Please can someone let me know how (if it?s possible) to enable 'local LAN access' when using the Cisco SSL VPN client?
I have configured split tunneling to select to which ip destinations traffic will be encrypted, but I cannot see how to enable local LAN access.
To enable this feature, check Allow Local LAN Access ; to disable it, clear the check mark from the box. If the local LAN you are using is not secure, you should disable this feature.You can access up to 10 networks when this feature is enabled. When local
LAN access is enabled and you are connected to a central site, all traffic from your system goes through the IPSec tunnel except traffic to the networks excluded from doing so.
I'm presuming that your discription is for the standard Cisco VPN client, where as I'm trying to enable the feature whilst using the SSL VPN client, am I missing something?
I am having the same problem. In the SVC client there is no option to allow Local LAN access like there is in the full IPSec client.
Is something missing here or is there some secret way to allow local LAN access via the SSL VPN client?
Unfortunately there is no checkbox to allow local LAN access via the SSL VPN client. The only way I found to enable this is to do the following:
1.) Set "Split Tunnel Policy = Exclude Network List Below"
2.) Create an ACL to exclude the known local LAN (e.g. 192.168.0.0/16)
3.) Set "Split Tunnel Network =
split-tunnel-network-list value LOCAL_LAN
access-list LOCAL_LAN remark Allow Local LAN Access
access-list LOCAL_LAN standard permit 192.168.0.0 255.255.0.0
The next time you login the SSL-VPN Client will prompt you if you want to allow local LAN access. The only downside is that you have to know the local LAN and it might overlap with the networks you advertise over the SSL Tunnel.
You should be able to specify the local LAN without knowing it. Instead of permitting 192.168.0.0 255.255.255.0.0, try permitting
in your ACL. The client will interpret this to mean the local LAN. This document shows how to do it with the IPSec Client on the PIX:
ACL 0.0.0.0 255.255.255.255 for local LAN works only for the Cisco VPN Client not for the SSL Client. If you try it you will get an error message when the client tries to update the Windows route table.
Actually, I got Local LAN Access to work today on one machine. I tried connecting it to both an ASA running 7.2 and a VPN3k running 4.7 using excludespecified and an ACL of 0.0.0.0 255.255.255.255 (all 0s on the 3k).
That said, it failed to work and gave me an error on three other machines that I tried it on. The error said that the client was unable to successfully verify changes made to the routing table. After giving the error, the connection just fails.
All 4 machines are running WinXP SP2, but were not necessarily built from the same image. I haven't had a chance to isolate the cause, but I'm assuming it's something installed/configured on the 3 failing machines.
I would encourage anyone who wants Local LAN Access with the SVC to give it a shot. Maybe it will work for you.
I had the same issue with the Local lan access. I made a new Address pool on a new subnet and it fixed the issue.
As long as the FW is your default gateway from the inside the FW will take care of the routing.
Just add the local lan to the split tunnel list.
It worked for me so hopefully it will help you guys.
It turns out that this error occurs when the client machine has two network adapters and one does not have an IP address. Bug CSCsg03979 has been opened on the issue. If you are a registered customer with a valid service contract, you can view the details of the bug in the Bug Toolkit, accessible from this page: