Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
22529
Views
0
Helpful
1
Replies

Allow Local (LAN) Access when using VPN (if configured) -- Not Working As Expected

JimBob03268
Level 1
Level 1

‎04-01-2021 02:13 PM

  • Settings.PNGUsers have their AnyConnect .xml profile set to not allow local LAN access when the VPN is connected.
  • Split-tunneling is configured via AnyConnect and is working fine.
  • The split tunnel policy is set to tunnelspecified.
  • Test user is able to connect to machines on his local (home) network segment, which uses a network ID that is not specified by the tunnel config.

How is this possible? My understanding is that (a) split-tunneling should not work if this setting is disabled, as internet destinations (for example) cannot use the local LAN adapter, and (b) the user should not be able to access systems on their local LAN??

I verified that any client-side tools like web proxy clients etc. are disabled and this behavior persists.

Is there a gap in my understanding? Why is this happening?

Labels:
0 Helpful
1 Reply 1

Mike.Cifelli
VIP Alumni
VIP Alumni

‎04-06-2021 05:51 AM

Here is some information to better assist your understanding between split tunneling and local lan access:

Split tunneling & Local Lan Access are two separate things. From within AnyConnect: If you look at VPN 'Statistics' tab, under tunnel mode (v4) it will either say tunnel all traffic or show you what is configured for split tunneling. Also, if you go to 'Route Details' tab you should see a secured routes all 0s meaning everything is secured & tunneled over vpn or specific prefixes hinting that split tunneling is enabled.

To clarify more, Split tunneling allows use to specifically configure what traffic is sent over the vpn tunnel, and what traffic is unencrypted and sent over internet via local network GW. 

Local LAN Access is a hybrid solution that tunnels all traffic over VPN (encrypted), but local network access is allowed & unencrypted. Note though that the local network access is restricted to that subnet only. Essentially once configured & allowed, "Allow local LAN access" automatically detects and permits the local LAN connectivity, while tunneling & securing everything else.  HTH!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents