Accessing LAN through Ethernet2 While VPN'ed using Ethernet1

Hey everyone, I'm trying to access a network share on my LAN through the second interface on my Mac. The first interface is being utilized by Cisco VPN to connect to my office.

I'm pretty familiar with routing tables from many years of Unix experience, but I can't seem to figure out how to specify that traffic going to 192.168.1.102 (my LAN network share) should go out of Ethernet 2 instead of Ethernet 1.

Does anyone have any ideas as to how I could do this?

Thanks in advance!

Macbook Pro early-2008, Mac OS X (10.6.2)

Posted on Apr 5, 2010 4:11 PM


Apr 5, 2010 4:19 PM in response to Paul133

There was a checkbox for "allow local LAN access". By default it was not enabled, which would prevent you from accessing anything outside the tunnel, including the second ethernet. (I don't have the Cisco software on my current Mac, so I can't tell you exactly where the setting is, if it's still there in the version you're using. 😟 )

BTW, that setting can be overridden by the VPN administrator, which is how my company's Cisco VPN endpoint is configured. (IOW, our VPN is configured to ignore the "allow local LAN access" setting.) So don't be surprised if it doesn't work.

Apr 5, 2010 5:28 PM in response to Paul133

...So do I not even need to have a second interface for this to work? I'm thinking I don't.


If it's not restricted by the VPN administrator, then your thinking is correct that you wouldn't need a second ethernet adapter (unless your "LAN" is on a different network segment than what the VPN is using, which is not the case for most people.)

But like I said, if the VPN admin has imposed the restriction, then you might not be able to access your network even if you have multiple ethernet adapters.

Apr 9, 2010 11:27 AM in response to AlanRicker

AlanRicker wrote:
Is this restriction about local LAN routing something that can be overcome with the Cisco VPN client or the internal OSX client or another 3rd party VPN client for the Mac? I can't get my IT department to do anything about this.


No, this is NOT a restriction controlled by the Mac. The restriction is done on the config of the VPN endpoint at your office by the VPN administrator(s). If the admin doesn't allow it, there's nothing you can do.

Apr 9, 2010 12:07 PM in response to Asatoran

Asatoran,

Thanks for the quick reply. That is my understanding too, that our IT group has set up our Cisco VPN concentrator to tell the VPN client to set up its IP routing to send all traffic through the VPN connection.

That seems to be what is being done if I dump my routing when I connect to the VPN (netstat -rn):
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            utun0              UCS         2        0  utun0
default            10.0.1.1           UGScI       1        0  en1
10.0.1/24          link#7             UCS         4        0  en1
10.0.1.1           0:1f:f3:43:f3:97   UHLWI       3      438  en1     721
10.0.1.2           0:21:e9:e3:56:2f   UHLWI       1     3636  en1     561
10.0.1.4           127.0.0.1          UHS         0        0  lo0
10.0.1.5           0:17:ab:e0:84:67   UHLWI       0        0  en1     725
10.0.1.255         ff:ff:ff:ff:ff:ff  UHLWbI      0        2  en1
12.71.251.131      10.0.1.1           UGHS        2        1  en1
17.151.16.23       utun0              UHW3I       0        0  utun0  3587
127                127.0.0.1          UCS         0        0  lo0
127.0.0.1          127.0.0.1          UH          0      109  lo0
150.158.41.6       utun0              UHWI       25       36  utun0
150.158.48.4       150.158.48.4       UH          0       11  utun0
169.254            link#7             UCS         0        0  en1
172.16.156/24      link#9             UC          0        0  vmnet8
172.16.184/24      link#8             UC          0        0  vmnet1

It seems to have inserted a new default route ahead of the one I have from my AirPort one (10.0.1.1).
The VPN network is 150.158. . on the utun0 connection.

My question is, is there a way to change the routing to what it was before so that only traffic intended for the 150.158. . network goes through the utun0 network?
I have read some stuff on the internet that talks about this, and tried some things, but haven't got it to work.

Since this kind of IP routing table stuff is controlled on the Mac itself, I don't see how the Cisco VPN router would be able to prevent me from doing this or am I missing something?

Do you or anyone have experience with setting up this IP routing stuff when you have multiple connections?

Alan
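To make the routing table in the post above easier to reason about, here is a small added Python example (not from this thread, and not Cisco's or Apple's code) that parses `netstat -rn` output and answers "which entry would carry a packet to address X?". It assumes macOS netstat conventions: abbreviated destinations such as `127` or `10.0.1/24` are classful/CIDR shorthand, `default` is 0.0.0.0/0, and the `I` flag marks an interface-scoped route that is only consulted for sockets bound to that interface (`man netstat` on macOS documents this flag). The sample input is the table from the post, embedded as a constant.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the IPv4 section of the `netstat -rn` dump quoted in the post.
NETSTAT_OUTPUT = """\
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            utun0              UCS         2        0  utun0
default            10.0.1.1           UGScI       1        0  en1
10.0.1/24          link#7             UCS         4        0  en1
10.0.1.1           0:1f:f3:43:f3:97   UHLWI       3      438  en1     721
10.0.1.2           0:21:e9:e3:56:2f   UHLWI       1     3636  en1     561
10.0.1.4           127.0.0.1          UHS         0        0  lo0
10.0.1.5           0:17:ab:e0:84:67   UHLWI       0        0  en1     725
10.0.1.255         ff:ff:ff:ff:ff:ff  UHLWbI      0        2  en1
12.71.251.131      10.0.1.1           UGHS        2        1  en1
17.151.16.23       utun0              UHW3I       0        0  utun0  3587
127                127.0.0.1          UCS         0        0  lo0
127.0.0.1          127.0.0.1          UH          0      109  lo0
150.158.41.6       utun0              UHWI       25       36  utun0
150.158.48.4       150.158.48.4       UH          0       11  utun0
169.254            link#7             UCS         0        0  en1
172.16.156/24      link#9             UC          0        0  vmnet8
172.16.184/24      link#8             UC          0        0  vmnet1
"""


@dataclass
class Route:
    destination: str            # as printed by netstat
    gateway: str
    flags: str
    netif: str
    expire: Optional[str]
    network: ipaddress.IPv4Network

    @property
    def scoped(self) -> bool:
        # Assumption: 'I' == RTF_IFSCOPE, i.e. only used by sockets bound to netif.
        return "I" in self.flags


def _to_network(dest: str) -> ipaddress.IPv4Network:
    """Expand netstat's shorthand ('default', '127', '10.0.1/24') to a CIDR network."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    if not plen:
        # No explicit length: a full address is a host route, a truncated one is classful.
        plen = "32" if len(octets) == 4 else str(8 * len(octets))
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + plen, strict=False)


def parse_netstat(text: str) -> List[Route]:
    """Parse the 'Internet:' (IPv4) section of `netstat -rn` into Route records, in order."""
    routes: List[Route] = []
    in_v4 = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Internet:":
            in_v4 = True
            continue
        if not in_v4:
            continue
        if not line or line.startswith("Internet6"):
            break                       # end of the IPv4 section
        if line.startswith("Destination"):
            continue                    # column header
        fields = line.split()
        if len(fields) < 6:
            continue
        dest, gw, flags, _refs, _use, netif = fields[:6]
        expire = fields[6] if len(fields) > 6 else None
        routes.append(Route(dest, gw, flags, netif, expire, _to_network(dest)))
    return routes


def default_routes(routes: List[Route]) -> List[Route]:
    """All 'default' entries, in table order (the first unscoped one is the one the kernel uses)."""
    return [r for r in routes if r.destination == "default"]


def lookup_route(routes: List[Route], ip: str, scope: Optional[str] = None) -> Optional[Route]:
    """Pick the entry that would carry traffic to `ip`.

    Longest prefix wins; interface-scoped entries are only eligible when the lookup is
    scoped to that interface (a socket bound to it), and then they beat an unscoped tie.
    Ties beyond that keep table order.
    """
    target = ipaddress.ip_address(ip)
    best, best_key = None, None
    for r in routes:
        if r.scoped and r.netif != scope:
            continue
        if target not in r.network:
            continue
        key = (r.network.prefixlen, r.scoped)
        if best_key is None or key > best_key:
            best, best_key = r, key
    return best


ROUTES = parse_netstat(NETSTAT_OUTPUT)

if __name__ == "__main__":
    for ip in ("192.168.1.102", "10.0.1.5", "150.158.48.4"):
        r = lookup_route(ROUTES, ip)
        print(f"{ip:15} -> {r.destination:15} via {r.gateway:18} {r.netif}")
    r = lookup_route(ROUTES, "192.168.1.102", scope="en1")
    print(f"bound to en1    -> {r.destination:15} via {r.gateway:18} {r.netif}")
```

Run against the post's table, the unscoped lookup for 192.168.1.102 (or any address outside the 10.0.1/24 and 127/8 entries) lands on the first `default` entry, i.e. utun0. The second `default` via 10.0.1.1 carries the `I` flag, so it only serves sockets explicitly bound to en1; that is why the AirPort gateway stays in the table yet ordinary traffic never uses it while the tunnel is up.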

Apr 9, 2010 12:35 PM in response to AlanRicker

Since this kind of IP routing table stuff is controlled on the Mac itself, I don't see how the Cisco VPN router would be able to prevent me from doing this or am I missing something?

Do you or anyone have experience with setting up this IP routing stuff when you have multiple connections?


I'm not good enough at this level of networking to fully understand all the technicals, but consider that Cisco would have thought of this already and so would be able to prevent such basic routing table hacking as part of their VPN protocol design. (Or at least make it much more difficult.) Cisco is the leader in networking so it should not be surprising that this is not a trivial matter. In that regard, I am partially relieved that it is not so simple to hack the Cisco VPN. 😉

I haven't tried this recently on my Mac, but on my PCs with the Cisco client for Windows, I have not been successful. The best I can do is use workarounds. For example, if I just need to access files, I copy to a USB drive. The biggest hassle is with network printers, for which there is no workaround except to attach by USB. (Not really an option if the printer is not in the same room.)

