Local LAN access with split tunnel

Arun2022
Level 1

Hi Team,

We have an AnyConnect remote access solution on an ASA headend with Split tunneling enabled.

We've got tunnelspecified enabled with RFC 1918 permitted over AnyConnect. How do I go about enabling local LAN access?

Configuration snippet:
Group-policy:

split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel-value

access-list split-tunnel-value standard permit 10.0.0.0 255.0.0.0
access-list split-tunnel-value standard permit 172.16.0.0 255.240.0.0
access-list split-tunnel-value standard permit 192.168.0.0 255.255.0.0

4 Replies

Hello

You mean a user connected to the VPN being able to use the local network?

You need to deny the local network on the tunnel.

We've got thousands of AnyConnect users in the environment. It's not possible to deny each and every local network. Any one of them would want to access their local LAN. I still need RFC 1918 sent over the tunnel and still be able to access the local LAN. Any thoughts?

"It's not possible to deny each and every local network. Any one of them would want to access their local LAN. "

That's the whole idea of split tunnel. If you cannot do that, you actually don't need split tunnel; just send a default router to the user through the VPN and done.

If you use split tunnel, this means you want/can split the traffic.

Friend, you use split tunnel, so any traffic that does not match the split does not pass through the tunnel; this includes local.

What exactly do you face?
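
The overlap at the centre of this thread, as an added example that is not part of any post: it takes the three split-tunnel-value entries from the question and reports which client local subnets fall inside them, meaning a local printer or NAS address would also match the tunnel list. The client names and subnets are constructed, and the check models only the ACL match, not AnyConnect's own route handling.

```python
import ipaddress

# Split-include entries copied from the question's access-list (network, mask).
SPLIT_TUNNEL_ACL = [
    ("10.0.0.0", "255.0.0.0"),
    ("172.16.0.0", "255.240.0.0"),
    ("192.168.0.0", "255.255.0.0"),
]
SPLIT_INCLUDE = [ipaddress.ip_network(f"{n}/{m}") for n, m in SPLIT_TUNNEL_ACL]


def matches_split_include(destination):
    """Return the ACL entry that covers a destination address, or None."""
    addr = ipaddress.ip_address(destination)
    for net in SPLIT_INCLUDE:
        if addr in net:
            return net
    return None


def local_lan_overlap(local_subnet):
    """Return the split-include entries that overlap a client's local subnet."""
    lan = ipaddress.ip_network(local_subnet, strict=False)
    return [net for net in SPLIT_INCLUDE if net.overlaps(lan)]


def audit(clients):
    """Map each client name to ('overlap', [entries]) or ('clear', [])."""
    report = {}
    for name, subnet in clients.items():
        hits = [str(net) for net in local_lan_overlap(subnet)]
        report[name] = ("overlap", hits) if hits else ("clear", [])
    return report


# Constructed sample clients (hypothetical names and addresses).
SAMPLE_CLIENTS = {
    "home-router-default": "192.168.1.37/24",
    "hotel-wifi": "10.20.0.5/16",
    "cgnat-hotspot": "100.64.12.9/24",
    "edge-of-172": "172.32.0.10/24",  # just outside 172.16.0.0/12
}

if __name__ == "__main__":
    for name, (status, nets) in audit(SAMPLE_CLIENTS).items():
        print(f"{name:22} {status:8} {', '.join(nets)}")
    print(matches_split_include("192.168.1.10"), matches_split_include("8.8.8.8"))
```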