11-25-2015 10:13 AM - edited 02-21-2020 08:34 PM
Hello All,
I upgraded ASA version from 9.1(2) to 9.3(2). My AnyConnect was set up according to http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/70847-local-lan-pix-asa.html for Local Lan Access. Prior to upgrade I could see under Route Details the Unsecured Routes of my Local Lan. After the upgrade I can no longer see this, only that 0.0.0.0/0 is a secured route, and I cannot access Local Lan. The original 'permit 0.0.0.0' was removed and I cannot add it back, the ASA is now telling me that I have to use 'any4' to represent this.
I have added it back in but to no avail.
group-policy GroupPolicy_xxxx attributes
banner value ---- WARNING ----
banner value This is a private network. Unauthorized use is prohibited.
banner value Use of this network constitutes consent to monitoring.
wins-server none
dns-server value 10.151.1.6 8.8.8.8
vpn-tunnel-protocol ssl-client
split-tunnel-policy excludespecified
ipv6-split-tunnel-policy excludespecified
split-tunnel-network-list value xxxx_LocalLan_acl
default-domain value xxxx.com
address-pools value AnyConnectPool
I have tried the following for xxxx_LocalLan_acl:
access-list xxxx_LocalLan_acl extended permit ip object AnyConnectObject any4
access-list xxxx_LocalLan_acl standard permit any4
access-list xxxx_LocalLan_acl extended permit any4 any4
access-list xxxx_LocalLan_acl extended deny ip object AnyConnectObject any4
access-list xxxx_LocalLan_acl standard deny any4
access-list xxxx_LocalLan_acl extended deny any4 any4
The client profiles have 'Allow Local LAN Access' enabled and clients cannot turn this off.
01-21-2016 01:00 AM
Hi Solomon
Did you find a solution to this?
I ran into this problem after I upgraded an ASA to 9.3. To allow Local LAN Access, you're right about the 'split-tunnel-policy excludespecified' and 'split-tunnel-network-list value xxxx_LocalLan_acl'.
But what you need to add into the ACL is:
access-list xxxx_LocalLan_acl standard permit host 0.0.0.0
or
access-list xxxx_LocalLan_acl standard permit 0.0.0.0 255.255.255.255
But my problem is that the ASA 9.3 won't accept the 'host 0.0.0.0'; as far as I found out, it's because of a bug in the ASA software.
CSCut31315
https://tools.cisco.com/bugsearch/bug/CSCuw57991
Did you find a solution? I haven't yet, except up/downgrade.
Regards Bo
03-17-2016 01:25 PM
Negative. I opened a TAC case and requested a Bug report, but nothing came of it. I rolled back to 9.1.6 for now.
07-08-2016 04:59 AM
Sorry for digging out old threads. You can use local lan access with an extended access list with a host object with the IP 0.0.0.0 as source.
Unfortunately I didn't find out how to do this with IPv6.
object network obj-0.0.0.0
host 0.0.0.0
access-list LOCAL-LAN-ACCESS extended permit ip object obj-0.0.0.0 any4
07-15-2016 07:32 AM
I think I have found a working configuration (running 9.4.6.2):
access-list acl-remVPN-splitv4v6 remark remote VPN with local LAN access: split network list
access-list acl-remVPN-splitv4v6 extended permit ip host 0.0.0.0 any4
access-list acl-remVPN-splitv4v6 extended permit ip host :: any6
group-policy VPNusers_with_dual_stack_and_local_LAN_access attributes
split-tunnel-policy excludespecified
ipv6-split-tunnel-policy excludespecified
split-tunnel-network-list value acl-remVPN-splitv4v6
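A small added audit script (not from this thread or from Cisco) that parses an ASA running-config excerpt and reports, per group policy, whether the split-tunnel network list actually carries the host 0.0.0.0 / host :: source entries that the posts above found necessary for local LAN exclusion, for both the inline 'host' form and the 'object network' form from the earlier post; an 'any4' source is reported as not exempting the local LAN, as this thread observed. The config below is constructed for the example and only the extended-ACL form is checked.

```python
import re

# Constructed sample: the thread's working dual-stack ACL plus a policy still on the 'any4' form.
SAMPLE_CONFIG = """\
access-list acl-remVPN-splitv4v6 extended permit ip host 0.0.0.0 any4
access-list acl-remVPN-splitv4v6 extended permit ip host :: any6
access-list xxxx_LocalLan_acl extended permit ip object AnyConnectObject any4
group-policy VPNusers_with_dual_stack_and_local_LAN_access attributes
 split-tunnel-policy excludespecified
 ipv6-split-tunnel-policy excludespecified
 split-tunnel-network-list value acl-remVPN-splitv4v6
group-policy GroupPolicy_xxxx attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value xxxx_LocalLan_acl
"""

def parse_config(text):
    """Return (host_objects, acls, group_policies) from an ASA config excerpt."""
    objects, acls, policies, section, name = {}, {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("access-list "):
            acls.setdefault(line.split()[1], []).append(line)
        elif line.startswith("object network "):
            section, name = "object", line.split()[2]
        elif line.startswith("group-policy ") and line.endswith(" attributes"):
            section, name = "policy", line.split()[1]
        elif section == "object" and line.startswith("host "):
            objects[name] = line.split()[1]            # object network X / host A.B.C.D
        elif section == "policy" and raw.startswith(" "):
            key, _, val = line.partition(" ")          # drop the 'value' keyword
            policies.setdefault(name, {})[key] = val.replace("value ", "", 1)
    return objects, acls, policies

def exempts_local_lan(ace, objects, addr):
    """True if the ACE source is 'host <addr>' or a network object resolving to it."""
    m = re.search(r"permit ip (?:host (\S+)|object (\S+)) any[46]$", ace)
    return bool(m) and (m.group(1) or objects.get(m.group(2))) == addr

def local_lan_status(text):
    """Per group policy: is the local LAN excluded from the tunnel for IPv4 / IPv6?"""
    objects, acls, policies = parse_config(text)
    status = {}
    for pol, attrs in policies.items():
        aces = acls.get(attrs.get("split-tunnel-network-list", ""), [])
        has = lambda addr: any(exempts_local_lan(a, objects, addr) for a in aces)
        v4 = attrs.get("split-tunnel-policy") == "excludespecified" and has("0.0.0.0")
        v6 = attrs.get("ipv6-split-tunnel-policy") == "excludespecified" and has("::")
        status[pol] = {"ipv4": v4, "ipv6": v6}
    return status
```

Feed it the output of 'show running-config' (or the relevant excerpt); a policy reporting False for a family still tunnels local LAN traffic for that family.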
07-15-2016 07:50 AM
Hi swasserroth
Yes, with this configuration it works for IPv6 too.
01-21-2016 01:32 AM
You should be using a "standard" acl, not an extended one. And it should only have the destination networks listed, and change it to being an inclusion policy.
For example:
split-tunnel-policy tunnelspecified
access-list xxxx_LocalLan_acl standard permit 10.0.0.0 255.0.0.0