ASA - SSL VPN and local lan access

stuart.lunn
Level 1

Please can someone let me know how (if it's possible) to enable 'local LAN access' when using the Cisco SSL VPN client?

I have configured split tunneling to select to which ip destinations traffic will be encrypted, but I cannot see how to enable local LAN access.

Many thanks!

12 Replies

irisrios
Level 6

To enable this feature, check Allow Local LAN Access; to disable it, clear the check mark from the box. If the local LAN you are using is not secure, you should disable this feature. You can access up to 10 networks when this feature is enabled. When local LAN access is enabled and you are connected to a central site, all traffic from your system goes through the IPSec tunnel except traffic to the networks excluded from doing so.

Thanks Irisrios,

I'm presuming that your description is for the standard Cisco VPN client, whereas I'm trying to enable the feature whilst using the SSL VPN client. Am I missing something?

Thanks,

Stuart


I am having the same problem. In the SVC client there is no option to allow Local LAN access like there is in the full IPSec client.

Is something missing here or is there some secret way to allow local LAN access via the SSL VPN client?

Thanks,

Jason

Unfortunately there is no checkbox to allow local LAN access via the SSL VPN client. The only way I found to enable this is to do the following:

GUI

1.) Set "Split Tunnel Policy = Exclude Network List Below"

2.) Create an ACL to exclude the known local LAN (e.g. 192.168.0.0/16)

3.) Set "Split Tunnel Network =

CLI

group-policy attributes

split-tunnel-policy excludespecified

split-tunnel-network-list value LOCAL_LAN

access-list LOCAL_LAN remark Allow Local LAN Access

access-list LOCAL_LAN standard permit 192.168.0.0 255.255.0.0

The next time you login the SSL-VPN Client will prompt you if you want to allow local LAN access. The only downside is that you have to know the local LAN and it might overlap with the networks you advertise over the SSL Tunnel.

Regards,

-Markus
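The following is an added, complete ASA configuration that ties the steps above together; it is not from the original post. The object names (SSLVPN_GP, SSLVPN_TG, SSLVPN_POOL) and the address-pool range are assumptions chosen for illustration, and the pool is deliberately placed on a subnet that does not overlap the excluded local LAN. The exclusion ACL is a standard ACL because excludespecified matches on destination only.

```cisco
! Added example, not the original poster's config. Names are hypothetical.
!
! Address pool for SVC clients. Kept on 10.10.10.0/24 so it cannot collide
! with the 192.168.0.0/16 range that is excluded from the tunnel below.
ip local pool SSLVPN_POOL 10.10.10.1-10.10.10.50 mask 255.255.255.0
!
! Standard ACL listing destinations that must NOT go through the tunnel.
! Option A (what Markus uses): the known local LAN range.
access-list LOCAL_LAN remark Allow Local LAN Access
access-list LOCAL_LAN standard permit 192.168.0.0 255.255.0.0
!
! Option B (what Matt suggests): the 0.0.0.0 255.255.255.255 wildcard that
! the client interprets as "my local subnet". Uncomment instead of Option A
! if it works with your SVC version; this thread reports mixed results.
! access-list LOCAL_LAN standard permit 0.0.0.0 255.255.255.255
!
! Group policy: exclude the listed networks, tunnel everything else.
group-policy SSLVPN_GP internal
group-policy SSLVPN_GP attributes
 vpn-tunnel-protocol webvpn
 split-tunnel-policy excludespecified
 split-tunnel-network-list value LOCAL_LAN
!
! Tunnel group that SVC users land in; bind the pool and the group policy.
tunnel-group SSLVPN_TG type webvpn
tunnel-group SSLVPN_TG general-attributes
 address-pool SSLVPN_POOL
 default-group-policy SSLVPN_GP
```

After applying it, confirm the policy is actually attached to the group your users hit with `show run group-policy SSLVPN_GP` and check an active session with `show vpn-sessiondb svc`. Keep in mind the security trade-off already noted in this thread: with excludespecified, anything reachable on the excluded range bypasses the tunnel and the ASA's inspection, so the exclusion should be as narrow as possible and should not overlap any network advertised through the tunnel.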

You should be able to specify the local LAN without knowing it. Instead of permitting 192.168.0.0 255.255.0.0, try permitting

0.0.0.0 255.255.255.255

in your ACL. The client will interpret this to mean the local LAN. This document shows how to do it with the IPSec Client on the PIX:

http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_example09186a0080702992.shtml

Thanks,

Matt

ACL 0.0.0.0 255.255.255.255 for local LAN works only for the Cisco VPN Client not for the SSL Client. If you try it you will get an error message when the client tries to update the Windows route table.

Regards,

-Markus

Actually, I got Local LAN Access to work today on one machine. I tried connecting it to both an ASA running 7.2 and a VPN3k running 4.7 using excludespecified and an ACL of 0.0.0.0 255.255.255.255 (all 0s on the 3k).

That said, it failed to work and gave me an error on three other machines that I tried it on. The error said that the client was unable to successfully verify changes made to the routing table. After giving the error, the connection just fails.

All 4 machines are running WinXP SP2, but were not necessarily built from the same image. I haven't had a chance to isolate the cause, but I'm assuming it's something installed/configured on the 3 failing machines.

I would encourage anyone who wants Local LAN Access with the SVC to give it a shot. Maybe it will work for you.

I had the same issue with the local LAN access. I made a new address pool on a new subnet and it fixed the issue.

As long as the FW is your default gateway from the inside the FW will take care of the routing.

Just add the local LAN to the split tunnel list.

It worked for me so hopefully it will help you guys.

It turns out that this error occurs when the client machine has two network adapters and one does not have an IP address. Bug CSCsg03979 has been opened on the issue. If you are a registered customer with a valid service contract, you can view the details of the bug in the Bug Toolkit, accessible from this page:

http://www.cisco.com/kobayashi/support/tac/tools.shtml

Thanks,

Matt


elharchi
Level 1

Please can someone let me know if "Local LAN access" works with PIX 6.3?

Thanks