06-09-2011 12:21 AM - edited 02-21-2020 05:23 PM
Hello,
Split Tunnel is enabled for all private networks. Split Tunnel Policy is "Tunnel Specified" and the ACL includes all RFC1918 addresses. How can I enable Local LAN access for AnyConnect users? I tried with this ACL, but it does not work:
access-list splitACL standard deny host 0.0.0.0
access-list splitACL standard permit 10.0.0.0 255.0.0.0
access-list splitACL standard permit 192.168.0.0 255.255.0.0
access-list splitACL standard permit 172.16.0.0 255.240.0.0
Thanks,
mspoerr
06-09-2011 12:50 AM
Split tunneling works for VPN clients, allowing them to use their Internet access and access the local LAN at the same time. First, remove this line:
access-list splitACL standard deny host 0.0.0.0
Start with no nat statements.
Here is a good example
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml
If you could post your config, I could be more helpful
06-09-2011 01:05 AM
What does NAT have to do with Local LAN access? I want the client to access the local printer and other local resources. The first test was without the line "access-list splitACL standard deny host 0.0.0.0".
The local network overlaps with the networks specified in the Split ACL. The client has the "Local LAN access" checkbox checked.
Thanks,
mspoerr
06-10-2011 03:59 AM
Hi,
I believe you configured this feature well but perhaps missed something by accident. Will try to give some suggestions below. If it does not help we'll go into details.
[o] The "tunnelspecified" policy tunnels all traffic from or to the specified networks. If one enables split tunneling with the above option, it lets one create a network list of addresses to tunnel. Data to all other addresses travels in the clear and is routed by the remote user's default GW.
[o] The "excludespecified" keyword defines a list of networks to which traffic goes in the clear. This feature is useful for remote users who want to access devices on their local network, such as printers, while they are connected to the corporate network through a tunnel. This option applies to the Cisco IPSec VPN and HW clients, as well as the AnyConnect SSL VPN client.
[o] Only standard type ACLs can be used with split tunneling, and reading your earlier posts I see you have done that already.
[o] Another important aspect is that we need to also configure the client itself. Namely, please double check that within the AnyConnect Client -> 'AnyConnect Preference' menu, the 'Enable local LAN access' option is ticked / enabled. This option is disabled by default.
[o] Also related to the client, once the session is up with the ASA headend one can open up the "AnyConnect Client: Statistics Detail" menu and in the "Route Details" it can be validated if indeed the split policy is in place, see the "Non-secured Routes" and "Secured Routes" menu items.
Example :
The Local_LAN_Access access-list defined below will configure the AnyConnect client so that it excludes the network the client is on, without having to define the actual network.
ASAFW(config)# show runn access-list Local_LAN_Access
access-list Local_LAN_Access standard permit host 0.0.0.0
access-list Local_LAN_Access remark VPN-Local-LAN-Access
Then apply the access-list to the desired group-policy :
split-tunnel-policy excludespecified
split-tunnel-network-list value Local_LAN_Access
Last but not least, don't forget the 'Enable local LAN access' option within AC.
Hope this helps, and if not please get back to me
Greetings,
mfg
Istvan
06-10-2011 04:06 AM
Hi Istvan,
thank you for your answer, but I would need a mix of Split Tunnel and Local LAN Access. If I remember correctly, this was working with the good old VPNC 3000 devices...
The Local LAN checkbox is checked at the client side, but all private networks are tunneled. When using the other way around, with "split all, except...", then it works, but we only want to tunnel the private networks (except the Local LAN network)...
I opened a case yesterday and outcome is, that this is currently not supported, but an enhancement request will be opened.
Thanks,
Mathias
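To make the two policies discussed in this thread concrete, below is an added example (not from the original thread, Cisco or any poster) that models how the ASA decides which client traffic is tunneled under "tunnelspecified" versus "excludespecified", and runs both of the ACLs quoted above against a constructed client LAN. Assumptions are labelled in the code: the client LAN (192.168.1.0/24), the printer, corporate and Internet test addresses are constructed values; "host 0.0.0.0" in an excludespecified list is treated as "the subnet the client is locally attached to" as the thread describes; and deny entries are simply skipped since the thread does not establish how the ASA treats them in a split-tunnel list.

```python
import ipaddress

# Constructed test topology (not from the thread): the remote user's home LAN,
# a printer on it, a corporate host behind the ASA, and an Internet host.
CLIENT_LAN = "192.168.1.0/24"
PRINTER = "192.168.1.50"
CORPORATE = "10.1.2.3"
INTERNET = "203.0.113.10"  # TEST-NET-3 documentation range

# The two ACLs quoted in the thread, verbatim (standard ACL syntax).
SPLIT_ACL = [
    "access-list splitACL standard deny host 0.0.0.0",
    "access-list splitACL standard permit 10.0.0.0 255.0.0.0",
    "access-list splitACL standard permit 192.168.0.0 255.255.0.0",
    "access-list splitACL standard permit 172.16.0.0 255.240.0.0",
]
LOCAL_LAN_ACCESS_ACL = [
    "access-list Local_LAN_Access standard permit host 0.0.0.0",
    "access-list Local_LAN_Access remark VPN-Local-LAN-Access",
]

# Marker for the special "host 0.0.0.0" entry (client's own subnet).
LOCAL_SUBNET_MARKER = ipaddress.ip_network("0.0.0.0/32")


def parse_standard_acl(lines):
    """Return the list of networks named by the permit entries of a standard ACL.

    Remarks and other non-ACE lines are ignored. Deny entries are skipped
    (assumption: the thread gives no rule for them in a split-tunnel list).
    """
    nets = []
    for line in lines:
        parts = line.split()
        # Expected shape: access-list <name> standard permit|deny (host A.B.C.D | A.B.C.D MASK)
        if len(parts) < 6 or parts[0] != "access-list" or parts[2] != "standard":
            continue
        if parts[3] != "permit":
            continue
        if parts[4] == "host":
            nets.append(ipaddress.ip_network(parts[5] + "/32"))
        else:
            nets.append(ipaddress.ip_network(f"{parts[4]}/{parts[5]}", strict=False))
    return nets


def _in_list(dest, acl_networks, client_lan):
    """True if dest matches any entry, expanding 'host 0.0.0.0' to the client LAN."""
    for net in acl_networks:
        if net == LOCAL_SUBNET_MARKER:
            if dest in client_lan:
                return True
        elif dest in net:
            return True
    return False


def is_tunneled(policy, acl_lines, dest, client_lan=CLIENT_LAN):
    """Decide whether traffic to dest enters the VPN tunnel under the given policy."""
    dest = ipaddress.ip_address(dest)
    client_lan = ipaddress.ip_network(client_lan)
    matched = _in_list(dest, parse_standard_acl(acl_lines), client_lan)
    if policy == "tunnelspecified":
        return matched          # listed networks go in the tunnel, rest in the clear
    if policy == "excludespecified":
        return not matched      # listed networks go in the clear, rest in the tunnel
    if policy == "tunnelall":
        return True
    raise ValueError(f"unknown split-tunnel-policy {policy!r}")


def decision_table(policy, acl_lines, client_lan=CLIENT_LAN):
    """Map each constructed destination to True (tunneled) / False (in the clear)."""
    return {
        name: is_tunneled(policy, acl_lines, addr, client_lan)
        for name, addr in (("printer", PRINTER), ("corporate", CORPORATE), ("internet", INTERNET))
    }


if __name__ == "__main__":
    # The original poster's setup: the home LAN overlaps 192.168.0.0/16, so the
    # printer is pulled into the tunnel even with the client checkbox enabled.
    print("tunnelspecified + RFC1918:", decision_table("tunnelspecified", SPLIT_ACL))
    # Istvan's setup: the printer stays local, but Internet traffic is now tunneled too.
    print("excludespecified + host 0.0.0.0:", decision_table("excludespecified", LOCAL_LAN_ACCESS_ACL))
```

The two tables show the trade-off Mathias describes: with "tunnelspecified" the overlapping RFC1918 entry wins and the printer is tunneled, while with "excludespecified" the printer is reachable but Internet traffic also flows through the headend, and no single standard ACL in this model yields both at once.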
06-10-2011 04:39 AM
Hi,
I got it now, thank you for the details. Hope the enhancement will be there soon.
Thank you
Best regards
Istvan
08-18-2014 11:04 AM
I had this same problem after split tunnel was set up. I found that it was a local firewall problem on my workstation. I simply set the Home or Work (private) network to accept all connections when using the Cisco AnyConnect VPN.
SRR