Cisco Support Community

New Member

How does Anyconnect VPN Client change/affect local windows routing table?

Hello,

I have this problem:

Before connecting with Cisco Anyconnect VPN, the "route print" command on Windows XP doesn't show any special static route entry.

After connecting with Anyconnect, I can see a static route pointing to my DHCP & Novell Server (internal network interface, nothing to do with VPN). That means that, after being connected, I cannot access this server anymore, as packets are routed directly on the internal network.

This way, I have something like an unwanted "Split Tunnel" situation, even though in the ASA config, in the group policy, I say to "tunnel all networks".

When I try to manually remove the static windows route, the process "vpnagent" recreates it directly afterwards.

Does anyone know how the route table modification process of Cisco Anyconnect works?

Thanks,

Best Regards

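As an added diagnostic for the before/after "route print" comparison described in the question (example code, not from the thread): it parses two constructed Windows XP route tables and lists the routes that appeared during the session yet do not use the VPN adapter, which is exactly the "unwanted split tunnel" symptom. The LAN addresses, the VPN adapter address 10.20.0.7 and the stand-in ASA public address 203.0.113.10 are constructed assumptions.

```python
import re
from typing import FrozenSet, List, Set, Tuple

# One IPv4 line of the "Active Routes" table: destination, netmask, gateway, interface, metric.
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
ROUTE_RE = re.compile(rf"^\s*{IP}\s+{IP}\s+{IP}\s+{IP}\s+(\d+)\s*$")
Route = Tuple[str, str, str, str, str]

# Constructed "route print" output BEFORE the AnyConnect session.
# 192.168.10.5 is the LAN NIC, 192.168.10.1 its default gateway.
BEFORE = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.10.1    192.168.10.5      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
     192.168.10.0    255.255.255.0     192.168.10.5    192.168.10.5      20
     192.168.10.5  255.255.255.255        127.0.0.1       127.0.0.1      20
Default Gateway:      192.168.10.1
"""

# Constructed output AFTER connecting with "tunnel all networks". 10.20.0.7 is the
# address the VPN adapter received; 203.0.113.10 stands in for the ASA's public address.
AFTER = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.10.1    192.168.10.5      20
          0.0.0.0          0.0.0.0        10.20.0.7       10.20.0.7       1
        10.20.0.0    255.255.255.0        10.20.0.7       10.20.0.7       1
        10.20.0.7  255.255.255.255        127.0.0.1       127.0.0.1       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
     192.168.10.0    255.255.255.0     192.168.10.5    192.168.10.5      20
     192.168.10.5  255.255.255.255        127.0.0.1       127.0.0.1      20
    192.168.10.20  255.255.255.255     192.168.10.5    192.168.10.5       1
     203.0.113.10  255.255.255.255     192.168.10.1    192.168.10.5       1
Default Gateway:      10.20.0.7
"""

def parse_routes(text: str) -> Set[Route]:
    """Extract every IPv4 route from a 'route print' dump; the header and the
    'Default Gateway' line do not match the five-column pattern and are skipped."""
    return {m.groups() for m in map(ROUTE_RE.match, text.splitlines()) if m}

def bypass_routes(before: str, after: str, vpn_iface: str,
                  expected: FrozenSet[str] = frozenset()) -> List[Route]:
    """Routes that appeared during the session and send traffic around the tunnel.

    With 'tunnel all networks' only the route to the VPN headend itself (pass its
    address in 'expected') legitimately uses the physical interface. Loopback
    entries (Windows adds one per local address) never leave the host, so they are ignored."""
    added = parse_routes(after) - parse_routes(before)
    return sorted(r for r in added
                  if r[3] != vpn_iface and r[3] != "127.0.0.1" and r[0] not in expected)

if __name__ == "__main__":
    for dest, mask, gw, iface, metric in bypass_routes(BEFORE, AFTER, "10.20.0.7", frozenset({"203.0.113.10"})):
        print(f"bypasses tunnel: {dest}/{mask} via {gw} on {iface} (metric {metric})")
```

Run it with real `route print` captures taken before and after connecting to see which host routes the client added on the physical interface.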
2 REPLIES
New Member

Re: How does Anyconnect VPN Client change/affect local windows routing table?

Hi Manuel,

We have this exact same issue! But to make matters worse, this server is also our DNS server, so when we see this problem we're pretty stuck.

Funny thing is: it's not all PCs having this problem!

Have you heard anything since you created this post?

/Rasmus

Cisco Employee

Re: How does Anyconnect VPN Client change/affect local windows routing table?

Hi Manuel,

If you use "Full Tunneling", Local LAN access is blocked unless specifically configured/allowed in the AnyConnect profile.

See below:

"Local LAN Access—Allows the user complete access to the local LAN connected to the remote computer during the VPN session to the ASA".

http://www.cisco.com/en/US/partner/docs/security/vpn_client/anyconnect/anyconnect25/administration/guide/ac03features.html

The ASA config will look something like below:

1) This ACL will configure the AnyConnect client to exclude the network the client is "on", without having to define the actual network.

   5540-1(config)# show runn access-list Local_LAN_Access
   access-list Local_LAN_Access standard permit host 0.0.0.0
   access-list Local_LAN_Access remark VPN-Local-LAN-Access

2) Apply the access-list to the group-policy:

   split-tunnel-policy excludespecified
   split-tunnel-network-list value Local_LAN_Access

Thanks,

Naman
