Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6628
Views
10
Helpful
2
Replies

Cisco AnyConnect 4.5.02036 - Local Printers

MatteoS
Level 1
Level 1

‎01-12-2018 12:40 AM - edited ‎03-12-2019 04:54 AM

Dear support members,

company rules forbid split tunneling but at the same time has a strong need to have the remote users able to print via their own printer at the local network, all of the users are on Cisco AnyConnect 4.5.02036 and obviously printers model could be any and local network subnet could be any and outside control of the company.

 

How I can accomplish it without using split tunneling, local lan access does not address it.

 

Best regards

 

M

Labels:
0 Helpful
2 Replies 2

mladachwi07
Level 1
Level 1

‎05-19-2018 09:26 AM

We have been using AnyConnect with the local printing feature for over a year.  We have a similar situation where all traffic from remote users is required to be passed through our headquarters WAN, and not the user's local ISP.  That created a major issue because our teleworkers could no longer print to anything except corporate printers on the corporate LAN while using AnyConnect.

 

The policy of "Tunnel All Networks" does not allow any interaction with the remote user's LAN.  It acts as if the AnyConnect client is directly on the corporate LAN.  The use of split-tunneling is required to allow the user's to print.  The "split-tunnel" combined with the proper ACL's will restrict the user's local LAN access to only printing protocols -- nothing else, so no ICMP, RDP, or file sharing will be reachable to the AnyConnect client on the user's LAN.

 

Two ACL's will need to be in place before configuring the AnyConnect Group Policy.  The first one identifies traffic for the user's local LAN:

 

! Access-List to allow the remote user's local traffic to be recognized by the Split-Tunnel
access-list Local_LAN standard permit host 0.0.0.0

 

This is basically an "allow any host", or 0.0.0.0/32.  This ACL will permit AnyConnect to recognize the network of the user's local LAN.

 

The second ACL may already be present on the device by default.  If not, it can be created.  This ACL identifies the protocols for printing to be allowed through from AnyConnect to the user's LAN:

 

! ASA default ACL to allow Local Printing

access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns

 

Now that the ACL's are in place, the Group Policy of the AnyConnect Profile will need to be updated.  In ASDM, edit the Group Policy:

 

Advanced->Split Tunneling -- change the Policy to "Exclude Network List Below"

Then, change the Network List to "Local_LAN"

 

Advanced->AnyConnect Client->Client Firewall -- uncheck the box next to the Public Network Rule

Using the dropdown, select the "AnyConnect_Client_Local_Print" ACL.

(NOTE: The Cisco documentation says to select the "Private" rule -- that is not correct, and will not work!)

 

This will push down a set of Client-side firewall rules that allow access to the printers.  These rules can be seen on the Firewall tab by clicking on the gear in the lower left corner of the AnyConnect window.

 

(NOTE: There is a major flaw in Kaspersky 2017/2018 that will not allow AnyConnect to pass on the client-side firewall rules.  Kaspersky's solution is to disable their "Self Defense" feature.)

 

You can find the Cisco documentation in the ASDM Book 3 VPN Configuration Guide, right around page 75 of the PDF.  That will explain the steps above -- just keep in mind this is a "Public" rule and not "private".

 

Also be aware that configuring "split-tunnelling" could be a sore spot with a CSO or CIO.  But... once they cannot print from home their opinions will change!

 

Hope this helps.

MatteoS
Level 1
Level 1
In response to mladachwi07

‎08-02-2018 12:50 AM

Thank you very much mladachwi07, very helpful, now I have to face the CSO & CIO wound...
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents