11-30-2020 03:29 AM
Hello Cisco Community,
I'm facing a problem in my Anyconnect setup:
Context: VPN connectivity based on Cisco Anyconnect client 4.9.01095 + Cisco ASAv 9.12(4)7
Problem:
my setup requires split tunneling to exclude cloud services from the VPN tunnel, plus access to the local LAN on specific ports (for local printing and access to specific resources; I need an ACL to protect what is granted).
I can't make it work:
- the client profile has the option "Local Lan Access" enabled
- I've added 0.0.0.0/32 (in addition to the other cloud services) to my split-tunneling extended ACL:
----------------------
access-list Split-tunneling-excluded-networks remark Exclude Zscaler nodes from VPN
access-list Split-tunneling-excluded-networks remark Source IPs are taken into account (Destination IPs are ignored)
access-list Split-tunneling-excluded-networks extended permit ip object-group Grp_Zscaler_nodes any
access-list Split-tunneling-excluded-networks extended permit ip object-group Grp_Webex_networks any
access-list Split-tunneling-excluded-networks remark Exclude Zscaler nodes from VPN
access-list Split-tunneling-excluded-networks extended permit ip object-group Grp_Teams_networks any
access-list Split-tunneling-excluded-networks remark Local access
access-list Split-tunneling-excluded-networks extended permit ip host 0.0.0.0 any
------------------------
- I've configured this ACL to be used as Excluded in the group policy:
group-policy GrpPolicy-XXXXXX attributes
split-tunnel-policy excludespecified
split-tunnel-network-list value Split-tunneling-excluded-networks
split-tunnel-all-dns disable
=> at this point, my split tunneling is working fine, including access to the entire local LAN (the route details in the client show all my cloud service networks plus my local LAN in the Non-secured routes section).
Now I'm trying to add, on top of this setup, a specific ACL to restrict access on the local LAN to specific IPs/ports:
- I've created a specific extended ACL to filter some IPs:
------------------
access-list Network_ACL_Allow_SWLT_Printers extended permit ip any4 object home-server-test
access-list Network_ACL_Allow_SWLT_Printers extended deny ip any4 object home-network-test
access-list Network_ACL_Allow_SWLT_Printers extended permit ip any4 object-group DM_INLINE_NETWORK_4
-------------------
- I'm using this ACL in the client firewall section of the group policy, on the Public Network rule:
group-policy GrpPolicy-XXXXXX attributes
split-tunnel-policy excludespecified
split-tunnel-network-list value Split-tunneling-excluded-networks
split-tunnel-all-dns disable
webvpn
anyconnect firewall-rule client-interface public value Network_ACL_Allow_SWLT_Printers
=> Doing this, my split-tunneling configuration disappears!
=> If I choose the built-in local printing ACL proposed by ASDM, it has no effect: split tunneling is working fine, but the local LAN access is not filtered by this ACL (i.e. full access is still possible).
Is there anything I've missed? Is what I'm trying to achieve possible?
Thank you for your help,
Robin
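A model of the policy described in the post above, added here as an illustration and not code from this thread or from Cisco: it parses the two ACLs quoted above with a minimal ASA-style parser, derives the client's non-secured routes for `split-tunnel-policy excludespecified` (the source side of each permit ACE, with `host 0.0.0.0` standing in for the client's own LAN when Local LAN Access is enabled), and then evaluates the public-interface client-firewall ACL first-match over the traffic that bypasses the tunnel. The object-group contents, the LAN prefix and the client address are constructed placeholders (documentation ranges, not real provider prefixes); treating deny ACEs in the split-tunnel list as ignored and assuming an implicit deny at the end of the pushed client rules are modelling assumptions. It reproduces the verdicts one would expect from the configuration, not the ASA's or AnyConnect's actual implementation.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
Rule = Tuple[str, List[Net], List[Net]]  # (action, source nets, destination nets)

# Constructed placeholders (RFC 5737 documentation ranges, NOT real provider
# prefixes) standing in for the objects/object-groups named in the post.
OBJECTS: Dict[str, List[str]] = {
    "Grp_Zscaler_nodes": ["203.0.113.0/24"],
    "Grp_Webex_networks": ["198.51.100.0/24"],
    "Grp_Teams_networks": ["192.0.2.0/24"],
    "home-server-test": ["192.168.1.10/32"],   # the printer / server to allow
    "home-network-test": ["192.168.1.0/24"],   # the rest of the home LAN
    "DM_INLINE_NETWORK_4": ["203.0.113.0/24", "198.51.100.0/24", "192.0.2.0/24"],
}
LOCAL_LAN = Net("192.168.1.0/24")                  # assumed LAN the client sits on
CLIENT_IP = ipaddress.ip_address("192.168.1.50")   # assumed client address

def _endpoint(tok: List[str], i: int) -> Tuple[List[Net], int]:
    """Consume one ACE endpoint at tok[i]; return (networks, index after it)."""
    t = tok[i]
    if t in ("any", "any4"):
        return [Net("0.0.0.0/0")], i + 1
    if t == "host":
        return [Net(tok[i + 1] + "/32")], i + 2
    if t in ("object", "object-group"):
        return [Net(n) for n in OBJECTS[tok[i + 1]]], i + 2
    return [Net(f"{t}/{tok[i + 1]}", strict=False)], i + 2   # A.B.C.D netmask

def parse_acl(text: str) -> List[Rule]:
    """Minimal parser for 'access-list NAME extended permit|deny ip SRC DST'.
    Remarks are skipped; protocols other than ip are not modelled."""
    rules: List[Rule] = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or "remark" in tok:
            continue
        a = tok.index("permit") if "permit" in tok else tok.index("deny")
        src, j = _endpoint(tok, a + 2)    # tok[a + 1] is the protocol keyword
        dst, _ = _endpoint(tok, j)
        rules.append((tok[a], src, dst))
    return rules

def nonsecured_routes(split_acl: List[Rule], local_lan: Net) -> List[Net]:
    """Model of 'split-tunnel-policy excludespecified': the client bypasses the
    tunnel for the SOURCE side of every permit ACE (destinations are ignored, as
    the remark in the post says; deny ACEs are assumed to be ignored). The
    pseudo-host 0.0.0.0, with Local LAN Access enabled in the client profile,
    stands for the client's own LAN and is substituted here with local_lan."""
    routes: List[Net] = []
    for action, srcs, _ in split_acl:
        if action == "permit":
            routes.extend(local_lan if n == Net("0.0.0.0/32") else n for n in srcs)
    return routes

def first_match(acl: List[Rule], src, dst) -> str:
    """First-match ACL evaluation ending in an implicit deny (an assumption
    for the client-firewall rules pushed to AnyConnect)."""
    for action, srcs, dsts in acl:
        if any(src in n for n in srcs) and any(dst in n for n in dsts):
            return action
    return "deny"

def evaluate(dst_ip: str, split_acl: List[Rule], public_acl: List[Rule],
             client_ip=CLIENT_IP, local_lan: Net = LOCAL_LAN) -> Tuple[str, Optional[str]]:
    """Return ('tunnel', None) if the packet enters the VPN (where a vpn-filter
    on the ASA, not the client firewall, would apply) or ('bypass', verdict),
    where verdict is what the public-interface client-firewall rule decides."""
    dst = ipaddress.ip_address(dst_ip)
    if not any(dst in r for r in nonsecured_routes(split_acl, local_lan)):
        return ("tunnel", None)
    return ("bypass", first_match(public_acl, client_ip, dst))

SPLIT_ACL = parse_acl("""
access-list Split-tunneling-excluded-networks remark Exclude Zscaler nodes from VPN
access-list Split-tunneling-excluded-networks extended permit ip object-group Grp_Zscaler_nodes any
access-list Split-tunneling-excluded-networks extended permit ip object-group Grp_Webex_networks any
access-list Split-tunneling-excluded-networks extended permit ip object-group Grp_Teams_networks any
access-list Split-tunneling-excluded-networks remark Local access
access-list Split-tunneling-excluded-networks extended permit ip host 0.0.0.0 any
""")
PUBLIC_ACL = parse_acl("""
access-list Network_ACL_Allow_SWLT_Printers extended permit ip any4 object home-server-test
access-list Network_ACL_Allow_SWLT_Printers extended deny ip any4 object home-network-test
access-list Network_ACL_Allow_SWLT_Printers extended permit ip any4 object-group DM_INLINE_NETWORK_4
""")

def demo() -> Dict[str, Tuple[str, Optional[str]]]:
    """Verdicts for the printer, another LAN host, an excluded cloud node and
    an internal resource (10.0.0.5 is a constructed corporate address)."""
    return {ip: evaluate(ip, SPLIT_ACL, PUBLIC_ACL)
            for ip in ("192.168.1.10", "192.168.1.20", "203.0.113.7", "10.0.0.5")}

if __name__ == "__main__":
    for ip, verdict in demo().items():
        print(f"{ip:>14}: {verdict}")
```

Two things the model makes visible: the third ACE of the client ACL has to cover the excluded cloud networks, because under an implicit deny the bypassed Zscaler/Webex/Teams traffic would otherwise be blocked on the public interface; and traffic to an internal resource never reaches the client-firewall rule at all, which is why a `vpn-filter` on the ASA (the suggestion in the next reply) and a client-side public-interface rule address different traffic.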
11-30-2020 04:53 AM
The config you use to apply the firewall rules is meant to control the local host firewall on the PC.
To control which traffic is allowed through the tunnel, you have to apply the ACL as a vpn-filter:
group-policy GrpPolicy-XXXXXX attributes
 vpn-filter value Network_ACL_Allow_SWLT_Printers
11-30-2020 05:00 AM
Hello Karsten,
thank you for your reply. I'm not trying to filter the traffic going inside the VPN (this traffic will be controlled at another security layer), but the traffic reaching the local LAN. That's why I'm trying to use the local host firewall.
Robin
11-30-2020 03:38 PM
access-list ALL_EXCEPT permit host 0.0.0.0
access-list ALL_EXCEPT permit 192.168.1.0 0.0.0.0   ! this network will be excluded
!
group-policy attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value ALL_EXCEPT
try the above config
12-01-2020 02:17 AM
Hello,
thank you for your reply. Maybe I'm wrong, but I don't see the point of doing this:
- the purpose of the first line, "access-list ALL_EXCEPT permit host 0.0.0.0", is to allow local access (outside the VPN) to the local networks, in a dynamic way, which is perfect for me
- the second line, "access-list ALL_EXCEPT permit 192.168.1.0 0.0.0.0", does the same, but not dynamically. Hence it won't cover all my use cases.
Also, this part is working. What is not working is the combination of this split-tunneling setup with the ACL on the local client firewall.
Regards,
Robin
12-04-2020 07:10 AM
Hello,
any idea on how to solve the "combination of this split-tunneling setup with the ACL on the local client firewall"?
Thanks,
Robin
12-05-2020 09:37 AM
A solution, I hope.
But this local LAN access is not through the VPN tunnel; I just want to make you notice this.
12-07-2020 12:28 AM
Hello,
thank you for your reply. Unfortunately, it doesn't cover all my needs: this link explains how to configure access to the local LAN and provides FULL access to the LAN. In my context, I need to be able to filter it (so probably with a local client ACL) and to have split tunneling for cloud services. This entire setup, I cannot manage to achieve...
Robin