06-12-2018 10:14 AM - edited 03-12-2019 05:21 AM
Hello All,
ASA: v9.4(1)
AnyConnect: v4.5
According to the AnyConnect 4.5 Release Notes, the section "New Split Include Tunnel Behavior (CSCum90946)" says that formerly, in order for the split tunnel to tunnel a client's traffic to their local subnet (while on AnyConnect VPN), if the split-include network was a Supernet of a Local Subnet, the local subnet traffic was not tunneled unless a split-include network that exactly matched the Local Subnet was configured.
The link above explains that you need to include a Deny statement at the top of the split tunnel ACL for 0.0.0.0/32. But, no matter how I try to write this, it fails with invalid IP Address.
ASA(config)# access-list AnyConnect_splitTunnelAcl deny 0.0.0.0 255.255.255.255
ERROR: invalid IP address
ASA(config)#
ASA(config)# access-list AnyConnect_splitTunnelAcl standard deny 0.0.0.0 255.255.255.255
ERROR: invalid IP address
Any ideas how you're expected to include a deny for 0.0.0.0/32 in the ASA's Split-Tunnel ACL for AnyConnect?
Our current Split-Tunnel ACL looks like:
access-list AC_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list AC_splitTunnelAcl standard permit 192.168.0.0 255.255.0.0
Thanks in Advance,
Matt
06-29-2018 08:50 AM
Just wanted to add this because we finally figured it out.
The version of the ASA we were on, 9.4(1), didn't allow me to add that IP in the ACL. We upgraded the ASA to 9.4(4)20 and now we are able to use that command.
i.e.
access-list AnyConnect_TestAcl standard deny 0.0.0.0 255.255.255.255
-Matt
That's correct. But this change to the Split-Tunnel ACL was suggested because of an ISE Posture issue that we seem to be having via VPN. TAC suggested I add that "Deny" statement to the top of our Split-Tunnel ACL, and cited the following quote:
New Split Include Tunnel Behavior (CSCum90946)
Formerly, if a split-include network was a Supernet of a Local Subnet, the local subnet traffic was not tunneled unless a split-include network that exactly matches the Local Subnet was configured. With the resolution of CSCum90946, when a split-include network is a Supernet of a Local Subnet, the Local Subnet traffic is tunneled, unless a split-include (deny 0.0.0.0/32 or ::/128) is also configured in the access-list (ACE/ACL).
The new behavior requires the following configurations when a Supernet is configured in the split-include and the desired behavior is to allow LocalLan access:
access-list (ACE/ACL) must include both a permit action for the Supernet and a deny action for 0.0.0.0/32 or ::/128.
Enable Local LAN Access in the AnyConnect profile (in the Preferences Part 1 menu of the profile editor). You also have the option to make it user controllable.
Thanks Again,
Matt
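Added example, not from the thread, Cisco or TAC: a small Python model of the split-include decision the quoted release note describes, run against the thread's own ACL with and without the deny 0.0.0.0/32 entry. The function names and the 192.168.1.0/24 home subnet are mine, and the model assumes the deny marker only takes effect together with Local LAN Access enabled in the profile, as the note's requirements list reads.

```python
from ipaddress import ip_network

# Deny entries the quoted release note treats as a flag, not a route:
# "keep the local subnet out of the tunnel even though a permit supernet covers it".
LOCAL_LAN_MARKERS = {ip_network("0.0.0.0/32"), ip_network("::/128")}

def parse_split_include(lines):
    """Parse ACEs in the thread's form ('access-list NAME standard permit|deny
    NET MASK', or NET/PREFIX) into a list of (action, network) tuples."""
    acl = []
    for line in lines:
        t = line.split()
        if (len(t) not in (5, 6) or t[0] != "access-list" or t[2] != "standard"
                or t[3] not in ("permit", "deny")):
            raise ValueError(f"not a standard ACE: {line!r}")
        # ip_network accepts dotted masks and rejects non-contiguous ones, so a
        # mistyped mask fails here instead of silently matching nothing.
        acl.append((t[3], ip_network(f"{t[4]}/{t[5]}" if len(t) == 6 else t[4])))
    return acl

def local_subnet_tunneled(acl, local_subnet, local_lan_access=True, fixed_client=True):
    """Is traffic to the client's local subnet sent into the tunnel?
    fixed_client=False models the pre-CSCum90946 rule, True the new rule quoted
    above. Model assumption: the deny marker only takes effect when Local LAN
    Access is also enabled in the profile, as the note's requirements list reads."""
    local = ip_network(local_subnet)
    permits = [n for a, n in acl if a == "permit" and n.version == local.version]
    if local in permits:
        return True   # exact split-include match: tunneled under both rules
    if not any(local.subnet_of(n) for n in permits):
        return False  # no split-include covers it: stays local under both rules
    if not fixed_client:
        return False  # old rule: a supernet alone never pulled the local subnet in
    marker = any(a == "deny" and n in LOCAL_LAN_MARKERS for a, n in acl)
    return not (marker and local_lan_access)

# Constructed sample: the thread's ACL, then the same ACL with TAC's deny on top.
THREAD_ACL = [
    "access-list AC_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0",
    "access-list AC_splitTunnelAcl standard permit 192.168.0.0 255.255.0.0",
]
WITH_MARKER = ["access-list AC_splitTunnelAcl standard deny 0.0.0.0 255.255.255.255"] + THREAD_ACL

if __name__ == "__main__":
    home = "192.168.1.0/24"  # constructed home LAN, inside the 192.168.0.0/16 supernet
    for label, lines in (("thread ACL", THREAD_ACL), ("with deny 0.0.0.0/32", WITH_MARKER)):
        acl = parse_split_include(lines)
        print(f"{label}: old rule tunnels local subnet={local_subnet_tunneled(acl, home, fixed_client=False)},"
              f" new rule={local_subnet_tunneled(acl, home)}")
```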
06-14-2018 01:07 PM
Ok, from my notes, the configuration I previously provided worked (allowed local LAN access) without a deny entry. I used this webpage as a basis for my testing. This, however, was tested without posture; I am obviously not aware of your TAC issue, so the information I provided might not fit your needs.