Anyconnect Split Tunneling with Local LAN Access

ecornwell
Level 2

Hello,

I've been driving myself nuts trying to get Anyconnect working with split tunneling and Local LAN Access.  We've had split tunneling working but I can't get Local LAN Access working at all.

On the Anyconnect client, "Enable Local LAN Access" is checked.

On the ASA, the group policy is set for "Tunnel Networks Below" and the Network List is set for an ACL that specifies our internal networks.

At first there was an overlap with the clients home network and our network list, a very broad subnet was used.  I refined the list to only include what was needed and the traffic doesn't go down the tunnel now but it dies at the host.  The PC used to get an error message from our core saying the destination wasn't reachable, now it comes from the interface on the PC.

I don't have a lot of experience with the ASA but I'm pretty sure it's configured correctly.  I've been reading as much as I can for the last few days and haven't been able to get it.

Thanks!

5 Replies

Hi,

You can make a quick test.

When the AnyConnect is connected, check the secured routes under the client properties to see which are the secured routes.

For example, when there's no split-tunneling you'll see 0.0.0.0

When using split-tunneling you see the protected networks accessible through the tunnel.

Just to help us confirm which traffic is going to be sent through the tunnel in your case.

You can post here the output of the relevant configuration for the split-tunneling/local-access on the ASA.

Federico.

When I looked earlier, I saw the routes we listed in the access list in the secured routes section and nothing in the unsecured.  I was mainly looking at the Un-secured so I didn't pay too much attention to the secured.  The route table on the PC looked good.

Here's the config from the ASA:

group-policy AnyConnectGP attributes
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split

access-list split extended permit ip x.x.y.0 255.255.252.0 10.x.x.0 255.255.255.0
access-list split extended permit ip x.x.8.0 255.255.248.0 10.x.x.0 255.255.255.0
access-list split extended permit ip x.x.16.0 255.255.240.0 10.x.x.0 255.255.255.0
access-list split extended permit ip x.x.32.0 255.255.224.0 10.x.x.0 255.255.255.0
access-list split extended permit ip x.x.64.0 255.255.192.0 10.x.x.0 255.255.255.0
access-list split extended permit ip x.x.128.0 255.255.128.0 10.x.x.0 255.255.255.0

Ok.

The ACL split lists traffic between the protected networks (behind the ASA), and the VPN pool assigned to the clients.

Is the local subnet (where the VPN client resides) part of this list (access-list split)?

Also just to know... what is it that you can't access locally when connected to the VPN?

For example... computers on the same subnet?

Federico.

The local subnet is not part of the access list, his subnet is 192.168.0.0/24.

Nothing on his local network is accessible, the main thing I'm trying to do is let him print to his wireless printer.

According to the split-tunneling policy, the client should be encrypting (sending through the tunnel) only traffic intended for the networks specified in the ACL split above.

Can you check the output of route print from the client PC?

And also make sure the secured routes under the VPN client show only the subnets in the ACL split?

Federico.
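The check Federico describes, comparing the ASA split-tunnel ACL with the client's local subnet, as an added example that is not part of the thread. It parses `access-list <name> extended permit ip` lines of the same shape as the config above (the internal networks are constructed placeholders, since the thread's own addresses are redacted), reports any secured route that overlaps the 192.168.0.0/24 home LAN, and tells whether a given destination would be tunneled under `tunnelspecified`.

```python
"""Compare an ASA split-tunnel ACL with an AnyConnect client's local LAN subnet."""
import ipaddress
import re

# Constructed sample in the shape of the thread's "access-list split" lines.
# The third entry deliberately covers the client's 192.168.0.0/24 home LAN,
# which is the overlap the original poster first ran into.
SAMPLE_ACL = """\
access-list split extended permit ip 172.16.0.0 255.255.252.0 10.99.1.0 255.255.255.0
access-list split extended permit ip 172.16.8.0 255.255.248.0 10.99.1.0 255.255.255.0
access-list split extended permit ip 192.168.0.0 255.255.0.0 10.99.1.0 255.255.255.0
"""

# Only the "permit ip <net> <mask> <net> <mask>" form is handled; host/any
# forms of the ASA ACL syntax are skipped by the regex.
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$"
)


def parse_split_acl(text, name="split"):
    """Return the source networks of the named ACL as ip_network objects.

    With 'split-tunnel-policy tunnelspecified', these are the networks the
    client installs as secured routes (the source side of each entry is the
    protected network behind the ASA, the destination side is the VPN pool).
    """
    nets = []
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m or m.group(1) != name:
            continue
        # ipaddress accepts "network/netmask" notation for IPv4
        nets.append(ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False))
    return nets


def local_lan_conflicts(secured, local_lan):
    """Secured routes that overlap the client's local subnet.

    Any hit means local-LAN traffic is claimed by the tunnel, so
    'Enable Local LAN Access' on the client cannot help for those hosts.
    """
    local = ipaddress.ip_network(local_lan, strict=False)
    return [n for n in secured if n.overlaps(local)]


def is_tunneled(secured, dst):
    """Would traffic to dst go through the tunnel under tunnelspecified?"""
    addr = ipaddress.ip_address(dst)
    return any(addr in n for n in secured)
```

Run `local_lan_conflicts(parse_split_acl(SAMPLE_ACL), "192.168.0.0/24")` against the real `show running-config access-list split` output to find the entry that has to be narrowed before Local LAN Access can work.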
