801 Views, 0 Helpful, 0 Replies

Local LAN Access and client firewall

s.auger
Level 1

I implemented Local LAN access on an ASA running version 9.0(2). Then we added a client firewall under group policies to only allow them print capabilities. Here is the code for both of those features:

access-list Local_LAN_Access standard permit host 0.0.0.0
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list AnyConnect_Client_Local_Print extended deny icmp any any
access-list AnyConnect_Client_Local_Print extended deny ip any any

group-policy Remote-access attributes
   split-tunnel-policy excludespecified
   split-tunnel-network-list value Local_LAN_Access
   webvpn
       anyconnect firewall-rule client-interface public value AnyConnect_Client_Local_Print
       anyconnect profiles value anyconnect type user

My question is: is it possible to implement split tunneling using extended access lists, instead of doing the above in two different places and having to deal with the different behaviour of client firewalls, or lack thereof (i.e. iPad)?

I tried doing it with the following access-list and it did not work. The print job just shows as pending until I disconnect from the AnyConnect client:

access-list test extended permit tcp any4 host 0.0.0.0 eq 9100

Any help would be appreciated...
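Added example (not part of the original post, and not Cisco code): a small Python model of the two enforcement layers the post configures, to show why a port in the split-tunnel list cannot replace the client firewall. It assumes that an exclude-specified split-tunnel list reaches the client as a set of routes, so of an extended ACE only the destination prefix can take effect (protocol, port and source are modelled as discarded; that is this model's premise about ASA behaviour, not something the post states), and that `host 0.0.0.0` in an exclude list stands for the client's own local subnets. The local subnet 192.168.1.0/24 and the flow addresses are constructed sample values; the configuration text is the post's, with remarks trimmed.

```python
import ipaddress
from typing import NamedTuple, Optional

# Constructed sample config: the two ACLs from the post (most remarks trimmed)
# plus the "test" ACL the poster tried to use as a split-tunnel list.
ASA_CONFIG = """
access-list Local_LAN_Access standard permit host 0.0.0.0
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list AnyConnect_Client_Local_Print extended deny icmp any any
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list test extended permit tcp any4 host 0.0.0.0 eq 9100
"""

# Service names used by the sample; ASA accepts a name or a number after "eq".
PORT_NAMES = {"lpd": 515, "netbios-ns": 137}

# Modelling assumption: "host 0.0.0.0" in an exclude list means "the client's local subnets".
LOCAL_LAN_WILDCARD = ipaddress.ip_network("0.0.0.0/32")


class Ace(NamedTuple):
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp" or "icmp"
    dst: ipaddress.IPv4Network  # destination prefix (the source is parsed but not kept)
    dport: Optional[int]        # destination port from "eq", if present


def _addr(toks, i):
    """Parse one ASA address spec at toks[i]; return (network, index after it)."""
    if toks[i] in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}", strict=False), i + 2


def parse_acl(config, name):
    """Return the ACEs of access-list `name` in configuration order (remarks skipped)."""
    aces = []
    for line in config.splitlines():
        toks = line.split()
        if len(toks) < 5 or toks[:2] != ["access-list", name] or toks[2] == "remark":
            continue
        kind, action = toks[2], toks[3]
        if kind == "standard":            # standard permit host X | NET MASK
            dst, _ = _addr(toks, 4)
            aces.append(Ace(action, "ip", dst, None))
            continue
        proto = toks[4]
        _, i = _addr(toks, 5)             # source address: skipped
        dst, i = _addr(toks, i)
        dport = None
        if i + 1 < len(toks) and toks[i] == "eq":
            dport = PORT_NAMES.get(toks[i + 1]) or int(toks[i + 1])
        aces.append(Ace(action, proto, dst, dport))
    return aces


def split_tunnel_excludes(config, name):
    """What an exclude-specified list can carry to the client: destination prefixes only.
    Protocol, port and source of an extended ACE are dropped (modelling assumption)."""
    return {ace.dst for ace in parse_acl(config, name) if ace.action == "permit"}


def bypasses_tunnel(excludes, dst, local_subnet):
    """Route-level decision on the client: does traffic to `dst` stay off the tunnel?"""
    dst = ipaddress.ip_address(dst)
    for net in excludes:
        if net == LOCAL_LAN_WILDCARD:
            if dst in local_subnet:
                return True
        elif dst in net:
            return True
    return False


def client_firewall_allows(aces, proto, dst, dport):
    """Flow-level decision: first matching ACE wins; an unmatched flow is denied."""
    dst = ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto not in ("ip", proto) or dst not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action == "permit"
    return False


def evaluate_local_flow(config, proto, dst, dport, local_subnet="192.168.1.0/24"):
    """Apply both layers to a flow leaving the client's physical (public) interface.
    The client-firewall result is None when the flow is tunnelled, because the
    public-interface rule then does not apply to it."""
    local = ipaddress.ip_network(local_subnet)
    excluded = bypasses_tunnel(split_tunnel_excludes(config, "Local_LAN_Access"), dst, local)
    allowed = client_firewall_allows(
        parse_acl(config, "AnyConnect_Client_Local_Print"), proto, dst, dport)
    return {"bypasses_tunnel": excluded,
            "allowed_by_client_firewall": allowed if excluded else None}


if __name__ == "__main__":
    # The "test" list collapses to the same routes as Local_LAN_Access: the port is lost.
    print(split_tunnel_excludes(ASA_CONFIG, "test"), split_tunnel_excludes(ASA_CONFIG, "Local_LAN_Access"))
    print("print job ", evaluate_local_flow(ASA_CONFIG, "tcp", "192.168.1.50", 9100))
    print("SMB share ", evaluate_local_flow(ASA_CONFIG, "tcp", "192.168.1.60", 445))
    print("corp print", evaluate_local_flow(ASA_CONFIG, "tcp", "10.20.0.5", 9100))
```

Run as a script, the model shows the `test` list reducing to exactly the prefix set of `Local_LAN_Access`; the `eq 9100` qualifier has nowhere to go in a route, which is why the port restriction has to live in the client firewall (and why a platform without a client firewall, as the post notes for the iPad, gets the whole local subnet once it is excluded).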
