topic Re: Anyconnect Local Lan Access + split tunnel exclude in Network Security

Anyconnect Local Lan Access + split tunnel exclude

buffkata — Fri, 22 Oct 2021 00:16:52 GMT

Hi,

Recently we added zScaler IPs to our existing Local LAN Access ACL. The idea was that since this ACL is a split tunnel exclude it will exclude the zScaler IPs as well. This way RAVPN users will have their HTTP/s traffic protected by the cloud proxy and this will lower the load on the FTD edge firewall we use to provide Anyconnect VPN to users.

Unfortunately the zScaler traffic was excluded from the tunnel but users lost Local LAN Access - even though the ACL still has the following line and this should be allowed - but all Local traffic is directed to the VPN tunnel. (We tried moving the host 0.0.0.0 on top and bottom of the ACL but nothing changed.)

It would be nice if anyone has an idea if this is not permitted - this way I will stop searching the internet 🙂

Re: Anyconnect Local Lan Access + split tunnel exclude

balaji.bandi — Fri, 22 Oct 2021 05:15:49 GMT

i would expect on the ASA side the split tunnel ACL to be separate match, (not standard ACL)

and attach the ACL to any connect config.

example :

refer below document for example :

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/119006-configure-anyconnect-00.html

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215383-asa-anyconnect-dynamic-split-tunneling.html

Re: Anyconnect Local Lan Access + split tunnel exclude

Mike.Cifelli — Fri, 22 Oct 2021 12:10:26 GMT

-I have used a standard acl for local lan access several times before so IMO that is not the issue. Have you tested just the all zeros to ensure the local lan access works as expected first? What does AC depict when doing so?

Re: Anyconnect Local Lan Access + split tunnel exclude

buffkata — Fri, 22 Oct 2021 15:31:27 GMT

Thank you both for the reply. Unfortunately it was a mistake on my part - I forgot to check if users have the Allow local(LAN) access when using VPN .......they did not and I also did not have it on ( new PC). After checking the box the users were able to connect to the VPN, splt tunnel for zScaler traffic worked as expected and also access their local LAN.

Re: Anyconnect Local Lan Access + split tunnel exclude

balaji.bandi — Fri, 22 Oct 2021 16:21:19 GMT

Good stuff.

Re: Anyconnect Local Lan Access + split tunnel exclude

buffkata — Thu, 24 Mar 2022 19:23:48 GMT

I see the same behavior on another FTD - 2130 in ASA mode.

Local Access is not working - but zScaler works. If I remove zScaler and leave only local access - Local Access is still not working.

Again this was caused by my mistake - it looks like I had to reboot the test PC - after I made the change on the FTD. It looks like reconnecting to the VPN was not enough. Editing the original post -as I cannot delete the question, and maybe someone will find it useful.