cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
9432
Views
25
Helpful
5
Replies

Cisco Anyconnect Split Tunnel Local LAN Access for Printing

Ricky S
Level 3
Level 3

Our Remote Access VPN configuration is setup to allow split-tunnelling to the Internet from the client machine. Cisco Anyconnect Secure Mobility Client encrypts all RFC1918 networks and tunnels them.  While all other traffic (email, casual browsing etc.) is sent unencrypted.  However due to this setup,  our clients are not able to print to their local printers.  I understand this is because of the above mentioned configuration which tunnels all RFC1918 networks (which also include local LAN networks) to the ASA.  Is there a workaround we can use while still utilizing split-tunnelling where all internet based traffic splits right from the client’s local LAN and all corporate traffic is tunnelled?

5 Replies 5

David Castro F.
Spotlight
Spotlight

Hello Ricky,

 

I hope you are doing great,

 

You could allow the "Allow local LAN access on the anyconnect or XML file"

 

 

<LocalLanAccess UserControllable="true">true</LocalLanAccess>.

 

This way you can still have access to your Local LAN, whether you have exclude specified or include specified.

 

keep me posted, on this.

 

Please qualify all of the helpful answers and mark as answered if this was the answer required,

 

Regards,

 

David Castro,

Hi David, we already have that option checked via the GUI and via .xml profile.

group-policy GroupPolicy_AnyconnectChicago attributes
wins-server none
dns-server value x.x.x.x
vpn-simultaneous-logins 3
vpn-session-timeout 720
vpn-tunnel-protocol ssl-client
group-lock value AnyconnectChicago
split-tunnel-policy tunnelspecified
split-tunnel-network-list value anyconnect_ace
default-domain value acme.com
split-tunnel-all-dns enable
!
!
access-list anyconnect_ace line 1 standard permit 10.0.0.0 255.0.0.0 (hitcnt=0) 0xd39774f7
access-list anyconnect_ace line 2 standard permit 172.16.0.0 255.240.0.0 (hitcnt=0) 0x9b1240cf
access-list anyconnect_ace line 3 standard permit 192.168.0.0 255.255.0.0 (hitcnt=0) 0xe546a0f4

Hello Ricky,

 

This scenario would likely work with exlude specified but it can create a big ACL excluding all of the public ranges and the printers IPs individually, you could try the following:

 

Unable to Print or Browse by Name

When the VPN Client is connected and configured for local LAN access, you cannot print or browse by name on the local LAN. There are two options available in order to work around this situation:

  • Browse or print by IP address.

    • In order to browse, instead of the syntax \\sharename, use the syntax \\x.x.x.x where x.x.x.x is the IP address of the host computer.

    • In order to print, change the properties for the network printer in order to use an IP address instead of a name. For example, instead of the syntax \\sharename\printername, use \\x.x.x.x\printername, where x.x.x.x is an IP address.
  • Create or modify the VPN Client LMHOSTS file. An LMHOSTS file on a Microsoft Windows PC allows you to create static mappings between hostnames and IP addresses. For example, an LMHOSTS file might look like this:

    192.168.0.3 SERVER1
    192.168.0.4 SERVER2
    192.168.0.5 SERVER3

 

Also explore the exclude specify option, which allows you to exclude what should not go through the tunnel and allow the rest of it being encrypted,

 

Keep me posted,

 

Please rate all helpful posts,

 

Thanks,

 

David Castro,

 

 

 

 

 

 

 

 

In addition to enabling "Allow local (LAN) access..." and presuming you are configured to "tunnel network list below", add 0.0.0.0/32 with a deny to your split tunnel network list ACL. I largely used this article, but modified it to allow specifying addresses that I specifically want to tunnel rather than excluding addresses I did not tunnel (i.e. almost the entire Internet).

 

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/70847-local-lan-pix-asa.html

@wmarkeles A very late reply and I apologize but this resolved the issue.  We are now able to print locally while still tunneling only specific subnets. 

0.0.0.0/32 deny did the trick.

Thanks again