I implemented Local LAN access on an ASA running version 9.0(2). Then we added a client firewall under group policies to only allow them print capabilities. Here is the code for both of those features:
access-list Local_LAN_Access standard permit host 0.0.0.0
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list AnyConnect_Client_Local_Print extended deny icmp any any
access-list AnyConnect_Client_Local_Print extended deny ip any any
group-policy Remote-access attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value Local_LAN_Access
 webvpn
  anyconnect firewall-rule client-interface public value AnyConnect_client_Local_Print
  anyconnect profiles value anyconnect type user
My question is, is it possible to implement split tunneling using extended access lists? Instead of doing the above in two different places and having to deal with the different behaviour of client firewalls or lack thereof (i.e. iPad).
I tried doing it with the following access-list and it did not work. The print job just shows as pending until I disconnect from the AnyConnect client:
access-list test extended permit tcp any4 host 0.0.0.0 eq 9100
Any help would be appreciated...
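Added example, not part of the original post and not Cisco's code: a small lint script that reads ASA running-config text, collects every access-list and every group-policy reference to one, and flags two things worth checking before troubleshooting on the box. First, a `split-tunnel-network-list` entry that carries a port qualifier (`eq 9100` and the like): the split-tunnel list decides which destinations go into or around the tunnel, it is not a packet filter, so port-level restriction has to live in the client firewall rule. Second, a `value` reference whose name matches no defined ACL exactly but does match one when letter case is ignored, so the spelling can be verified. The function names, the `SAMPLE_CONFIG` text (constructed from the post, with a second hypothetical policy named `Remote-access-test` bound to the `test` list) and the wording of the findings are the example's own.

```python
"""Lint ASA AnyConnect split-tunnel and client-firewall configuration.

Added example, not Cisco code. It parses access-list lines and the group-policy
sub-commands that reference them, then reports:
  * references to an ACL that is not defined (with a hint when a definition
    differs only in letter case), and
  * port qualifiers (eq/neq/gt/lt/range) inside a split-tunnel-network-list,
    which split tunneling cannot enforce; that belongs in a client firewall rule.
"""
from dataclasses import dataclass

PORT_OPS = {"eq", "neq", "gt", "lt", "range"}


@dataclass
class AclEntry:
    kind: str       # "standard" or "extended"
    action: str     # "permit" or "deny"
    has_port: bool  # True if any port operator appears in the entry
    raw: str        # the original config line


def parse_config(config_text):
    """Return (acls, refs). acls: ACL name -> [AclEntry];
    refs: [(role, group_policy, acl_name)], role is 'split-tunnel' or 'client-firewall'."""
    acls, refs, policy = {}, [], None
    for raw in config_text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "access-list" and len(tokens) >= 4:
            name, kind, action = tokens[1], tokens[2], tokens[3]
            if kind in ("standard", "extended"):   # 'remark' lines carry no rule
                has_port = any(t in PORT_OPS for t in tokens[4:])
                acls.setdefault(name, []).append(AclEntry(kind, action, has_port, raw.strip()))
        elif tokens[0] == "group-policy" and len(tokens) >= 3 and tokens[2] == "attributes":
            policy = tokens[1]                      # following sub-commands belong to this policy
        elif tokens[0] == "split-tunnel-network-list" and "value" in tokens:
            refs.append(("split-tunnel", policy, tokens[tokens.index("value") + 1]))
        elif tokens[:2] == ["anyconnect", "firewall-rule"] and "value" in tokens:
            refs.append(("client-firewall", policy, tokens[tokens.index("value") + 1]))
    return acls, refs


def lint(config_text):
    """Return a list of human-readable findings (an empty list means nothing flagged)."""
    acls, refs = parse_config(config_text)
    by_lower = {name.lower(): name for name in acls}
    findings = []
    for role, policy, name in refs:
        if name not in acls:
            hint = ""
            if name.lower() in by_lower:
                hint = (f"; a definition named {by_lower[name.lower()]!r} exists, "
                        "names differ only in case, verify the exact spelling")
            findings.append(f"{policy}: {role} references undefined ACL {name!r}{hint}")
        elif role == "split-tunnel":
            for entry in acls[name]:
                if entry.has_port:
                    findings.append(
                        f"{policy}: split-tunnel list {name!r} carries a port qualifier "
                        f"that split tunneling cannot enforce, move it to a client firewall rule: {entry.raw}")
    return findings


# Constructed sample modelled on the post: the Local_LAN_Access policy, the
# printing firewall rule (referenced with a lower-case 'client'), and a second,
# hypothetical policy that tries to exclude only TCP/9100 via the split-tunnel list.
SAMPLE_CONFIG = """\
access-list Local_LAN_Access standard permit host 0.0.0.0
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list AnyConnect_Client_Local_Print extended deny icmp any any
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list test extended permit tcp any4 host 0.0.0.0 eq 9100
group-policy Remote-access attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value Local_LAN_Access
 webvpn
  anyconnect firewall-rule client-interface public value AnyConnect_client_Local_Print
group-policy Remote-access-test attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value test
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run it against a saved `show running-config` and work through the findings before touching the ASA. On the constructed sample it reports two items: the firewall-rule reference that differs from the ACL definition only in case, and the `test` split-tunnel list whose `eq 9100` qualifier the exclude list has no way to honour, which is the same split of duties as in the working configuration above: the standard ACL with `host 0.0.0.0` selects the local LAN destinations, and the client firewall ACL restricts what may reach them.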