Change ACL used by split-tunnel-network-list during operations

robo0003c
Level 1

Hi!

 

We have the following configuration for our anyconnect group-policy

 

split-tunnel-policy excludespecified
split-tunnel-network-list value NoTunneling

 

The ACL:

 

access-list NoTunneling remark exclude home networks
access-list NoTunneling standard permit 192.168.0.0 255.255.255.0 

 

If I want to add entries on the ACL above to exclude some more networks from the Anyconnect tunnel, can I do that during operations? Is this only updated when the users re-connect the VPN? We have some users wanting to access their local networks at home and by such we need to exclude them from the tunnel. But I do not want to disrupt the traffic for them - is it safe to add entries during operations?


4 Replies

Hi,

If you make any changes to the split tunnel the users would need to re-connect to the VPN to get the changes applied to their session.


If you want Local LAN access when connected to the VPN, you would need the following:-

access-list LOCAL_LAN_ACCESS standard permit host 0.0.0.0

group-policy GP-1 attributes
split-tunnel-policy excludespecified
split-tunnel-network-list value LOCAL_LAN_ACCESS

In addition, you can configure the VPN Client Profile if local LAN access is allowed with <LocalLanAccess UserControllable="true">true</LocalLanAccess>.


HTH

Thanks for the answer!

 

1.) Wouldn't the below config make all traffic to be excluded from the tunnel? Render the tunnel empty?

access-list LOCAL_LAN_ACCESS standard permit host 0.0.0.0

group-policy GP-1 attributes
split-tunnel-policy excludespecified
split-tunnel-network-list value LOCAL_LAN_ACCESS

I just want the subnets 192.168.0.0/24 and 192.168.1.0/24 to be excluded from the tunnel, so users at home can have those two subnets at their home network for printers and such. All other traffic must go through the tunnel to corporate.

 

2.) Can I make these changes without my users noticing any disruption? I am happy as long as they get the change after a re-connect -- but I don't want the sessions to get dropped when I make the change.

Hi,

No, when you use the syntax I provided the 0.0.0.0 has a netmask of /32, reference for Local LAN Access here. Local LAN access will provide access to the user's home LAN, regardless of what their local LAN network is.

 

You should be able to apply the configuration changes without interruption. Although as with any change in production you'd probably want to apply them during a change window and of course take a backup of the configuration.


HTH
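The two exclude lists discussed in this thread (the poster's NoTunneling list with explicit home subnets, and the "host 0.0.0.0" local-LAN-access entry from the reply) behave differently, and the follow-up question about whether an entry could "render the tunnel empty" is exactly the kind of thing worth checking before a change window. The Python below is an added example, not code from the thread or from Cisco: it parses ASA standard ACL lines, classifies a destination under split-tunnel-policy excludespecified, and flags entries that would let corporate traffic bypass the tunnel. The sample ACL text, the extra "BAD" list, the corporate network 10.0.0.0/8 and the client_lan parameter are all constructed for the example; the 0.0.0.0 marker is modelled the way the reply describes it (it stands for whatever subnet the client is on) and only standard permit/deny lines with host, any or network/netmask operands are parsed.

```python
import ipaddress
import re

# Constructed sample input: the thread's two lists, the second home subnet the
# poster asked for, plus a deliberately over-broad list named BAD so the review
# has something to flag. Not copied verbatim from any device.
SAMPLE_ACL = """
access-list NoTunneling remark exclude home networks
access-list NoTunneling standard permit 192.168.0.0 255.255.255.0
access-list NoTunneling standard permit 192.168.1.0 255.255.255.0
access-list LOCAL_LAN_ACCESS standard permit host 0.0.0.0
access-list BAD standard permit 0.0.0.0 0.0.0.0
"""

# "host 0.0.0.0" in a split-exclude list is the local-LAN-access marker the reply
# describes: it stands for whatever subnet the client happens to be on.
LOCAL_LAN_MARKER = ipaddress.ip_network("0.0.0.0/32")

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+standard\s+(permit|deny)\s+(.+)$")


def parse_standard_acls(text):
    """Parse ASA standard ACL lines into {name: [(action, IPv4Network), ...]}.
    Remark lines and anything that is not a standard permit/deny line are skipped."""
    acls = {}
    for raw in text.splitlines():
        m = ACL_RE.match(raw.strip())
        if not m:
            continue
        name, action, rest = m.groups()
        tokens = rest.split()
        if tokens[0] == "host":
            net = ipaddress.ip_network(f"{tokens[1]}/32")
        elif tokens[0] == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:  # "<network> <netmask>" form, e.g. 192.168.0.0 255.255.255.0
            net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
        acls.setdefault(name, []).append((action, net))
    return acls


def route_for(dst, exclude_entries, client_lan=None):
    """Classify one destination under split-tunnel-policy excludespecified.
    Returns "bypass" if the destination is excluded from the tunnel, else "tunnel".
    client_lan (assumed parameter) is the client's own subnet; it is only needed to
    resolve the 0.0.0.0 local-LAN marker, which otherwise matches nothing."""
    dst_ip = ipaddress.ip_address(dst)
    for action, net in exclude_entries:
        if action != "permit":
            continue
        if net == LOCAL_LAN_MARKER:
            if client_lan is not None and dst_ip in ipaddress.ip_network(client_lan):
                return "bypass"
            continue
        if dst_ip in net:
            return "bypass"
    return "tunnel"


def lint_split_exclude(exclude_entries, corporate_nets):
    """Flag exclude entries that would let corporate traffic leave the tunnel.
    corporate_nets: networks that must stay inside the tunnel (constructed list)."""
    findings = []
    corp = [ipaddress.ip_network(c) for c in corporate_nets]
    for action, net in exclude_entries:
        if action != "permit":
            continue
        if net == LOCAL_LAN_MARKER:
            findings.append(f"{net}: local-LAN marker, excludes only the client's own subnet")
            continue
        if net.prefixlen == 0:
            findings.append(f"{net}: excludes everything, the tunnel would carry no traffic")
            continue
        for c in corp:
            if net.overlaps(c):
                findings.append(f"{net}: overlaps corporate network {c}, that traffic would bypass the tunnel")
    return findings


if __name__ == "__main__":
    acls = parse_standard_acls(SAMPLE_ACL)
    for name, entries in acls.items():
        print(name, [str(n) for _, n in entries])
        for finding in lint_split_exclude(entries, ["10.0.0.0/8"]):
            print("  !", finding)
    print(route_for("192.168.1.20", acls["NoTunneling"]))  # home printer: bypass
    print(route_for("10.1.2.3", acls["NoTunneling"]))      # corporate host: tunnel
```

Running the file prints each list with its findings: NoTunneling produces none against 10.0.0.0/8, LOCAL_LAN_ACCESS is reported as the local-LAN marker, and BAD is reported as excluding everything, which is the "empty tunnel" outcome the follow-up question worried about. The classification only models which side of the tunnel a packet lands on; it says nothing about when a connected client picks up the change, which per the reply is at re-connect.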

Thank you for the detailed answer! Your solution looks better, I will use that instead!
