ASA 9.3(2) AnyConnect Local Lan Access

Solomon Sands
Beginner

Hello All,

I upgraded ASA version from 9.1(2) to 9.3(2).  My AnyConnect was set up according to http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/70847-local-lan-pix-asa.html for Local Lan Access.  Prior to upgrade I could see under Route Details the Unsecured Routes of my Local Lan.  After the upgrade I can no longer see this, only that 0.0.0.0/0 is a secured route, and I cannot access Local Lan.  The original 'permit 0.0.0.0' was removed and I cannot add it back, the ASA is now telling me that I have to use 'any4' to represent this.

I have added it back in but to no avail.

group-policy GroupPolicy_xxxx attributes
 banner value ---- WARNING ----
 banner value This is a private network. Unauthorized use is prohibited.
 banner value Use of this network constitutes consent to monitoring.
 wins-server none
 dns-server value 10.151.1.6 8.8.8.8
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy excludespecified
 ipv6-split-tunnel-policy excludespecified
 split-tunnel-network-list value xxxx_LocalLan_acl
 default-domain value xxxx.com
 address-pools value AnyConnectPool

I have tried the following for xxxx_LocalLan_acl:

access-list xxxx_LocalLan_acl extended permit ip object AnyConnectObject any4

access-list xxxx_LocalLan_acl standard permit any4

access-list xxxx_LocalLan_acl extended permit any4 any4

access-list xxxx_LocalLan_acl extended deny ip object AnyConnectObject any4

access-list xxxx_LocalLan_acl standard deny any4

access-list xxxx_LocalLan_acl extended deny any4 any4

The Client profiles have 'Allow Local Lan Access' enabled and clients cannot turn this off

6 Replies

girafskind
Beginner

Hi Solomon

Did you find a solution to this?

I ran into this problem after I upgraded an ASA to 9.3. To allow Local Lan Access, you're right about the 'split-tunnel-policy excludespecified' and 'split-tunnel-network-list value xxxx_LocalLan_acl'.

But what you need to add into the ACL is:

access-list xxxx_LocalLan_acl standard permit host 0.0.0.0

or

access-list xxxx_LocalLan_acl standard permit 0.0.0.0 255.255.255.255

But my problem is that the ASA 9.3 won't accept the 'host 0.0.0.0'. As far as I found out, it's because of a bug in the ASA software.

CSCut31315

https://tools.cisco.com/bugsearch/bug/CSCuw57991

Did you find a solution? I haven't yet, except up/downgrade

Regards Bo

Negative.  I opened a TAC case and requested a Bug report, but nothing came of it.  I rolled back to 9.1.6 for now. 

Sorry for digging out old threads. You can use local lan access with an extended access list with a host object with the IP 0.0.0.0 as source.

Unfortunately I didn't find out how to do this with IPv6

object network obj-0.0.0.0
 host 0.0.0.0
access-list LOCAL-LAN-ACCESS extended permit ip object obj-0.0.0.0 any4

I think I have found a working configuration (running 9.4.6.2):

access-list acl-remVPN-splitv4v6 remark remote VPN with local LAN access: split network list
access-list acl-remVPN-splitv4v6 extended permit ip host 0.0.0.0 any4
access-list acl-remVPN-splitv4v6 extended permit ip host :: any6

group-policy VPNusers_with_dual_stack_and_local_LAN_access attributes
split-tunnel-policy excludespecified
ipv6-split-tunnel-policy excludespecified
split-tunnel-network-list value acl-remVPN-splitv4v6

Hi swasserroth

Yes, with this configuration it works for IPv6 too.

Philip D'Ath
Advisor

You should be using a "standard" acl, not an extended one.  And it should only have the destination networks listed, and change it to being an inclusion policy.

For example:

split-tunnel-policy tunnelspecified
access-list xxxx_LocalLan_acl standard permit 10.0.0.0 255.0.0.0
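The thread shows the same split-tunnel list written several ways, and only some of them produce the "Unsecured Routes" the original poster was missing. The script below is an added example (not code from the thread, Cisco, or any poster): it parses a constructed ASA config fragment assembled from the entries quoted above, works out for each group-policy whether its `excludespecified` list carries the Local LAN marker (`host 0.0.0.0` / `0.0.0.0 255.255.255.255` for IPv4, `host ::` for IPv6), flags wildcard entries such as `permit any4` that exclude every destination rather than just the local LAN, and lists the networks carried by a `tunnelspecified` inclusion list like the one in the last reply. It assumes, consistent with the working entries in this thread, that the first address field of an extended ACE is the split network, and that only `permit` entries define split networks; `object` references such as `AnyConnectObject` are left unresolved.

```python
import ipaddress
import re

# Constructed ASA configuration fragment assembled from the entries quoted in this
# thread (not a dump from a real device); object AnyConnectObject is left unresolved.
SAMPLE_CONFIG = """\
access-list acl-remVPN-splitv4v6 remark remote VPN with local LAN access: split network list
access-list acl-remVPN-splitv4v6 extended permit ip host 0.0.0.0 any4
access-list acl-remVPN-splitv4v6 extended permit ip host :: any6
access-list xxxx_LocalLan_acl standard permit any4
access-list xxxx_LocalLan_acl extended deny ip object AnyConnectObject any4
access-list corp_only standard permit 10.0.0.0 255.0.0.0
group-policy VPNusers_with_dual_stack_and_local_LAN_access attributes
 split-tunnel-policy excludespecified
 ipv6-split-tunnel-policy excludespecified
 split-tunnel-network-list value acl-remVPN-splitv4v6
group-policy GroupPolicy_xxxx attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value xxxx_LocalLan_acl
group-policy GroupPolicy_corp attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value corp_only
"""

ACE_RE = re.compile(r"^access-list (\S+) (standard|extended) (permit|deny) (.+)$")
WILDCARDS = {"any", "any4", "any6"}


def classify_address(tokens):
    """Classify the split network named by an ACE's first address field.
    Assumption (matches the working entries in this thread): for extended ACEs
    the source field is the split network."""
    first = tokens[0]
    if first in WILDCARDS:
        return "wildcard", first
    if first == "object":
        return "object", tokens[1]          # named object, not resolved here
    if first == "host":
        net = ipaddress.ip_network(tokens[1])
    elif "/" in first:
        net = ipaddress.ip_network(first, strict=False)
    else:
        net = ipaddress.ip_network(f"{first}/{tokens[1]}", strict=False)  # addr + netmask
    # host 0.0.0.0 (or 0.0.0.0 255.255.255.255) and host :: are the Local LAN markers
    if net.prefixlen == net.max_prefixlen and int(net.network_address) == 0:
        return f"local-lan-v{net.version}", str(net)
    return "network", str(net)


def parse_config(text):
    """Return ({acl_name: [(action, kind, value)]}, {policy_name: {...}})."""
    acls, policies, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = ACE_RE.match(line)
        if m:
            name, style, action, rest = m.groups()
            tokens = rest.split()
            if style == "extended":
                tokens = tokens[1:]          # drop the protocol token (ip, tcp, ...)
            acls.setdefault(name, []).append((action, *classify_address(tokens)))
            continue
        if line.startswith("group-policy ") and line.endswith(" attributes"):
            current = line.split()[1]
            policies[current] = {"policy": None, "ipv6_policy": None, "list": None}
        elif current and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            if key == "split-tunnel-policy":
                policies[current]["policy"] = value
            elif key == "ipv6-split-tunnel-policy":
                policies[current]["ipv6_policy"] = value
            elif key == "split-tunnel-network-list":
                policies[current]["list"] = value.split()[-1]   # "value NAME"
    return acls, policies


def analyze(text):
    """Report, per group-policy, what its split-tunnel network list actually does."""
    acls, policies = parse_config(text)
    report = {}
    for name, p in policies.items():
        entries = acls.get(p["list"], [])
        permits = [(k, v) for a, k, v in entries if a == "permit"]
        kinds = {k for k, _ in permits}
        r = {
            "policy": p["policy"],
            "local_lan_v4": "local-lan-v4" in kinds,
            "local_lan_v6": "local-lan-v6" in kinds,
            "networks": [v for k, v in permits if k == "network"],
            "findings": [],
        }
        f = r["findings"]
        # Assumption: only permit entries define split networks; deny entries add nothing.
        f += [f"deny entry on {v} defines no split network" for a, _, v in entries if a == "deny"]
        if p["policy"] == "excludespecified":
            if not r["local_lan_v4"]:
                f.append("no 'permit host 0.0.0.0' entry: IPv4 Local LAN Access is not offered")
            if p["ipv6_policy"] == "excludespecified" and not r["local_lan_v6"]:
                f.append("no 'permit host ::' entry: IPv6 Local LAN Access is not offered")
            f += [f"wildcard '{v}' excludes every destination from the tunnel, not just the local LAN"
                  for k, v in permits if k == "wildcard"]
        elif p["policy"] == "tunnelspecified":
            f += [f"{v} is the exclude-list Local LAN marker; in an inclusion list it tunnels nothing"
                  for k, v in permits if k.startswith("local-lan")]
        report[name] = r
    return report


if __name__ == "__main__":
    for policy, result in analyze(SAMPLE_CONFIG).items():
        print(policy, result)
```

Run against a `show running-config` capture instead of `SAMPLE_CONFIG` to check a real device: a group-policy with `excludespecified` should come back with `local_lan_v4` (and `local_lan_v6` when the IPv6 policy is also exclude) set and no findings, which is exactly the shape of the 9.4.6.2 configuration posted above.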
