Allow Local (LAN) Access when using VPN (if configured) -- Not Working As Expected
Users have their AnyConnect .xml profile set to not allow local LAN access when the VPN is connected.
Split-tunneling is configured via AnyConnect and is working fine.
The split tunnel policy is set to tunnelspecified.
Test user is able to connect to machines on his local (home) network segment, which uses a network ID that is not specified by the tunnel config.
How is this possible? My understanding is that (a) split-tunneling should not work if this setting is disabled, as internet destinations (for example) cannot use the local LAN adapter, and (b) the user should not be able to access systems on their local LAN?
I verified that any client-side tools like web proxy clients etc. are disabled and this behavior persists.
Is there a gap in my understanding? Why is this happening?
Here is some information to help you better understand the difference between split tunneling and local LAN access:
Split tunneling & Local LAN Access are two separate things. From within AnyConnect: if you look at the VPN 'Statistics' tab, under tunnel mode (v4) it will either say tunnel all traffic or show you what is configured for split tunneling. Also, if you go to the 'Route Details' tab you should see either secured routes of all 0s, meaning everything is secured & tunneled over the VPN, or specific prefixes, hinting that split tunneling is enabled.
To clarify more, split tunneling allows us to specifically configure what traffic is sent over the VPN tunnel, and what traffic is unencrypted and sent over the internet via the local network GW.
Local LAN Access is a hybrid solution that tunnels all traffic over the VPN (encrypted), but local network access is allowed & unencrypted. Note though that the local network access is restricted to that subnet only. Essentially, once configured & allowed, "Allow local LAN access" automatically detects and permits the local LAN connectivity, while tunneling & securing everything else. HTH!
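As an added illustration (not part of the original thread and not Cisco's code), the following Python model shows why the two settings behave differently: under `tunnelspecified` only the listed prefixes are sent through the tunnel and everything else, including the home subnet, is routed by the local stack regardless of the "Allow local LAN access" setting; under tunnel-all, that setting is the only thing that lets the directly connected subnet bypass the tunnel. The secured-route prefixes, local subnet and destination addresses are constructed sample values, and the helper names are mine.

```python
"""
Model of AnyConnect forwarding decisions under split tunneling versus
Local LAN Access. Added example; assumptions are labelled inline.
"""
import ipaddress

# Constructed sample values (not from the thread): corporate prefixes that
# would appear as "Secured Routes" under tunnelspecified, and the client's
# home subnet.
SECURED_ROUTES = ["10.0.0.0/8", "172.16.0.0/12"]
LOCAL_LAN = "192.168.1.0/24"


def classify(dst, policy, secured_routes, local_lan, allow_local_lan):
    """Return where a destination is forwarded: 'tunnel', 'local-lan' or 'local-gw'.

    policy:          'tunnelall' or 'tunnelspecified'
    secured_routes:  CIDR strings that must traverse the tunnel
    local_lan:       CIDR string of the subnet the client adapter sits on
    allow_local_lan: the profile's "Allow local LAN access" setting
    """
    ip = ipaddress.ip_address(dst)
    lan = ipaddress.ip_network(local_lan, strict=False)

    if policy == "tunnelall":
        # Secured route is 0.0.0.0/0: everything goes through the tunnel,
        # except the directly connected subnet when Local LAN Access is on.
        if allow_local_lan and ip in lan:
            return "local-lan"
        return "tunnel"

    if policy == "tunnelspecified":
        # Only listed prefixes are tunneled. Anything else never touches the
        # tunnel, so the Local LAN Access setting does not come into play.
        for prefix in secured_routes:
            if ip in ipaddress.ip_network(prefix, strict=False):
                return "tunnel"
        return "local-lan" if ip in lan else "local-gw"

    raise ValueError(f"unknown policy {policy!r}")


def compare_policies(allow_local_lan):
    """Classify a few constructed destinations under both policies.

    Returns {name: (result under tunnelall, result under tunnelspecified)}.
    """
    destinations = {
        "corp-server": "10.1.2.3",        # inside a secured prefix
        "home-printer": "192.168.1.50",   # on the local LAN
        "internet-host": "198.51.100.7",  # neither
    }
    return {
        name: (
            classify(ip, "tunnelall", ["0.0.0.0/0"], LOCAL_LAN, allow_local_lan),
            classify(ip, "tunnelspecified", SECURED_ROUTES, LOCAL_LAN, allow_local_lan),
        )
        for name, ip in destinations.items()
    }


if __name__ == "__main__":
    for setting in (False, True):
        print(f"Allow local LAN access = {setting}")
        for name, (all_mode, split_mode) in compare_policies(setting).items():
            print(f"  {name:14s} tunnelall={all_mode:9s} tunnelspecified={split_mode}")
```

Running it shows the behaviour from the question: with Local LAN Access disabled, `home-printer` is still reachable under `tunnelspecified` because its subnet is simply not in the secured routes, while under tunnel-all it is only reachable once the setting is enabled. To verify the live client, compare the "Secured Routes" list on the Route Details tab against the subnet the user's adapter is on.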