Local LAN Access and client firewall

I implemented Local LAN access on an ASA running version 9.0(2). Then we added a client firewall under group policies to only allow them print capabilities. Here is the code for both of those features:

access-list Local_LAN_Access standard permit host 0.0.0.0
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list AnyConnect_Client_Local_Print extended deny icmp any any
access-list AnyConnect_Client_Local_Print extended deny ip any any

group-policy Remote-access attributes
   split-tunnel-policy excludespecified
   split-tunnel-network-list value Local_LAN_Access
   webvpn
       anyconnect firewall-rule client-interface public value AnyConnect_Client_Local_Print
       anyconnect profiles value anyconnect type user

My question is, is it possible to implement split tunneling using extended access lists, instead of doing the above in two different places and having to deal with the different behaviour of client firewalls, or lack thereof (i.e. iPad)?

I tried doing it with the following access-list and it did not work. The print job just shows as pending until I disconnect from the AnyConnect client:

access-list test extended permit tcp any4 host 0.0.0.0 eq 9100

Any help would be appreciated...
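Added example (not part of the original post or of Cisco's own tooling): a small Python model of how the posted client-firewall ACL is evaluated, first matching ACE wins and unmatched traffic falls to the implicit deny, so you can check which local printing flows the rule set actually allows before relying on the client firewall. It covers only the client-firewall stage, not the split-tunnel decision; the ASA keyword-to-port mapping and the sample source address are assumptions.

```python
import ipaddress
PORT_NAMES = {"lpd": 515, "netbios-ns": 137}  # ASA port keywords used in the post (assumed map)

# Constructed copy of the client-firewall ACL from the post (one remark kept to show it is skipped).
ACL = """
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list AnyConnect_Client_Local_Print extended deny icmp any any
access-list AnyConnect_Client_Local_Print extended deny ip any any
"""

def parse_addr(tokens):
    """Consume one ACE address spec; return (network, remaining tokens)."""
    if tokens[0] in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]  # "addr mask" form

def parse_acl(text):
    """Turn extended ACEs into (action, proto, src, dst, dport) tuples; remarks are skipped."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[2] == "remark":
            continue
        src, rest = parse_addr(t[5:])
        dst, rest = parse_addr(rest)
        dport = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
        rules.append((t[3], t[4], src, dst, dport))
    return rules

def evaluate(rules, proto, dst_ip, dport=None, src_ip="192.168.1.10"):
    """First matching ACE wins; anything unmatched hits the implicit deny.
    src_ip is an assumed local address of the AnyConnect host."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, rproto, src, dst, rport in rules:
        if rproto not in ("ip", proto) or s not in src or d not in dst:
            continue
        if rport is not None and rport != dport:
            continue
        return action
    return "deny"
```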
