02-11-2013 02:48 PM - edited 03-04-2019 06:59 PM
Hi all,
I have a question on this VPN example:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702992.shtml
Could you please explain to me a little more in depth how a client using this route 0.0.0.0/255.255.255.255 can route packets on its local network?
Thanks a lot!
02-11-2013 08:50 PM
Hello Chris,
In this scenario what you are seeing is known as a tunnel-all (meaning all traffic will be encrypted and sent over the VPN tunnel). If you look for something different, then you must configure a split tunnel policy (this will let the router only encrypt traffic from the clients when it goes to x.x.x.x {you define this via an ACL}). Then local traffic or even internet traffic can be sent using the local network (default gateway, etc.).
Example of this setup on a router:
In this scenario on our VPN router we have a LAN network of 192.168.10.0/24 that we want our VPN users to access; that is all we want them to access. We want them to be able to go to the internet and to access their local printers, servers, etc. locally (not going over the VPN tunnel). For that I need the following setup:
webvpn context julio
acl Split
permit ip any 192.168.10.0 0.0.0.255
exit
policy group Julio_CCIE
acl Split
Example of the setup on an ASA:
access-list Split permit 192.168.10.0 255.255.255.0
group-policy VPN internal
group-policy VPN attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split
With this setup the same will happen.
On the link you provided they show a way to make it happen as well, and it basically says encrypt everything but the LAN network traffic using the ACL... I have used it in the past and it definitely works, so you should not face any issues.
Regards
02-12-2013 02:11 AM
Thanks a lot for your reply and the example you offered me; however, I would like to know how and whether the 0.0.0.0 255.255.255.255 route helps the same, correct?
Could you please explain to me a little bit more how this route entry matches only the local LAN network and not the remote network also?
Thanks a lot!
02-12-2013 07:44 AM
Hello,
Yes, I know it's confusing because of the ACL structure,
but just focus on the fact that the ACL says the following:
This ACL will configure the AnyConnect client to exclude the network the client is on, without having to define the actual network.
So that route says: exclude the LAN traffic from the VPN traffic.
That's all
Regards,
Remember to rate all of the helpful posts
02-12-2013 07:51 AM
Thanks for your help; all these were clear enough for me since I opened this post. The only thing which is not so obvious to me is the explanation of how the route 0.0.0.0 255.255.255.255 routes only packets for the local LAN and not for the remote also, because e.g. the IP 10.10.10.2 can match totally with the above route!
What do you think ?
02-12-2013 08:04 AM
Hello Chris,
No..... 0.0.0.0 with a netmask of 255.255.255.255 will only match the 0.0.0.0/32 host IP address..
Again, this is just to let you know the LAN traffic will not get encrypted, so as soon as you see that route you need to understand that the LAN traffic will not go over the VPN tunnel. No need to worry about matching any other traffic, as it's a 0.0.0.0/32 address that matches (and it's used just to make reference to this feature).
Regards
02-12-2013 08:16 AM
Let me know if I am wrong on this:
0.0.0.0/32 means that there is a match with all host IPs, because if you execute the XOR function between the 0.0.0.0/32 and 10.10.10.1, there is a specific match! Also there is a specific match with 192.168.10.1.
I can only imagine that there is a metric change, which means if two routes match exactly, the VPN one will finally be preferred!
What do you think ?
02-12-2013 08:18 AM
Hello Chris,
0.0.0.0 0.0.0.0 matches any route.
0.0.0.0 255.255.255.255 would only match a host with the IP address of 0.0.0.0 and a netmask of 32.
So they are different, and the one we see will not cover the LAN.
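To make the matching rule the thread argues about concrete, here is an added Python example (not from this thread and not from the Cisco configuration guide it links) that implements the mask-based route/ACL comparison and a split-tunnel decision for the kind of list shown in the router and ASA configs earlier in the thread. It assumes standard IPv4 mask semantics, that IOS ACL wildcard masks (0.0.0.255) are the bitwise inverse of subnet masks (255.255.255.0), and uses the ASA group-policy keywords tunnelall, tunnelspecified and excludespecified; the destination addresses fed to it are constructed for illustration.

```python
import ipaddress
from typing import Iterable, Tuple


def to_int(dotted: str) -> int:
    """Dotted-quad IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_to_netmask(wildcard: str) -> str:
    """IOS ACL wildcard masks are the bitwise inverse of a subnet mask
    (assumption stated in the lead-in): 0.0.0.255 -> 255.255.255.0."""
    return str(ipaddress.IPv4Address(to_int(wildcard) ^ 0xFFFFFFFF))


def prefix_length(netmask: str) -> int:
    """Count the set bits of a netmask: 255.255.255.255 -> 32, 0.0.0.0 -> 0."""
    return bin(to_int(netmask)).count("1")


def matches(addr: str, network: str, netmask: str) -> bool:
    """Route/ACL match: only the bits selected by the mask are compared.

    Written with XOR to mirror the check discussed above: the XOR of address
    and network must be zero *within the masked bits*. With a /32 mask every
    bit is compared, so 0.0.0.0/32 matches the single host 0.0.0.0 and
    nothing else; with a /0 mask no bit is compared, so 0.0.0.0/0 matches
    every address.
    """
    m = to_int(netmask)
    return ((to_int(addr) ^ to_int(network)) & m) == 0


def should_tunnel(dst: str, split_list: Iterable[Tuple[str, str]], policy: str) -> bool:
    """Decide whether traffic to dst goes over the VPN under a split-tunnel policy.

    policy is one of the ASA split-tunnel-policy keywords:
      tunnelall        - everything is encrypted and sent over the tunnel
      tunnelspecified  - only destinations in split_list are tunnelled
      excludespecified - everything except split_list is tunnelled
    split_list holds (network, netmask) pairs.
    """
    if policy == "tunnelall":
        return True
    hit = any(matches(dst, net, mask) for net, mask in split_list)
    if policy == "tunnelspecified":
        return hit
    if policy == "excludespecified":
        return not hit
    raise ValueError(f"unknown split-tunnel policy: {policy}")


# The list from the ASA example in the thread (192.168.10.0 255.255.255.0);
# the IOS form "permit ip any 192.168.10.0 0.0.0.255" converts to the same entry.
SPLIT_LIST = [("192.168.10.0", wildcard_to_netmask("0.0.0.255"))]


def decisions(policy: str) -> dict:
    """Constructed destinations: remote LAN host, a client-LAN host, an internet host."""
    return {
        dst: should_tunnel(dst, SPLIT_LIST, policy)
        for dst in ("192.168.10.50", "10.10.10.2", "8.8.8.8")
    }


if __name__ == "__main__":
    # The two routes compared in the thread, evaluated against a few addresses.
    for route_mask in ("0.0.0.0", "255.255.255.255"):
        plen = prefix_length(route_mask)
        for addr in ("0.0.0.0", "10.10.10.1", "192.168.10.1"):
            print(f"0.0.0.0/{plen:<2} vs {addr:<13} -> {matches(addr, '0.0.0.0', route_mask)}")
    for policy in ("tunnelall", "tunnelspecified", "excludespecified"):
        print(policy, decisions(policy))
```

The XOR form makes the disagreement in the thread visible: XOR(0.0.0.0, 10.10.10.1) is 10.10.10.1, which is not zero, so under a 255.255.255.255 mask there is no match; only under the all-zero mask, where the AND discards every bit, does the comparison succeed for any address.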
02-12-2013 08:29 AM
Thanks a lot for your replies, it's clear now!!
02-12-2013 09:12 AM
Hello Chris,
My pleasure, Sir,
Have a good one
Julio