote worker. I have 5 monitors on my desk. I was looking to use a solution like Input Director or Synergy to make a seamless transition between monitors and machines. So far my employer's VPN has made this impossible without multiple mice and keyboards.

    This seems to be a great solution. I can't wait to try it!!!

  3. You can also bypass it by split tunneling. The thing to look at is whether the VPN client you are using will set the default route to its VPN client address, or only add network routes to its networks and leave the default route to your router/ISP alone.

    eCommerce Hosting for everyone.

  4. I was very excited when I came across this, but unfortunately for me it didn't work. I tried to set the exclude filter with IP 10.1.1.0 and mask 255.255.255.0, but still wasn't able to access 10.1.1.2. Is there any other configuration that needs to be done?

  5. Well, the connection seems OK, but I can't access any resources on the network, so somehow my employer either seems to recognize and block the Shrew Soft client or the client doesn't work in all cases.

  6. Thanks for the great info. Is there a way to only tunnel remote desktop through the VPN? I want to use my local network + my internet while being able to Remote Desktop over the VPN.

  7. Shrew VPN doesn't support two authentications. I connect to the Cisco VPN with a username and password and then I have to enter a secret key to complete the VPN connection. The Shrew VPN client doesn't prompt for the key or have any input where I can preload it.

  8. Thank you! I've been unable to listen to music over AirPlay or use my wireless printer thanks to Cisco, but now I'm VPNed and rocking out at the same time.

  9. Thanks Lennart. Great Tip. Good finding!

  10. Thanks, it helped. One thing to highlight: I was using 2 networks at that time, i.e. Local Area Connection and wireless LAN (for Internet). When I give the LAN IP for exclusion, it puts the IP through the wireless interface (that is also used for VPN), but at least I can run 2 networks at the same time.
