30-04-2021



By adding ASAs and configuring VPN load balancing on each of them, the AnyConnect client is automatically directed to the ASA with the lightest load. VPN load balancing is a configuration dedicated to remote-access VPN; a load-balancing cluster can contain 2 to 10 ASAs, and the members do not all have to be the same model. Clientless SSL VPN remote access has its pluses and minuses. I've found it to be more complicated to set up and customize than remote access using the VPN client.

Introduction


This document describes how to allow the Cisco VPN Client or the Cisco AnyConnect Secure Mobility Client to access its local LAN while tunneled into a Cisco Adaptive Security Appliance (ASA) 5500 Series or ASA 5500-X Series. This configuration gives Cisco VPN Clients or the Cisco AnyConnect Secure Mobility Client secure access to corporate resources via IPsec, Secure Sockets Layer (SSL), or Internet Key Exchange Version 2 (IKEv2) and still lets the client carry out activities such as printing on the network where it is physically located. Traffic destined for the Internet is still tunneled to the ASA, and reaches the Internet only if the ASA permits it.

Note: This is not a configuration for split tunneling, where the client has unencrypted access to the Internet while connected to the ASA or PIX. Refer to PIX/ASA 7.x: Allow Split Tunneling for VPN Clients on the ASA Configuration Example for information on how to configure split tunneling on the ASA.

Prerequisites

Requirements

This document assumes that a functional remote access VPN configuration already exists on the ASA.

Refer to PIX/ASA 7.x as a Remote VPN Server using ASDM Configuration Example for the Cisco VPN Client if one is not already configured.

Refer to ASA 8.x VPN Access with the AnyConnect SSL VPN Client Configuration Example for the Cisco AnyConnect Secure Mobility Client if one is not already configured.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco ASA 5500 Series Version 9.2(1)
  • Cisco Adaptive Security Device Manager (ASDM) Version 7.1(6)
  • Cisco VPN Client Version 5.0.07.0440
  • Cisco AnyConnect Secure Mobility Client Version 3.1.05152

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Network Diagram

The client is located on a typical Small Office / Home Office (SOHO) network and connects across the Internet to the main office.

Background Information

Unlike a classic split tunneling scenario in which all Internet traffic is sent unencrypted, when you enable local LAN access for VPN clients, it permits those clients to communicate unencrypted with only devices on the network on which they are located. For example, a client that is allowed local LAN access while connected to the ASA from home is able to print to its own printer but not to access the Internet without first sending the traffic over the tunnel.


An access list is used in order to allow local LAN access in much the same way that split tunneling is configured on the ASA. However, instead of defining which networks should be encrypted, the access list in this case defines which networks should not be encrypted. Also, unlike the split tunneling scenario, the actual networks in the list do not need to be known. Instead, the ASA supplies a default network of 0.0.0.0/255.255.255.255, which is understood to mean the local LAN of the client.


Note: When the client is connected and configured for local LAN access, you cannot print or browse by name on the local LAN. However, you can browse or print by IP address. See the Troubleshoot section of this document for more information as well as workarounds for this situation.

Configure Local LAN Access for VPN Clients or the AnyConnect Secure Mobility Client

Complete these tasks in order to allow Cisco VPN Clients or Cisco AnyConnect Secure Mobility Clients access to their local LAN while connected to the ASA:

  • Configure the ASA via the ASDM or Configure the ASA via the CLI

Configure the ASA via the ASDM

Complete these steps in the ASDM in order to allow VPN Clients to have local LAN access while connected to the ASA:

  1. Choose Configuration > Remote Access VPN > Network (Client) Access > Group Policy and select the Group Policy in which you wish to enable local LAN access. Then click Edit.
  2. Go to Advanced > Split Tunneling.
  3. Uncheck the Inherit box for Policy and choose Exclude Network List Below.
  4. Uncheck the Inherit box for Network List and then click Manage in order to launch the Access Control List (ACL) Manager.
  5. Within the ACL Manager, choose Add > Add ACL... in order to create a new access list.
  6. Provide a name for the ACL and click OK.
  7. Once the ACL is created, choose Add > Add ACE... in order to add an Access Control Entry (ACE).
  8. Define the ACE that corresponds to the local LAN of the client.
    1. Choose Permit.
    2. Choose an IP Address of 0.0.0.0
    3. Choose a Netmask of /32.
    4. (Optional) Provide a description.
    5. Click OK.

  9. Click OK in order to exit the ACL Manager.
  10. Be sure that the ACL you just created is selected for the Split Tunnel Network List.
  11. Click OK in order to return to the Group Policy configuration.
  12. Click Apply and then Send (if required) in order to send the commands to the ASA.

Configure the ASA via the CLI

Rather than use the ASDM, you can complete these steps in the ASA CLI in order to allow VPN Clients to have local LAN access while connected to the ASA:

  1. Enter configuration mode.
  2. Create the access list in order to allow local LAN access.

    Caution: Because of changes in the ACL syntax between ASA software versions 8.x and 9.x, some 9.x releases do not accept this ACL, and admins see this error message when they try to configure it:
    rtpvpnoutbound6(config)# access-list test standard permit host 0.0.0.0
    ERROR: invalid IP address
    The only thing those releases accept is:
    rtpvpnoutbound6(config)# access-list test standard permit any4
    This is not a substitute: only the single host 0.0.0.0 is interpreted by the client as "the local LAN", whereas any4 matches every IPv4 destination. The problem is a known issue tracked by Cisco bug ID CSCut3131. Upgrade to a version with the fix for this bug in order to be able to configure local LAN access.

  3. Enter the Group Policy configuration mode for the policy that you wish to modify.
  4. Specify the split tunnel policy. In this case, the policy is excludespecified.
  5. Specify the split tunnel access list. In this case, the list is Local_LAN_Access.
  6. Enter the general-attributes configuration mode of the tunnel group that the clients connect to.
  7. Associate the group policy with the tunnel group by making it the default group policy.
  8. Exit the two configuration modes.
  9. Save the configuration to non-volatile RAM (NVRAM) and press Enter when prompted to specify the source filename.
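The CLI steps above in one sequence, added here as a worked example (it is not output from the original page). The access-list name Local_LAN_Access is the one the page uses; the group-policy name RA_LocalLAN_GP and the tunnel-group name RA_LocalLAN_TG are assumed for illustration and should be replaced with the names of the existing remote-access configuration.

```cisco
! Added example: local LAN access via split-exclude of the 0.0.0.0/32 sentinel.
! RA_LocalLAN_GP and RA_LocalLAN_TG are assumed names, not from the original page.
ciscoasa> enable
ciscoasa# configure terminal

! Step 2: the exclude list. The single host 0.0.0.0 is not a real network; the client
! interprets it as "whatever network the client is physically attached to".
ciscoasa(config)# access-list Local_LAN_Access remark VPN Client Local LAN Access
ciscoasa(config)# access-list Local_LAN_Access standard permit host 0.0.0.0

! Steps 3-5: bind the exclude policy and the list to the group policy.
ciscoasa(config)# group-policy RA_LocalLAN_GP attributes
ciscoasa(config-group-policy)# split-tunnel-policy excludespecified
ciscoasa(config-group-policy)# split-tunnel-network-list value Local_LAN_Access
ciscoasa(config-group-policy)# exit

! Steps 6-7: make that group policy the default for the tunnel group the clients use.
ciscoasa(config)# tunnel-group RA_LocalLAN_TG general-attributes
ciscoasa(config-tunnel-general)# default-group-policy RA_LocalLAN_GP
ciscoasa(config-tunnel-general)# exit

! Steps 8-9: leave configuration mode and persist to NVRAM.
ciscoasa(config)# exit
ciscoasa# copy running-config startup-config

! Checks: the ACL must contain exactly one entry (host 0.0.0.0) and the group policy
! must show excludespecified with this list. "ERROR: invalid IP address" on the
! access-list line means the build has the 9.x ACL-syntax problem from the Caution
! above; upgrade rather than substituting "permit any4".
ciscoasa# show running-config access-list Local_LAN_Access
ciscoasa# show running-config group-policy RA_LocalLAN_GP
```

Keep the exclude list to this single sentinel entry. Any additional network you add to it is likewise sent in the clear from the client, so the list is effectively a statement of what may bypass the tunnel.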

Configure the Cisco AnyConnect Secure Mobility Client

In order to configure the Cisco AnyConnect Secure Mobility Client, refer to the Establish the SSL VPN Connection with SVC section of ASA 8.x : Allow Split Tunneling for AnyConnect VPN Client on the ASA Configuration Example.

Split-exclude tunneling requires that local LAN access be enabled in the AnyConnect client. The client treats every split-exclude network as local LAN access, so an exclude list configured on the ASA has no effect unless the AllowLocalLanAccess preference is enabled in the AnyConnect VPN Client preferences. By default, local LAN access is disabled.

A network administrator can enable local LAN access, and therefore split-exclude tunneling, in the client profile, or users can enable it themselves in their preferences. A user selects the Allow Local LAN access check box on the Preferences tab; this only has an effect if split tunneling is enabled on the secure gateway with the split-tunnel-policy excludespecified policy. In the VPN Client Profile, local LAN access is allowed with <LocalLanAccess UserControllable='true'>true</LocalLanAccess>; the UserControllable attribute determines whether the user is permitted to change the setting.

User Preferences

On the Preferences tab of the Cisco AnyConnect Secure Mobility Client, check Allow Local LAN access. If the administrator's profile sets UserControllable to false for LocalLanAccess, the user cannot change this setting and the value from the profile applies.

XML Profile Example

Here is an example of how to configure the VPN Client Profile with XML.
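A minimal AnyConnect client profile that enables local LAN access and leaves the setting user-controllable, added here as an illustration (it is not the page's own profile). The host name and address in ServerList are placeholders for the ASA the clients connect to.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example profile; "Main Office" and vpn.example.com are placeholders. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <!-- Element value true: local LAN access on.
         UserControllable="true": the user may clear the Allow Local LAN access box.
         Set UserControllable="false" to pin the value from the profile.
         The ASA side must still use split-tunnel-policy excludespecified with the
         0.0.0.0/32 list; this flag alone does not bypass the tunnel for anything. -->
    <LocalLanAccess UserControllable="true">true</LocalLanAccess>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>Main Office</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

The profile is stored on the ASA flash and pushed to the client at connect time, either through the ASDM AnyConnect Client Profile editor or by referencing it with anyconnect profiles under webvpn and in the group policy's webvpn attributes.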

Verify

Complete the steps in these sections in order to verify your configuration.

Connect your Cisco AnyConnect Secure Mobility Client to the ASA in order to verify your configuration.

  1. Choose your connection entry from the server list and click Connect.
  2. Choose Advanced Window for All Components > Statistics... in order to display the Tunnel Mode.
  3. Click the Route Details tab in order to see the routes to which the Cisco AnyConnect Secure Mobility Client still has local access.
    In this example, the client is allowed local LAN access to 10.150.52.0/22 and 169.254.0.0/16 while all other traffic is encrypted and sent across the tunnel.

Cisco AnyConnect Secure Mobility Client

When you examine the AnyConnect logs from the Diagnostics and Reporting Tool (DART) bundle, you can determine whether or not the parameter that allows local LAN access is set.

Test Local LAN Access with Ping

An additional way to test that the VPN Client still has local LAN access while tunneled to the VPN headend is to use the ping command at the Microsoft Windows command line. For example, if the local LAN of the client is 192.168.0.0/24 and another host is present on that network with the IP address 192.168.0.3, ping 192.168.0.3 while the tunnel is up. Replies confirm that the local LAN is reached outside the tunnel; the Route Details tab should list 192.168.0.0/24 among the non-secured routes.

Troubleshoot

This section provides information you can use in order to troubleshoot your configuration.

Unable to Print or Browse by Name

When the VPN Client is connected and configured for local LAN access, you cannot print or browse by name on the local LAN, because NetBIOS name resolution traffic is sent over the tunnel rather than to the local LAN. There are two options available in order to work around this situation:

  • Browse or print by IP address.
    • In order to browse, instead of the syntax \\sharename, use the syntax \\x.x.x.x, where x.x.x.x is the IP address of the host computer.
    • In order to print, change the properties for the network printer in order to use an IP address instead of a name. For example, instead of the syntax \\sharename\printername, use \\x.x.x.x\printername, where x.x.x.x is an IP address.
  • Create or modify the VPN Client LMHOSTS file. An LMHOSTS file on a Microsoft Windows PC allows you to create static mappings between hostnames and IP addresses; each line contains an IP address followed by the NetBIOS name of the host on the local LAN.
    On Microsoft Windows (Windows XP Professional Edition in the original example), the LMHOSTS file is located in %SystemRoot%\System32\Drivers\Etc. Refer to your Microsoft documentation or Microsoft knowledge base Article 314108 for more information.
