Split tunneling problem with Anyconnect

cco1
Level 1

Hello,

We've got a problem with split tunneling and AnyConnect clients. Basically, our policy for remote access users is as follows: local LAN traffic should be allowed directly (e.g. local printing); everything else should go through the tunnel. This works pretty well with the Cisco IPsec VPN Client.

In contrast, it doesn't work when using AnyConnect clients. I can't use the exclude parameter, so my only option would be to define an ACE that tunnels traffic for specific networks.

Our problem now is that we can't tell the ASA to tunnel traffic only for network A or B. The ASA should tunnel all traffic EXCEPT local LAN access. Is it possible to give the ASA this policy for AnyConnect connections like we did in the IPsec group policy?

Our IPsec group policy settings:

    ...
    split-tunnel-policy excludespecified
    split-tunnel-network-list value Local_LAN_Access
    ...
    access-list Local_LAN_Access standard permit host 0.0.0.0

The documentation says that we cannot use this "excludespecified" parameter for SSL connections, only for IPsec connections.

Any suggestions are appreciated!

Regards,

Marco

1 Reply

Todd Pula
Level 7

The above configuration should work for AnyConnect. The only caveat with AnyConnect is that, starting with 2.3, local LAN access is disabled by default. You can enable it manually by clicking on the "preferences" button next to the "connect to" box or via XML profile. Once enabled and connected, you should see two route panels on the route details tab, one for non-secured and one for secured routes. Please verify that you have tested the above. If you are still having issues, I can try mocking it up in my lab.
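For reference, the XML profile setting the reply mentions looks like the following. This is an added example for this page and not configuration posted by either participant; the host name vpn.example.com and the profile skeleton around the setting are assumptions, and only the LocalLanAccess element is the part that matters here. The ASA group policy itself stays as the original poster already has it (split-tunnel-policy excludespecified with an ACL permitting host 0.0.0.0); the client profile only unlocks the local LAN preference on the AnyConnect side.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example AnyConnect client profile, not from the original thread.
     Only LocalLanAccess is the setting under discussion; the ServerList
     entry and host name are assumed placeholders. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <!-- Default since AnyConnect 2.3 is "false", i.e. the local LAN is
         tunnelled like everything else and the split-exclude for
         0.0.0.0 on the ASA has no visible effect on the client.
         UserControllable="true" additionally exposes the checkbox under
         the client's Preferences, so users can switch it off themselves. -->
    <LocalLanAccess UserControllable="true">true</LocalLanAccess>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <!-- Assumed placeholder; replace with the real headend. -->
      <HostName>vpn.example.com</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

After the profile is attached to the group policy and pushed to the client, the "Route Details" tab should list the local subnet under the non-secured routes, which is the quickest way to confirm that the ASA's 0.0.0.0 split-exclude and the client-side setting are both in effect. Keep in mind that allowing local LAN access means the endpoint is reachable from (and can reach) whatever network it happens to sit on while connected, so it weakens the full-tunnel posture that the "tunnel everything" policy is otherwise meant to enforce; setting UserControllable to "false" is the stricter choice if users should not be able to change it.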
