2902 Views, 5 Helpful, 5 Replies

Anyconnect Local Lan Access + split tunnel exclude

buffkata
Level 1

Hi,

Recently we added zScaler IPs to our existing Local LAN Access ACL. The idea was that since this ACL is a split tunnel exclude it will exclude the zScaler IPs as well. This way RAVPN users will have their HTTP/s traffic protected by the cloud proxy and this will lower the load on the FTD edge firewall we use to provide Anyconnect VPN to users.

Unfortunately the zScaler traffic was excluded from the tunnel but users lost Local LAN Access - even though the ACL still has the following line and this should be allowed - but all Local traffic is directed to the VPN tunnel. (We tried moving the host 0.0.0.0 on top and bottom of the ACL but nothing changed.)

It would be nice if anyone has an idea if this is not permitted - this way I will stop searching the internet.


Accepted Solution


buffkata
Level 1

Thank you both for the reply. Unfortunately it was a mistake on my part - I forgot to check if users have the "Allow local (LAN) access when using VPN" box checked. They did not, and I also did not have it on (new PC). After checking the box the users were able to connect to the VPN, split tunnel for zScaler traffic worked as expected and they could also access their local LAN.

Capture-Allow Local LAN access.PNG
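For reference, this is what the two halves of the fix look like side by side: the head-end split-exclude list that carries both the local LAN entry and the cloud-proxy ranges, and the client-side profile setting the thread identifies as the missing piece. This is an added illustration in ASA CLI syntax, not the poster's configuration; the ACL name, group-policy name and tunnel-group name are assumptions, and the 203.0.113.0/24 and 198.51.100.0/24 ranges are documentation addresses standing in for the real zScaler prefixes.

```cisco
! Added example (not the poster's config). ASA syntax; on FTD the same
! objects are built in FMC / FDM rather than typed on the CLI.
!
! Split-exclude list: host 0.0.0.0 is the local-LAN entry, the other
! lines are placeholders for the cloud proxy ranges.
access-list SPLIT_EXCLUDE standard permit host 0.0.0.0
access-list SPLIT_EXCLUDE standard permit 203.0.113.0 255.255.255.0
access-list SPLIT_EXCLUDE standard permit 198.51.100.0 255.255.255.0
!
! Group policy: exclude (not include) the listed networks from the tunnel.
group-policy GP_RAVPN attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value SPLIT_EXCLUDE
!
! Bind the group policy to the remote-access tunnel group.
tunnel-group TG_RAVPN general-attributes
 default-group-policy GP_RAVPN
!
! The head end alone does not grant local-LAN access. The client must
! also have "Allow local (LAN) access when using VPN" enabled, which is
! controlled by this element of the AnyConnect client profile XML
! (set it to true, or leave it user-controllable and tick the box in
! the client Preferences tab):
!
!   <LocalLanAccess UserControllable="true">true</LocalLanAccess>
!
! After the change, have the client reconnect (the thread notes a
! reboot was needed) and confirm the excluded routes on the head end:
show vpn-sessiondb detail anyconnect
```

Keep in mind that everything matched by the exclude list bypasses the firewall's inspection entirely, so the proxy, not the FTD, is what protects the excluded HTTP/s traffic; on the client, the "Route Details" view lists the non-secured routes and is the quickest way to confirm the 0.0.0.0 entry actually arrived.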


5 Replies

balaji.bandi
Hall of Fame

I would expect on the ASA side the split tunnel ACL to be a separate match (not a standard ACL),

and attach the ACL to the AnyConnect config.


Refer to the documents below for an example:


https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/119006-configure-anyconnect-00.html

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215383-asa-anyconnect-dynamic-split-tunneling.html


BB


Mike.Cifelli
VIP Alumni

Unfortunately the zScaler traffic was excluded from the tunnel but users lost Local LAN Access - even though the ACL still has the following line and this should be allowed - but all Local traffic is directed to the VPN tunnel. (We tried moving the host 0.0.0.0 on top and bottom of the ACL but nothing changed.)

- I have used a standard ACL for local LAN access several times before, so IMO that is not the issue. Have you tested just the all-zeros entry to ensure the local LAN access works as expected first? What does AC depict when doing so?

I see the same behavior on another FTD - 2130 in ASA mode. 

Local Access is not working - but zScaler works. If I remove zScaler and leave only local access - Local Access is still not working.

Again this was caused by my mistake - it looks like I had to reboot the test PC after I made the change on the FTD. It looks like reconnecting to the VPN was not enough. Editing the original post, as I cannot delete the question, and maybe someone will find it useful.



Good stuff.

BB
