Connecting to local LAN after connecting to AnyConnect Secure Mobility Client

schrader_john
Level 1

I connect to my corporate network using Cisco AnyConnect Secure Mobility Client. Once connected I can no longer print to my LAN-attached printer and other local resources. I use the Cisco/Linksys E4200 router on my LAN and can re-connect to the storage on the local LAN by setting up port forwarding of port 21 and MS Windows FTP folder sharing. However, I can't seem to connect to a Terminal Services client by forwarding port 3389. Is there a way to connect to the local LAN after logging into the VPN connection? I can connect to regular HTTP/HTTPS sites and most other types of connections, just not my own local resources.

Thanks in advance...JS


6 Replies

Marvin Rhoads
Hall of Fame

Your corporate administrator has likely set up the AnyConnect connection to NOT allow split tunneling - i.e., allowing corporate connections to go via the VPN while at the same time allowing local (or Internet) connections to go out via the local connection.

You can confirm this on your client (when connected) by clicking the "Advanced" link in the AnyConnect client system tray icon and looking at the "Route Details" tab. Seeing 0.0.0.0 as a secured route would indicate that split tunneling is not allowed in your VPN policy.

Yes, therein is the problem. Since I have to disconnect from the VPN software in order to access an already firewalled local LAN, it appears to me like an even greater risk than allowing direct access. I understand you are required to say what you did in this public thread.

Thanks for your response…JS

Glad to help, for what it's worth. Please mark question as answered if indeed it is and rate if the answer is helpful.

Hi Marvin,

I have a full tunnel profile configured for some departments. VPN is used from a wide range of locations, so the "local LAN" will have a different IP network depending on each user's location.

How can I allow local LAN access to these guys?

On the IPSEC client (on Cisco routers at least), that was possible with just one command if you remember.

Thanks in advance,

Florin.

When you have split tunneling enabled, the ASA or head end router policy uses an access-list to determine which networks at the main network should be tunneled. They end up in the IPsec Security Associations (SAs) and are installed as routes on the client bound to the VPN tunnel virtual interface.

Anything not explicitly on that list will continue to use the client's local default gateway for reachability to those networks.

When you're on a VPN, you can see them in the AnyConnect client's Advanced window as follows:

[Image: AnyConnect client VPN routes]
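An added ASA configuration example (not from this thread or from Cisco's documentation) showing the two split-tunnel policies described above: a "tunnelspecified" list for the classic split tunnel, and an "excludespecified" list that keeps the full tunnel but exempts only the client's directly connected subnet, which answers Florin's case of users on many different local networks. The group-policy and access-list names and the 10.0.0.0/8 and 172.16.0.0/12 corporate networks are assumed placeholders.

```cisco
! --- Option 1: split tunnel (tunnelspecified) ---
! Only the listed corporate networks are pushed to the client as secured routes;
! everything else, including the user's local LAN, keeps using the local default gateway.
access-list SPLIT_TUNNEL standard permit 10.0.0.0 255.0.0.0
access-list SPLIT_TUNNEL standard permit 172.16.0.0 255.240.0.0
!
group-policy GP_SPLIT internal
group-policy GP_SPLIT attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
! --- Option 2: full tunnel with local LAN access only (excludespecified) ---
! All traffic still goes through the VPN except the client's own connected subnet.
! "host 0.0.0.0" is the wildcard the client expands to whatever local subnet it is on,
! so one policy works from any location without enumerating each user's home network.
! Exposure is limited to that directly connected subnet; no other networks are exempted.
access-list LOCAL_LAN_ACCESS standard permit host 0.0.0.0
!
group-policy GP_FULL_LOCALLAN internal
group-policy GP_FULL_LOCALLAN attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value LOCAL_LAN_ACCESS
```

For option 2 the AnyConnect client profile must also contain `<LocalLanAccess UserControllable="true">true</LocalLanAccess>`, and the user enables "Allow local (LAN) access when using VPN" under Preferences; after connecting, the Route Details tab then shows the local subnet as a non-secured route.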

Thank you Marvin!