03-10-2011 08:30 AM - edited 02-21-2020 05:13 PM
Hello,
I've been driving myself nuts trying to get AnyConnect working with split tunneling and Local LAN Access. We've had split tunneling working but I can't get local LAN access working at all.
On the Anyconnect client, "Enable Local LAN Access" is checked.
On the ASA, the group policy is set for "Tunnel Networks Below" and the Network List is set for an ACL that specifies our internal networks.
At first there was an overlap between the client's home network and our network list, since a very broad subnet was used. I refined the list to only include what was needed and the traffic doesn't go down the tunnel now, but it dies at the host. The PC used to get an error message from our core saying the destination wasn't reachable; now it comes from the interface on the PC.
I don't have a lot of experience with the ASA but I'm pretty sure it's configured correctly. I've been reading as much as I can for the last few days and haven't been able to get it.
Thanks!
03-10-2011 09:37 AM
Hi,
You can make a quick test.
When the AnyConnect is connected, check the secured routes under the client properties to see which are the secured routes.
For example, when there's no split-tunneling you'll see 0.0.0.0
When using split-tunneling you see the protected networks accessible through the tunnel.
Just to help us confirm which traffic is going to be sent through the tunnel in your case.
You can post here the output of the relevant configuration for the split-tunneling/local-access on the ASA.
Federico.
03-10-2011 11:37 AM
When I looked earlier, I saw the routes we listed in the access list in the secured routes section and nothing in the unsecured. I was mainly looking at the unsecured routes, so I didn't pay too much attention to the secured ones. The route table on the PC looked good.
Here's the config from the ASA:
group-policy AnyConnectGP attributes
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
access-list split extended permit ip x.x.y.0 255.255.252.0 10.x.x.0 255.255.255.0
access-list split extended permit ip x.x.8.0 255.255.248.0 10.x.x.0 255.255.255.0
access-list split extended permit ip x.x.16.0 255.255.240.0 10.x.x.0 255.255.255.0
access-list split extended permit ip x.x.32.0 255.255.224.0 10.x.x.0 255.255.255.0
access-list split extended permit ip x.x.64.0 255.255.192.0 10.x.x.0 255.255.255.0
access-list split extended permit ip x.x.128.0 255.255.128.0 10.x.x.0 255.255.255.0
03-10-2011 11:41 AM
Ok.
The ACL split lists traffic between the protected networks (behind the ASA), and the VPN pool assigned to the clients.
Is the local subnet (where the VPN client resides) part of this list (access-list split)?
Also just to know... what is that you can't access locally when connected to the VPN?
For example... computers on the same subnet?
Federico.
03-10-2011 01:44 PM
The local subnet is not part of the access list; his subnet is 192.168.0.0/24.
Nothing on his local network is accessible. The main thing I'm trying to do is let him print to his wireless printer.
03-10-2011 01:47 PM
According to the split-tunneling policy, the client should be encrypting (sending through the tunnel) only traffic intended for the networks specified in the ACL split above.
Can you check the output of route print from the client PC?
And also make sure the secured routes under the VPN client show only the subnets in the ACL split?
Federico.
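As an added example (not from the thread or from Cisco), here is a small Python checker that reads an ASA split-tunnel ACL in the format posted above, derives the secured routes (the ACL's source networks, as Federico describes), and reports whether a client's local LAN such as 192.168.0.0/24 overlaps them. The addresses in SAMPLE_ACL are constructed and replace the x.x placeholders; the names are assumptions.

```python
"""Offline check of an ASA split-tunnel ACL against a client's local LAN."""
import ipaddress
import re

# Constructed sample: same shape as the thread's access-list, with the
# x.x placeholders replaced by made-up networks (not the poster's real ones).
SAMPLE_ACL = """
access-list split extended permit ip 172.20.0.0 255.255.252.0 10.10.10.0 255.255.255.0
access-list split extended permit ip 172.20.8.0 255.255.248.0 10.10.10.0 255.255.255.0
access-list split extended permit ip 172.20.16.0 255.255.240.0 10.10.10.0 255.255.255.0
access-list split extended permit ip 172.20.32.0 255.255.224.0 10.10.10.0 255.255.255.0
"""

ACL_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<smask>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<dmask>\d+\.\d+\.\d+\.\d+)"
)


def secured_routes(config: str, acl_name: str):
    """Return the source networks of the named ACL as ip_network objects.

    With split-tunnel-policy tunnelspecified, the ACL's source side
    (networks behind the ASA) becomes the client's list of secured routes.
    """
    routes = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group("name") == acl_name:
            net = f"{m.group('src')}/{m.group('smask')}"
            routes.append(ipaddress.ip_network(net, strict=False))
    return routes


def local_lan_conflicts(routes, local_lan: str):
    """Return the secured routes that overlap the client's local LAN.

    Any overlap pulls local-LAN traffic into the tunnel even when
    "Enable Local LAN Access" is checked on the client.
    """
    lan = ipaddress.ip_network(local_lan, strict=False)
    return [r for r in routes if r.overlaps(lan)]


def path_for(routes, destination: str) -> str:
    """Classify a destination as 'tunnel' or 'local' given the secured routes."""
    dst = ipaddress.ip_address(destination)
    return "tunnel" if any(dst in r for r in routes) else "local"
```

Running `local_lan_conflicts(secured_routes(config, "split"), "192.168.0.0/24")` against the real config reproduces the overlap check Federico asks about in the thread: an empty list means the local LAN is not covered by the ACL and the remaining problem lies on the client side.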