Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
8950
Views
25
Helpful
5
Replies

Cisco Anyconnect Split Tunnel Local LAN Access for Printing

Ricky S
Level 3
Level 3

‎11-12-2018 10:48 AM - edited ‎02-21-2020 09:30 PM

Our Remote Access VPN configuration is setup to allow split-tunnelling to the Internet from the client machine. Cisco Anyconnect Secure Mobility Client encrypts all RFC1918 networks and tunnels them.  While all other traffic (email, casual browsing etc.) is sent unencrypted.  However due to this setup,  our clients are not able to print to their local printers.  I understand this is because of the above mentioned configuration which tunnels all RFC1918 networks (which also include local LAN networks) to the ASA.  Is there a workaround we can use while still utilizing split-tunnelling where all internet based traffic splits right from the client’s local LAN and all corporate traffic is tunnelled?

2 people had this problem
Labels:
0 Helpful
5 Replies 5

David Castro F.
Spotlight
Spotlight

‎11-12-2018 12:46 PM

Hello Ricky,

 

I hope you are doing great,

 

You could allow the "Allow local LAN access on the anyconnect or XML file"

 

 

<LocalLanAccess UserControllable="true">true</LocalLanAccess>.

 

This way you can still have access to your Local LAN, whether you have exclude specified or include specified.

 

keep me posted, on this.

 

Please qualify all of the helpful answers and mark as answered if this was the answer required,

 

Regards,

 

David Castro,

0 Helpful

Ricky S
Level 3
Level 3
In response to David Castro F.

‎11-12-2018 01:05 PM

Hi David, we already have that option checked via the GUI and via .xml profile.

group-policy GroupPolicy_AnyconnectChicago attributes
wins-server none
dns-server value x.x.x.x
vpn-simultaneous-logins 3
vpn-session-timeout 720
vpn-tunnel-protocol ssl-client
group-lock value AnyconnectChicago
split-tunnel-policy tunnelspecified
split-tunnel-network-list value anyconnect_ace
default-domain value acme.com
split-tunnel-all-dns enable
!
!
access-list anyconnect_ace line 1 standard permit 10.0.0.0 255.0.0.0 (hitcnt=0) 0xd39774f7
access-list anyconnect_ace line 2 standard permit 172.16.0.0 255.240.0.0 (hitcnt=0) 0x9b1240cf
access-list anyconnect_ace line 3 standard permit 192.168.0.0 255.255.0.0 (hitcnt=0) 0xe546a0f4
0 Helpful

David Castro F.
Spotlight
Spotlight
In response to Ricky S

‎11-12-2018 01:27 PM

Hello Ricky,

 

This scenario would likely work with exlude specified but it can create a big ACL excluding all of the public ranges and the printers IPs individually, you could try the following:

 

Unable to Print or Browse by Name

When the VPN Client is connected and configured for local LAN access, you cannot print or browse by name on the local LAN. There are two options available in order to work around this situation:

  • Browse or print by IP address.

    • In order to browse, instead of the syntax \\sharename, use the syntax \\x.x.x.x where x.x.x.x is the IP address of the host computer.

    • In order to print, change the properties for the network printer in order to use an IP address instead of a name. For example, instead of the syntax \\sharename\printername, use \\x.x.x.x\printername, where x.x.x.x is an IP address.
  • Create or modify the VPN Client LMHOSTS file. An LMHOSTS file on a Microsoft Windows PC allows you to create static mappings between hostnames and IP addresses. For example, an LMHOSTS file might look like this:

    192.168.0.3 SERVER1
192.168.0.4 SERVER2
192.168.0.5 SERVER3

 

Also explore the exclude specify option, which allows you to exclude what should not go through the tunnel and allow the rest of it being encrypted,

 

Keep me posted,

 

Please rate all helpful posts,

 

Thanks,

 

David Castro,

 

 

 

 

 

 

 

 

wmarkeles
Level 1
Level 1
In response to Ricky S

‎04-30-2019 03:08 PM

In addition to enabling "Allow local (LAN) access..." and presuming you are configured to "tunnel network list below", add 0.0.0.0/32 with a deny to your split tunnel network list ACL. I largely used this article, but modified it to allow specifying addresses that I specifically want to tunnel rather than excluding addresses I did not tunnel (i.e. almost the entire Internet).

 

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/70847-local-lan-pix-asa.html

Ricky Sandhu
Level 1
Level 1
In response to wmarkeles

‎04-13-2022 08:52 AM

@wmarkeles A very late reply and I apologize but this resolved the issue.  We are now able to print locally while still tunneling only specific subnets. 

0.0.0.0/32 deny did the trick.

Thanks again

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents