How does Anyconnect VPN Client change/affect local windows routing table?

Manuel.Picco
Level 1

Hello,

I have this problem:

Before connecting with Cisco Anyconnect VPN, the "route print" command on Windows XP doesn't show any special static route entry.

After connecting with Anyconnect, I can see a static route pointing to my DHCP & Novell Server (internal network interface, nothing to do with VPN). That means, that after being connected, I cannot access this server anymore, as packets are routed directly on the internal network.

This way, I have like an unwanted "Split Tunnel" situation, even though in ASA Config, in the group policy, I say to "tunnel all networks".

When I try to manually remove the static windows route, the process "vpnagent" recreates it directly afterwards.

Does anyone know how the route table modification process of Cisco Anyconnect works?

Thanks,

Best Regards
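Added example (not part of the original post, and not Cisco's code): a small Python tool that parses two Windows XP "route print" dumps, one taken before and one after the AnyConnect session comes up, and diffs them so the routes injected by the client become visible. It then applies a simple heuristic to flag /32 host routes that egress the physical NIC rather than the VPN adapter, which is exactly the kind of entry the question describes. The two dumps, the VPN adapter address 192.168.200.10 and the headend address 203.0.113.10 are constructed sample values.

```python
import re
from typing import List, NamedTuple, Set, Tuple


class Route(NamedTuple):
    destination: str
    netmask: str
    gateway: str
    interface: str
    metric: int


_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# One row of the "Active Routes" table: four dotted quads and an integer metric.
_ROUTE_ROW = re.compile(
    rf"^\s*({_IPV4})\s+({_IPV4})\s+({_IPV4})\s+({_IPV4})\s+(\d+)\s*$"
)


def parse_route_print(text: str) -> Set[Route]:
    """Extract the Active Routes rows from a Windows XP 'route print' dump."""
    routes: Set[Route] = set()
    in_table = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Active Routes:"):
            in_table = True
            continue
        if not in_table:
            continue
        if stripped.startswith(("Default Gateway:", "Persistent Routes:", "=")):
            break  # end of the active-routes table
        m = _ROUTE_ROW.match(line)
        if m:
            routes.add(Route(m[1], m[2], m[3], m[4], int(m[5])))
    return routes


def diff_routes(before: Set[Route], after: Set[Route]) -> Tuple[Set[Route], Set[Route]]:
    """Return (added, removed) relative to the pre-connection snapshot."""
    return after - before, before - after


def local_lan_host_routes(added: Set[Route], vpn_adapter_ip: str, headend_ip: str) -> List[Route]:
    """Heuristic: added /32 routes that leave via the physical NIC, not the VPN adapter.

    Two host routes are expected under tunnel-all and are ignored: the route to the
    ASA itself (headend_ip), which must stay on the physical path, and loopback
    routes Windows creates for the adapter's own address.
    """
    return sorted(
        r for r in added
        if r.netmask == "255.255.255.255"
        and r.interface not in (vpn_adapter_ip, "127.0.0.1")
        and r.destination != headend_ip
    )


# Constructed sample dumps in Windows XP 'route print' layout.
BEFORE = """
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0c 29 ab cd ef ...... Intel(R) PRO/1000 MT Network Connection
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1        1
      192.168.1.0    255.255.255.0     192.168.1.50    192.168.1.50       20
     192.168.1.50  255.255.255.255        127.0.0.1       127.0.0.1       20
  255.255.255.255  255.255.255.255     192.168.1.50    192.168.1.50        1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  None
"""

AFTER = """
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0c 29 ab cd ef ...... Intel(R) PRO/1000 MT Network Connection
0x3 ...00 05 9a 3c 78 00 ...... Cisco AnyConnect VPN Virtual Miniport Adapter
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50       20
          0.0.0.0          0.0.0.0    192.168.200.1  192.168.200.10        1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1        1
      192.168.1.0    255.255.255.0     192.168.1.50    192.168.1.50       20
     192.168.1.20  255.255.255.255     192.168.1.50    192.168.1.50        1
     192.168.1.50  255.255.255.255        127.0.0.1       127.0.0.1       20
    192.168.200.0    255.255.255.0   192.168.200.10  192.168.200.10        1
   192.168.200.10  255.255.255.255        127.0.0.1       127.0.0.1        1
     203.0.113.10  255.255.255.255      192.168.1.1    192.168.1.50        1
  255.255.255.255  255.255.255.255     192.168.1.50    192.168.1.50        1
Default Gateway:     192.168.200.1
===========================================================================
Persistent Routes:
  None
"""

BEFORE_ROUTES = parse_route_print(BEFORE)
AFTER_ROUTES = parse_route_print(AFTER)
ADDED, REMOVED = diff_routes(BEFORE_ROUTES, AFTER_ROUTES)
SUSPECT = local_lan_host_routes(ADDED, vpn_adapter_ip="192.168.200.10", headend_ip="203.0.113.10")

if __name__ == "__main__":
    for r in sorted(ADDED):
        print("added  ", r)
    for r in sorted(REMOVED):
        print("removed", r)
    for r in SUSPECT:
        print("host route bypassing the tunnel:", r)
```

Run it against real dumps by reading the two saved "route print" outputs into BEFORE and AFTER; the flagged entry is the one to compare against the group policy on the ASA (tunnel-all should not produce a host route on the physical adapter).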

2 Replies

rate
Level 1

Hi Manuel,

We have this exact same issue! But to make matters worse, this server is also our DNS server, so when we see this problem we're pretty stuck.

Funny thing is: it's not all PCs having this problem!

Have you heard anything since you created this post?

/Rasmus

mulatif
Cisco Employee

Hi Manuel,

If you use "Full Tunneling", Local LAN access is blocked unless it is specifically configured/allowed in the AnyConnect profile.

See below

"Local LAN Access—Allows the user complete access to the local LAN connected to the remote computer during the VPN session to the ASA".

http://www.cisco.com/en/US/partner/docs/security/vpn_client/anyconnect/anyconnect25/administration/guide/ac03features.html

The ASA config will look something like below

1) This ACL will configure the AnyConnect client to exclude the network the client is "on", without having to define the actual network.

    5540-1(config)# show runn access-list Local_LAN_Access
    access-list Local_LAN_Access standard permit host 0.0.0.0
    access-list Local_LAN_Access remark VPN-Local-LAN-Access

2) Apply the access-list to the group-policy:

    split-tunnel-policy excludespecified
    split-tunnel-network-list value Local_LAN_Access

Thanks,

Naman
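Added example (not part of the reply above, and not Cisco's code): a Python model of how the split-tunnel policy and network list decide whether a destination is sent through the tunnel or kept on the local LAN. It parses standard-ACL lines of the form shown in the reply and treats "permit host 0.0.0.0" as the special entry that stands for the client's own subnet, as the reply describes. The client address 192.168.1.50/24 and the destinations are constructed; "deny" entries are not modelled.

```python
import ipaddress
from typing import List, Union

# Sentinel for "host 0.0.0.0": on the ASA this entry stands for whatever subnet the
# client's physical adapter is on (assumption drawn from the reply above).
LOCAL_LAN = "LOCAL_LAN"
Entry = Union[ipaddress.IPv4Network, str]


def parse_standard_acl(lines: List[str], name: str) -> List[Entry]:
    """Parse 'access-list <name> standard permit ...' lines into network entries.

    Remark lines and lines for other ACL names are skipped.
    """
    entries: List[Entry] = []
    for raw in lines:
        parts = raw.split()
        if len(parts) < 5 or parts[:3] != ["access-list", name, "standard"]:
            continue
        if parts[3] != "permit":
            continue  # deny entries are not modelled here
        rest = parts[4:]
        if rest == ["host", "0.0.0.0"]:
            entries.append(LOCAL_LAN)
        elif rest[0] == "host" and len(rest) > 1:
            entries.append(ipaddress.IPv4Network(f"{rest[1]}/32"))
        elif rest[0] == "any":
            entries.append(ipaddress.IPv4Network("0.0.0.0/0"))
        elif len(rest) >= 2:
            entries.append(ipaddress.IPv4Network(f"{rest[0]}/{rest[1]}", strict=False))
    return entries


def egress(policy: str, network_list: List[Entry], client_ip: str, client_mask: str, dest: str) -> str:
    """Return 'tunnel' or 'local' for dest under the given split-tunnel-policy value."""
    local_lan = ipaddress.IPv4Network(f"{client_ip}/{client_mask}", strict=False)
    d = ipaddress.IPv4Address(dest)

    def listed(addr: ipaddress.IPv4Address) -> bool:
        return any(
            (addr in local_lan) if isinstance(e, str) else (addr in e)
            for e in network_list
        )

    if policy == "tunnelall":
        return "tunnel"          # everything goes through the ASA, local LAN included
    if policy == "tunnelspecified":
        return "tunnel" if listed(d) else "local"
    if policy == "excludespecified":
        return "local" if listed(d) else "tunnel"
    raise ValueError(f"unknown split-tunnel-policy: {policy}")


# Constructed config lines mirroring the ACL in the reply above.
ASA_CONFIG = [
    "access-list Local_LAN_Access standard permit host 0.0.0.0",
    "access-list Local_LAN_Access remark VPN-Local-LAN-Access",
]
LOCAL_LAN_ACCESS = parse_standard_acl(ASA_CONFIG, "Local_LAN_Access")

if __name__ == "__main__":
    for policy in ("tunnelall", "excludespecified"):
        for dest in ("192.168.1.20", "10.5.5.5"):
            print(policy, dest, "->", egress(policy, LOCAL_LAN_ACCESS, "192.168.1.50", "255.255.255.0", dest))
```

With "tunnelall" every destination, including the local DHCP/Novell server, is expected to go through the tunnel; only with "excludespecified" plus the Local_LAN_Access list does 192.168.1.20 stay local while 10.5.5.5 is still tunnelled.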
