Using Cisco VPN and still have access to local network? Help please!

Discussion in 'Mac Apps and Mac App Store' started by rogersmj, Sep 6, 2007.

  1. rogersmj macrumors 68020

    rogersmj

    Joined:
    Sep 10, 2006
    Location:
    Indianapolis, IN
    #1
    This may be a rather advanced topic for these forums but I'm not sure where else to turn. When I'm working from home, I VPN into my office using the craptacular Cisco VPN software (fronted by Shimo on the Mac, so at least the interface is nicer). However, I lose access to my home network. I can no longer access my file server at home when I'm VPN'ed into the office.

    On Windows XP, there was an obscure option buried in the network connection properties that would basically tell the machine to also remain on the local network while connected to the VPN. I cannot find a way to do this with Cisco/OS X. I tried creating a second virtual Ethernet connection and manually assigning it a local IP address, thinking that perhaps the Cisco client would only monopolize the first Ethernet connection, but it still does not work. Does anyone have any ideas?
     
  2. mrfrosty macrumors 6502

    Joined:
    Oct 1, 2005
    #2
    You're describing split tunnelling. This is set as a policy on the concentrator (assuming they are using a Cisco concentrator / router), i.e. whether to allow it or not. I am pretty sure there is no way around it regardless of whether you tick the box on the VPN client you are using.
     
  3. daveschroeder macrumors 6502

    Joined:
    Sep 14, 2003
    Location:
    Madison, WI
    #3
    The connection profile you use must support something called "split tunneling", which only takes traffic destined for the network protected by the VPN over the VPN, and all other traffic goes over your non-VPN connection, including local traffic. We do split tunneling here with the Cisco VPN client on Mac OS X, and it works exactly as you're hoping, but it requires an additional connection profile and configuration on the VPN concentrator. When using this profile, all access to the local network as well as the VPN network and the internet at large is maintained.
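
Added example (not part of any post in this thread, and not Cisco's implementation): a simplified model of the full-tunnel versus split-tunnel behaviour described in post #3, using constructed routing tables and longest-prefix matching to show which interface carries each kind of traffic. The interface names, prefixes and addresses are assumptions made for the example.

```python
import ipaddress

VPN_IF = "utun0"   # assumed name of the VPN tunnel interface
LAN_IF = "en0"     # assumed name of the physical home-network interface

# Constructed routing tables: (destination prefix, outgoing interface).
# Simplified model: with the full-tunnel profile every route points into
# the tunnel, so the home LAN is no longer reachable directly.
FULL_TUNNEL = [
    ("0.0.0.0/0", VPN_IF),
    ("192.168.1.0/24", VPN_IF),
]
# With the split-tunnel profile only the office prefix goes into the tunnel;
# local and internet traffic stay on the non-VPN connection.
SPLIT_TUNNEL = [
    ("0.0.0.0/0", LAN_IF),
    ("192.168.1.0/24", LAN_IF),
    ("10.20.0.0/16", VPN_IF),
]


def egress_interface(table, destination):
    """Return the interface chosen by longest-prefix match, or None."""
    addr = ipaddress.ip_address(destination)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def tunnel_mode(table, vpn_if=VPN_IF):
    """Classify a table as 'none', 'full' or 'split' tunnel."""
    ifaces = {iface for _, iface in table}
    if vpn_if not in ifaces:
        return "none"
    # 'split' means the host is attached to the office network and to an
    # unfiltered network at the same time, which is what the policy forbids.
    return "full" if ifaces == {vpn_if} else "split"


if __name__ == "__main__":
    targets = {"home file server": "192.168.1.10",
               "office host": "10.20.5.5",
               "internet host": "203.0.113.7"}
    for name, table in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL)):
        print(name, "->", tunnel_mode(table))
        for label, ip in targets.items():
            print(f"  {label:17} {ip:14} via {egress_interface(table, ip)}")
```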
     
  4. rogersmj thread starter macrumors 68020

    rogersmj

    Joined:
    Sep 10, 2006
    Location:
    Indianapolis, IN
    #4
    Wow, thanks for the fast responses guys. Now I know what to ask the IT department for :)
     
  5. rogersmj thread starter macrumors 68020

    rogersmj

    Joined:
    Sep 10, 2006
    Location:
    Indianapolis, IN
    #5
    Those jerks...they said no. It apparently violates corporate security policy. Is split tunneling really a security liability? Or is this just them being too lazy to set something up (which happens a lot around here)?
     
  6. Mumford macrumors regular

    Joined:
    Oct 8, 2006
    Location:
    Altadena, CA
    #6
    If split-tunneling is enabled, your computer could potentially expose the company to dangerous traffic from your local net/the internet. This traffic would normally (presumably) be filtered at the company's firewalls.
     
  7. SMM macrumors 65816

    SMM

    Joined:
    Sep 22, 2006
    Location:
    Tiger Mountain - WA State
    #7
    You could add another network card and run two different TCP/IP stacks. I do this with my video at home. I have 3 PM's (2 PM's and a MP actually). I use them for video compression and do not want them contending with my other network traffic. I have never used an iMac, but it will accept another card, right?
     
  8. Queso macrumors G4

    Joined:
    Mar 4, 2006
    #8
    Yes, split tunnelling can potentially be a big problem if you or anyone else has multiple computers at home. Put it this way: if something nasty got into the corporate network down your VPN because they allowed you access to your home LAN, would you be the one working until 4am repairing, restoring and possibly rebuilding the servers whilst being called and shouted at by all the other home users who are now unable to work remotely?

    It wouldn't work. The policy closes off other interfaces on the machine too.
     
