cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
2020
Views
0
Helpful
7
Replies
Matthew Martin
Contributor

ASA Access-List with 0.0.0.0/32?

Hello All,

 

ASA: v9.4(1)

AnyConnect: v4.5

 

According to the AnyConnect 4.5 Release Notes (*click for explanation). The section: "New Split Include Tunnel Behavior (CSCum90946)" says that, formerly, in order for the split-tunnel to tunnel a client's traffic to their local subnet (*while on AnyConnect VPN), and the split-include network was a Supernet of a Local Subnet, the local subnet traffic was not tunneled unless a split-include network that exactly matches the Local Subnet was configured.

 

The link above explains that you need to include a Deny statement at the top of the split tunnel ACL for 0.0.0.0/32. But, no matter how I try to write this, it fails with invalid IP Address.

 

ASA(config)# access-list AnyConnect_splitTunnelAcl deny 0.0.0.0 255.255.255.255
ERROR: invalid IP address
ASA(config)#
ASA(config)# access-list AnyConnect_splitTunnelAcl standard deny 0.0.0.0 255.255.255.255
ERROR: invalid IP address

 

Any ideas how you're expected to include a deny for 0.0.0.0/32 in the ASA's Split-Tunnel ACL for AnyConnect?

Our current Split-Tunnel ACL looks like:

access-list AC_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list AC_splitTunnelAcl standard permit 192.168.0.0 255.255.0.0

Thanks in Advance,

Matt

1 ACCEPTED SOLUTION

Accepted Solutions

Just wanted to add this because we finally figured it out.

 

The version of the ASA we were on, 9.4(1), didn't allow me to add that IP in the ACL. We upgraded the ASA to 9.4(4)20 and now we are able to use that command.

 

i.e.

access-list AnyConnect_TestAcl standard deny 0.0.0.0 255.255.225.255


-Matt

View solution in original post

7 REPLIES 7
Rob Ingram
VIP Mentor

Hi Matt,

From my notes, this is what I had defined and this worked.

access-list LOCAL_LAN_ACCESS standard permit host 0.0.0.0
!
group-policy GP-1 attributes
split-tunnel-policy excludespecified
split-tunnel-network-list value LOCAL_LAN_ACCESS

HTH

Hey RJI, thanks for the reply.

Ok cool, I think I just need to make that a Deny and I should matching what that link states from my OP... Thanks again!

-Matt

Well I tried adding the same command as you, with "Deny" instead of Permit. And I get the same error message.

ASA(config)# access-list AnyConnect_splitTunnelAcl standard deny host 0.0.0.0
ERROR: invalid IP address

Not sure why this isn't working...

-Matt

Can you confirm what you are trying to achieve? Are you wanting to allow VPN users to access their local lan subnet and then tunnel everything else back over the VPN?

That's correct. But, this was suggested to make this change to the Split-Tunnel ACL because of a ISE Posture issue that we seem to be having via VPN. TAC suggested I add that "Deny" statement to the top of our Split-Tunnel ACL, which they sited the following quote below:

New Split Include Tunnel Behavior (CSCum90946)

Formerly, if a split-include network was a Supernet of a Local Subnet, the local subnet traffic was not tunneled unless a split-include network that exactly matches the Local Subnet was configured. With the resolution of CSCum90946, when a split-include network is a Supernet of a Local Subnet, the Local Subnet traffic is tunneled, unless a split-include (deny 0.0.0.0/32 or ::/128) is also configured in the access-list (ACE/ACL).

The new behavior requires the following configurations when a Supernet is configured in the split-include and the desired behavior is to allow LocalLan access:

    access-list (ACE/ACL) must include both a permit action for the Supernet and a deny action for 0.0.0.0/32 or ::/128.

    Enable Local LAN Access in the AnyConnect profile (in the Preferences Part 1 menu of the profile editor. (You also have the option to make it user controllable.)

 

 

Thanks Again,

Matt

Ok, from my notes, the configuration I previously provided worked (allowed local lan access) without a deny entry. I used this webpage as a basis for my testing. This however was tested without posture, I am obviously not aware of your TAC issue so this information I provided might not fit your needs.

Just wanted to add this because we finally figured it out.

 

The version of the ASA we were on, 9.4(1), didn't allow me to add that IP in the ACL. We upgraded the ASA to 9.4(4)20 and now we are able to use that command.

 

i.e.

access-list AnyConnect_TestAcl standard deny 0.0.0.0 255.255.225.255


-Matt

View solution in original post