Give vendor access to their local network when on our AnyConnect

Travis-Fleming
Level 1

Hello,

We added a vendor group-policy and whenever the vendor joins our VPN they are not able to access their own local resources on their local network. Below is the policy I have setup. I was under the understanding with the "split-tunnel-policy tunnelspecified" command it would only send the networks specified in the split-tunnel-network-list down the VPN, they could then have access to their own local network. Can someone provide some clarity on this? From what I have setup, I believe it should only send traffic for 172.16.1.166 down the VPN, and any other traffic from their PC would be offloaded locally?


I also had them open their AnyConnect client, go to preferences, and check the box to allow access to LAN.


group-policy GroupPolicy-vendor-Access internal
group-policy GroupPolicy-vendor-Access attributes
wins-server none
dns-server value 172.16.1.160 172.16.1.161
vpn-filter value vpn-vendor-permit
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn-vendor-split-tunnel
default-domain value XYZ.com

!

access-list vpn-vendor-permit extended permit tcp 10.20.0.0 255.255.252.0 host 172.16.1.166 eq 3389

access-list vpn-vendor-split-tunnel standard permit host 172.16.1.166


6 Replies

Hi @Travis-Fleming 

Your ACL needs to permit host 0.0.0.0, such as this:


access-list ALL_EXCEPT permit host 0.0.0.0

Example here

I read that on a few Cisco support sites, but it didn't make sense to me. Wouldn't that send all traffic down the tunnel if I'm using the "tunnelspecified" command? Maybe you could explain to me like I'm a kindergartener.

And would it just be:


access-list vpn-vendor-split-tunnel standard permit host 172.16.1.166
access-list vpn-vendor-split-tunnel standard permit host 0.0.0.0


Or would I just have:


access-list vpn-vendor-split-tunnel standard permit host 0.0.0.0

@Travis-Fleming sorry, you are doing tunnelspecified not excludespecified. So if you only specify the 1 destination any other traffic should not be encrypted and sent via anyconnect. On AnyConnect what is the output of the secured and non-secured routes?
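To check what the group-policy in the question actually sends through the tunnel, here is an added example (not from the original thread or from Cisco) that models the ASA split-tunnel decision for tunnelspecified versus excludespecified and then applies the vpn-filter ACL to whatever is tunneled. The client pool 10.20.0.0/22 is taken from the vpn-filter ACL; the sample destinations are constructed.

```python
import ipaddress

# Simplified model of the split-tunnel decision (assumption, not Cisco code):
#   tunnelspecified  -> only destinations matching the list go through the tunnel
#   excludespecified -> matching destinations stay local, everything else is tunneled
SPLIT_POLICY = "tunnelspecified"
SPLIT_LIST = [ipaddress.ip_network("172.16.1.166/32")]   # vpn-vendor-split-tunnel
VPN_POOL = ipaddress.ip_network("10.20.0.0/22")           # source in the vpn-filter ACL
# vpn-filter vpn-vendor-permit: (proto, src_net, dst_net, dst_port)
VPN_FILTER = [("tcp", VPN_POOL, ipaddress.ip_network("172.16.1.166/32"), 3389)]


def is_tunneled(dst, policy=SPLIT_POLICY, split_list=SPLIT_LIST):
    """Return True if traffic to dst is sent through the AnyConnect tunnel."""
    matched = any(ipaddress.ip_address(dst) in net for net in split_list)
    if policy == "tunnelspecified":
        return matched
    if policy == "excludespecified":
        return not matched
    return True  # tunnelall: everything goes through the tunnel


def filter_permits(proto, src, dst, dport, vpn_filter=VPN_FILTER):
    """Return True if the vpn-filter ACL permits this flow (implicit deny otherwise)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(proto == p and s in sn and d in dn and dport == dp
               for p, sn, dn, dp in vpn_filter)


def classify(proto, src, dst, dport, policy=SPLIT_POLICY):
    """Where does a flow from the VPN client end up, and does the ASA allow it?"""
    if not is_tunneled(dst, policy):
        return "local"  # handled by the client's own LAN, never reaches the ASA
    return "tunneled-permit" if filter_permits(proto, src, dst, dport) else "tunneled-drop"


if __name__ == "__main__":
    # Constructed sample flows from a client in the 10.20.0.0/22 pool
    for proto, src, dst, port in [("tcp", "10.20.0.5", "172.16.1.166", 3389),
                                  ("tcp", "10.20.0.5", "172.16.1.166", 22),
                                  ("tcp", "10.20.0.5", "192.168.1.10", 445)]:
        print(f"{proto} {src} -> {dst}:{port}: {classify(proto, src, dst, port)}")
```

With tunnelspecified, the vendor's own 192.168.x.x printer or file share is "local" and is never touched by the vpn-filter; only RDP to 172.16.1.166 passes the filter, so any other tunneled port is dropped.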

Here is what I see from my end when I connect with that group-policy. Waiting on my vendor to supply the same screencap. All the individual IPs in the secured routes section I do have spelled out in my access list.


[Attached screenshot: Screenshot 2021-07-15 103624.jpg]

What I had was working. The Vendor mis-spoke when they talked to me about what they could and could not access. This was working as is. Darn miscommunication from the vendor.