we've got a problem with split tunneling and AnyConnect clients. Basically, our policy for remote access users is as follows: local LAN traffic should be allowed directly (e.g. local printing), everything else should go through the tunnel. This works pretty fine with the Cisco IPsec VPN Client.
In contrast to that, it doesn't work while using AnyConnect clients. I can't use the exclude parameter, so my only chance would be to define an ACE that tunnels traffic for specific networks.
Our problem now is that we can't tell the ASA to tunnel traffic only for network A or B. The ASA should tunnel the entire traffic EXCEPT local LAN access. Is it possible to tell the ASA this policy for AnyConnect connections like we did on the IPsec group policy?
Our IPsec Group Policy settings:
split-tunnel-network-list value Local_LAN_Access
access-list Local_LAN_Access standard permit host 0.0.0.0
The documentation says that we cannot use this "excludespecified" parameter for SSL connections, only for IPsec connections.
The above configuration should work for AnyConnect. The only caveat with AnyConnect is that starting with 2.3 and later, local LAN access is disabled by default. You can enable it manually by clicking on the "preferences" button next to the "connect to" box or via XML profile. Once enabled and connected, you should see two route panels on the route details tab, one for non-secured and one for secured routes. Please verify that you have tested the above. If you are still having issues, I can try mocking it up in my lab.
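As an added illustration of the XML-profile route mentioned in the reply above (this is a constructed example, not the poster's or Cisco's own file), the relevant element is LocalLanAccess in the client profile; the ASA side keeps the group policy shown in the question (split-tunnel-policy excludespecified with the Local_LAN_Access list permitting host 0.0.0.0). The HostName and HostAddress values are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example: a minimal AnyConnect client profile.
     Only LocalLanAccess matters for this thread; ServerList is a placeholder. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <!-- Default (2.3 and later): local LAN access is off, so the client does not
         honour the excludespecified 0.0.0.0 entry and everything goes into the tunnel:
         <LocalLanAccess UserControllable="true">false</LocalLanAccess> -->

    <!-- Enable it. UserControllable="true" lets the user toggle the Preferences
         checkbox; set it to "false" to lock the value from the profile. -->
    <LocalLanAccess UserControllable="true">true</LocalLanAccess>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <!-- placeholder label and address; replace with your ASA -->
      <HostName>Corporate VPN</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

After connecting, the Route Details tab should list the local subnet under non-secured routes and 0.0.0.0/0 under secured routes; if the non-secured panel is empty, the profile was not pushed or the checkbox is still off.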
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we also have defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...