cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1368
Views
5
Helpful
7
Replies

Deny Lan Access Anyconnect

InTheJuniverse
Level 1
Level 1

Hello

 

We are on anyconnect 4.9 and ASA 5516.

 

When users are connected to VPN using anyconnect, we want to maintain split tunneling and deny access to their local Lan (or access to corporate laptop from local lan), is this possible?

7 Replies 7

@InTheJuniverse you should have a configuration similar to below

 

ciscoasa(config)#access-list Local_LAN_Access remark Client Local LAN Access
ciscoasa(config)#access-list Local_LAN_Access standard permit host 0.0.0.0

this is used for Local LAN access, if you do not wish to permit this access remove it.

 

Refer to this cisco guide on how to setup and do the opposite to unconfigure, the guide is CLI and ASDM so you should be able to work out the steps to remove that configuration.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/70847-local-lan-pix-asa.html

 

Thank you.

 

So, if 'Allow local Lan' access is removed, all traffic is tunnelled?

@InTheJuniverse that configuration is in addition to your split tunnel configuration, so it depends on what the rest of your configuration. Provide the configuration if you wish it to be reviewed.

 
 
 

split.png

 

it's a simple split tunnel. In the ACL we added some corporate subnets.

 

group-policy SSLVPN internal
group-policy SSLVPN attributes
dns-server value 20.1.1.1
dhcp-network-scope 20.200.65.0
vpn-tunnel-protocol ssl-client
group-lock value SSLVPN
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_ACL
default-domain value xxxxxxxxxx
split-dns value xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
webvpn
anyconnect profiles value Anyconnect-SSLVPN type user

@InTheJuniverse what is the configuration of "Split_ACL"?

access-list Split_ACL standard permit 20.0.0.0 255.0.0.0
access-list Split_ACL standard permit 141.127.0.0 255.255.0.0
access-list Split_ACL standard permit 172.19.0.0 255.255.0.0

ASA(config-group-policy)#split-tunnel-policy excludespecified

ASA(config-group-policy)#split-tunnel-network-list value Local_LAN_Access

try this way instead of permit the Core LAN, deny the local LAN and make other go through tunnel.

 

 

Review Cisco Networking for a $25 gift card