This document describes how to allow the Cisco VPN Client or the Cisco AnyConnect Secure Mobility Client to reach only its local LAN in the clear while tunneled to a Cisco Adaptive Security Appliance (ASA) 5500 Series or ASA 5500-X Series. This configuration gives Cisco VPN Clients or Cisco AnyConnect Secure Mobility Clients secure access to corporate resources over IPsec, Secure Sockets Layer (SSL), or Internet Key Exchange Version 2 (IKEv2) while still letting the client carry out activities such as printing at its own location. Traffic destined for the Internet is still tunneled to the ASA, and reaches the Internet only if the ASA permits it.
The information in this document is based on these software and hardware versions:
Cisco ASA 5500 Series Version 9.2(1)
Cisco Adaptive Security Device Manager (ASDM) Version 7.1(6)
Cisco VPN Client Version 5.0.07.0440
Cisco AnyConnect Secure Mobility Client Version 3.1.05152
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
The client is located on a typical Small Office / Home Office (SOHO) network and connects across the Internet to the main office.
Unlike a classic split tunneling scenario in which all Internet traffic is sent unencrypted, when you enable local LAN access for VPN clients, it permits those clients to communicate unencrypted with only devices on the network on which they are located. For example, a client that is allowed local LAN access while connected to the ASA from home is able to print to its own printer but not to access the Internet without first sending the traffic over the tunnel.
An access list is used in order to allow local LAN access in much the same way that split tunneling is configured on the ASA. However, instead of defining which networks should be encrypted, the access list in this case defines which networks should not be encrypted. Also, unlike the split tunneling scenario, the actual networks in the list do not need to be known. Instead, the ASA supplies a default network of 0.0.0.0/255.255.255.255, which is understood to mean the local LAN of the client.
Note: When the client is connected and configured for local LAN access, you cannot print or browse by name on the local LAN. However, you can browse or print by IP address. See the Troubleshoot section of this document for more information as well as workarounds for this situation.
Configure Local LAN Access for VPN Clients or the AnyConnect Secure Mobility Client
Complete these tasks in order to allow Cisco VPN Clients or Cisco AnyConnect Secure Mobility Clients access to their local LAN while connected to the ASA:
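The ASA-side settings the article describes are an access list that names the networks which are not encrypted (by default only host 0.0.0.0, the ASA's placeholder for "the client's own LAN") and a group policy that references it with the exclude-specified split-tunnel policy. As an added example, not a configuration copied from the article or from a device, the following Python script embeds such a configuration (the group-policy and access-list names are assumptions) and checks a running configuration for the settings local LAN access needs. It also flags a second, deliberately wrong policy whose exclusion list permits any, which with excludespecified excludes every destination from the tunnel.

```python
"""Check an ASA running-config for a local-LAN-access split-tunnel policy.

Added example: the config text below is constructed for this example, and the
group-policy and access-list names are assumed, not taken from the article.
"""
import re
from typing import Dict, List, Optional

# Constructed sample. "host 0.0.0.0" (0.0.0.0/255.255.255.255) is the ASA's
# placeholder for the client's own local LAN; with excludespecified it is the
# only network the client may reach in the clear. bad_policy shows the
# mistake of excluding "any", which leaves nothing to be tunneled.
SAMPLE_CONFIG = """\
access-list Local_LAN_Access remark Client Local LAN Access
access-list Local_LAN_Access standard permit host 0.0.0.0
!
group-policy hillvalleyvpn internal
group-policy hillvalleyvpn attributes
 vpn-tunnel-protocol ikev1 ikev2 ssl-client
 split-tunnel-policy excludespecified
 split-tunnel-network-list value Local_LAN_Access
!
group-policy bad_policy internal
group-policy bad_policy attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value Exclude_Everything
!
access-list Exclude_Everything standard permit any
"""

ACL_LINE = re.compile(r"^access-list\s+(\S+)\s+(standard|extended)\s+(.*)$")
GP_ATTR_LINE = re.compile(r"^group-policy\s+(\S+)\s+attributes\s*$")


def parse_access_lists(config: str) -> Dict[str, List[str]]:
    """Return {acl_name: [entry, ...]}; remark lines are skipped."""
    acls: Dict[str, List[str]] = {}
    for line in config.splitlines():
        m = ACL_LINE.match(line.strip())
        if m:
            acls.setdefault(m.group(1), []).append(m.group(3).strip())
    return acls


def parse_group_policies(config: str) -> Dict[str, Dict[str, str]]:
    """Return {policy_name: {attribute: value}} from indented attribute blocks."""
    policies: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for line in config.splitlines():
        m = GP_ATTR_LINE.match(line)
        if m:
            current = policies.setdefault(m.group(1), {})
            continue
        if current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            current[key] = value
        else:
            current = None  # any non-indented line ends the block
    return policies


def check_local_lan_access(config: str, policy_name: str) -> List[str]:
    """Return findings; an empty list means the policy grants local LAN access only."""
    findings: List[str] = []
    attrs = parse_group_policies(config).get(policy_name)
    if attrs is None:
        return [f"group-policy {policy_name} has no attributes block"]
    mode = attrs.get("split-tunnel-policy", "tunnelall")  # ASA default is tunnelall
    if mode != "excludespecified":
        findings.append(f"split-tunnel-policy is {mode}; local LAN access needs excludespecified")
    acl_ref = attrs.get("split-tunnel-network-list", "")
    acl_name = acl_ref.split()[-1] if acl_ref else ""
    entries = parse_access_lists(config).get(acl_name)
    if not entries:
        findings.append("split-tunnel-network-list is missing or names an empty access list")
        return findings
    if "permit host 0.0.0.0" not in entries:
        findings.append(f"{acl_name} lacks 'permit host 0.0.0.0', so the client's own LAN is not excluded")
    if any(e.split()[-1] == "any" for e in entries):
        findings.append(f"{acl_name} permits 'any': with excludespecified every destination bypasses the tunnel")
    for e in entries:
        if e != "permit host 0.0.0.0" and e.split()[-1] != "any":
            findings.append(f"{acl_name} also sends '{e}' in the clear (confirm this is intended)")
    return findings


if __name__ == "__main__":
    for name in ("hillvalleyvpn", "bad_policy", "missing"):
        print(name, check_local_lan_access(SAMPLE_CONFIG, name) or ["OK"])
```

Run it against `show running-config` output saved to a file; any finding other than an empty list means the group policy does not give the behaviour this article describes.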
Configure the Cisco VPN Client
Complete these steps in the VPN Client in order to allow the client to have local LAN access while connected to the ASA.
Choose your current connection entry and click Modify.
Go to the Transport tab and check Allow Local LAN Access. Click Save when you are done.
Configure the Cisco AnyConnect Secure Mobility Client
In order to configure the Cisco AnyConnect Secure Mobility Client, refer to the Establish the SSL VPN Connection with SVC section of ASA 8.x : Allow Split Tunneling for AnyConnect VPN Client on the ASA Configuration Example.
Split-exclude tunneling requires that local LAN access be allowed in the AnyConnect client, because the client treats all split-exclude tunneling as local LAN access. By default, local LAN access is disabled. A network administrator can enable it in the client profile with <LocalLanAccess UserControllable="true">true</LocalLanAccess> (UserControllable="true" lets the user change the setting), or users can check Allow Local LAN access in their preferences. The check box only has an effect when split tunneling is enabled on the secure gateway with the split-tunnel-policy excludespecified policy.
In the Preferences tab of the Cisco AnyConnect Secure Mobility Client, check Allow Local LAN access.
XML Profile Example
Here is an example of how to configure the VPN Client Profile with XML.
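The article's XML example is not reproduced on this page. As an added example, not a profile from the article or from Cisco, the following Python script embeds a constructed AnyConnect client profile containing the LocalLanAccess element from the text, reads its current state, and sets it the way an administrator pushing profiles would. Only the LocalLanAccess element comes from the article; the namespace URI and the surrounding elements are assumptions about the profile schema.

```python
"""Read and set LocalLanAccess in an AnyConnect client profile (added example).

The profile below is constructed for this example. Only the LocalLanAccess
element comes from the article; the namespace URI and the other elements are
assumptions, not taken from the page.
"""
import xml.etree.ElementTree as ET
from typing import Tuple

NS = "http://schemas.xml.cisco.com/2006/05/AnyConnectProfile"  # assumed
ET.register_namespace("", NS)  # serialize with a default namespace, not ns0:

# Constructed sample profile with local LAN access still disabled.
SAMPLE_PROFILE = f"""<AnyConnectProfile xmlns="{NS}">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
    <LocalLanAccess UserControllable="true">false</LocalLanAccess>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>vpn.example.com</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

INIT_PATH = f"{{{NS}}}ClientInitialization"
LLA_PATH = f"{INIT_PATH}/{{{NS}}}LocalLanAccess"


def local_lan_access(profile_xml: str) -> Tuple[bool, bool]:
    """Return (enabled, user_controllable); (False, False) if the element is absent."""
    root = ET.fromstring(profile_xml)
    node = root.find(LLA_PATH)
    if node is None:
        return (False, False)
    enabled = (node.text or "").strip().lower() == "true"
    user_ctl = node.get("UserControllable", "false").lower() == "true"
    return (enabled, user_ctl)


def set_local_lan_access(profile_xml: str, enabled: bool, user_controllable: bool) -> str:
    """Return the profile with LocalLanAccess set as requested.

    The element (and ClientInitialization) is created if missing. Setting
    user_controllable=False locks the value so the user cannot change it in
    the Preferences tab.
    """
    root = ET.fromstring(profile_xml)
    init = root.find(INIT_PATH)
    if init is None:
        init = ET.SubElement(root, INIT_PATH)
    node = init.find(f"{{{NS}}}LocalLanAccess")
    if node is None:
        node = ET.SubElement(init, f"{{{NS}}}LocalLanAccess")
    node.set("UserControllable", "true" if user_controllable else "false")
    node.text = "true" if enabled else "false"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", local_lan_access(SAMPLE_PROFILE))
    updated = set_local_lan_access(SAMPLE_PROFILE, enabled=True, user_controllable=True)
    print("after: ", local_lan_access(updated))
    print(updated)
```

Remember that the profile only controls the client side: the gateway must still be configured with split-tunnel-policy excludespecified for the setting to have any effect.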
Connect with the VPN Client or the Secure Mobility Client
Connect your VPN Client to the ASA in order to verify your configuration.
Choose your connection entry from the list and click Connect.
Choose Status > Statistics... in order to display the Tunnel Details window where you can inspect the particulars of the tunnel and see the traffic flow. You can also see that Local LAN is enabled in the Transport section.
Click the Route Details tab in order to see the routes to which the VPN Client still has local access.
In this example, the VPN Client is allowed local LAN access to 192.168.0.0/24 while all other traffic is encrypted and sent across the tunnel.
Connect your Cisco AnyConnect Secure Mobility Client to the ASA in order to verify your configuration.
Choose your connection entry from the server list and click Connect.
Choose Advanced Window for All Components > Statistics... in order to display the Tunnel Mode.
Click the Route Details tab in order to see the routes to which the Cisco AnyConnect Secure Mobility Client still has local access.
In this example, the client is allowed local LAN access to 10.150.52.0/22 and 169.254.0.0/16 while all other traffic is encrypted and sent across the tunnel.
View the VPN Client Log or DART for Secure Mobility Client
When you examine the VPN Client log, you can determine whether or not the parameter that allows local LAN access is set. In order to view the log, click the Log tab in the VPN Client. Then click Log Settings in order to adjust what is logged. In this example, IKE is set to 3 - High while all other log elements are set to 1 - Low.
Cisco Systems VPN Client Version 5.0.07.0440
Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 2

1      14:20:09.532  07/27/06  Sev=Info/6  IKE/0x6300003B
Attempting to establish a connection with 172.22.1.160.

!--- Output is suppressed.

18     14:20:14.188  07/03/14  Sev=Info/5  IKE/0x6300005D
Client sending a firewall request to concentrator

28     14:20:14.208  07/03/14  Sev=Info/5  IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5510 Version 9.2(1) built by root on Wed 2-Jun-14 14:45

!--- Local LAN access is permitted and the local LAN is defined.

29     14:20:14.238  07/03/14  Sev=Info/5  IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_INCLUDE_LOCAL_LAN (# of local_nets), value = 0x00000001

30     14:20:14.238  07/03/14  Sev=Info/5  IKE/0x6300000F
LOCAL_NET #1 subnet = 192.168.0.0 mask = 255.255.255.0 protocol = 0 src port = 0 dest port=0

!--- Output is suppressed.
Cisco AnyConnect Secure Mobility Client
When you examine the AnyConnect logs from the Diagnostics and Reporting Tool (DART) bundle, you can determine whether or not the parameter that allows local LAN access is set.
Date : 11/25/2011
Time : 13:01:48
Type : Information
Source : acvpndownloader
An additional way to test that the VPN Client still has local LAN access while tunneled to the VPN headend is to use the ping command at the Microsoft Windows command line. Here is an example where the local LAN of the client is 192.168.0.0/24 and another host is present on the network with an IP address of 192.168.0.3.
C:\>ping 192.168.0.3

Pinging 192.168.0.3 with 32 bytes of data:

Reply from 192.168.0.3: bytes=32 time<1ms TTL=255
Reply from 192.168.0.3: bytes=32 time<1ms TTL=255
Reply from 192.168.0.3: bytes=32 time<1ms TTL=255
Reply from 192.168.0.3: bytes=32 time<1ms TTL=255

Ping statistics for 192.168.0.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
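The IKE log above shows the two lines that prove local LAN access was negotiated: the MODECFG_UNITY_INCLUDE_LOCAL_LAN attribute carrying the number of local networks, followed by one LOCAL_NET line per network. As an added example, not code from the article or from Cisco, the following Python script parses those lines out of a VPN Client log and then answers the question the ping test above asks by hand: for a given destination, does the client send it in the clear on the local LAN or through the tunnel? The two log lines embedded as sample input are taken from the article's log; the destination addresses used in the main block are constructed.

```python
"""Extract negotiated local LANs from Cisco VPN Client IKE logs (added example).

The sample log lines below are the two relevant entries from the article's
log. The local-versus-tunnel classification is an extension of the article's
ping test and assumes "local" means "inside a LOCAL_NET the client logged".
"""
import ipaddress
import re
from typing import List, Tuple

# Sample input: the two entries from the article's log, comment lines removed.
SAMPLE_LOG = """\
29 14:20:14.238 07/03/14 Sev=Info/5 IKE/0x6300000D MODE_CFG_REPLY: Attribute = MODECFG_UNITY_INCLUDE_LOCAL_LAN (# of local_nets), value = 0x00000001
30 14:20:14.238 07/03/14 Sev=Info/5 IKE/0x6300000F LOCAL_NET #1 subnet = 192.168.0.0 mask = 255.255.255.0 protocol = 0 src port = 0 dest port=0
"""

LOCAL_LAN_COUNT = re.compile(r"MODECFG_UNITY_INCLUDE_LOCAL_LAN.*value = 0x([0-9A-Fa-f]+)")
LOCAL_NET = re.compile(r"LOCAL_NET #(\d+) subnet = (\S+) mask = (\S+)")


def parse_local_nets(log: str) -> Tuple[int, List[ipaddress.IPv4Network]]:
    """Return (count the headend advertised, networks logged as LOCAL_NET).

    The headend sends 0.0.0.0/255.255.255.255 as a placeholder; the client
    resolves that to its directly attached subnet, which is what the
    LOCAL_NET line records (192.168.0.0/24 in the article's example).
    """
    count = 0
    nets: List[ipaddress.IPv4Network] = []
    for line in log.splitlines():
        m = LOCAL_LAN_COUNT.search(line)
        if m:
            count = int(m.group(1), 16)
            continue
        m = LOCAL_NET.search(line)
        if m:
            nets.append(ipaddress.IPv4Network(f"{m.group(2)}/{m.group(3)}", strict=False))
    return count, nets


def local_lan_access_negotiated(log: str) -> bool:
    """True only if the attribute was sent and every advertised LOCAL_NET was logged."""
    count, nets = parse_local_nets(log)
    return count > 0 and len(nets) == count


def route_for(dest: str, local_nets: List[ipaddress.IPv4Network]) -> str:
    """'local' if dest falls inside an excluded local net, otherwise 'tunnel'."""
    addr = ipaddress.IPv4Address(dest)
    return "local" if any(addr in net for net in local_nets) else "tunnel"


if __name__ == "__main__":
    count, nets = parse_local_nets(SAMPLE_LOG)
    print(f"local LAN access negotiated: {local_lan_access_negotiated(SAMPLE_LOG)}")
    print(f"advertised {count} network(s): {[str(n) for n in nets]}")
    # Constructed destinations: a printer on the home LAN and a corporate host.
    for dest in ("192.168.0.3", "10.1.1.5"):
        print(f"{dest:>12} -> {route_for(dest, nets)}")
```

If the count is non-zero but no LOCAL_NET line follows, the headend allowed local LAN access but the client did not apply it, which is the case to look for when the Allow Local LAN Access check box was left cleared.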
Troubleshoot
This section provides information that you can use in order to troubleshoot your configuration.
Unable to Print or Browse by Name
When the VPN Client is connected and configured for local LAN access, you cannot print or browse by name on the local LAN, because name resolution for local hosts is not available over the tunnel. There are two options available in order to work around this situation:
Browse or print by IP address.
In order to browse, instead of the syntax \\hostname, use the syntax \\x.x.x.x, where x.x.x.x is the IP address of the host computer.
In order to print, change the properties of the network printer so that it uses an IP address instead of a name. For example, instead of the syntax \\hostname\printername, use \\x.x.x.x\printername, where x.x.x.x is the IP address of the host that shares the printer.
Create or modify the VPN Client LMHOSTS file. An LMHOSTS file on a Microsoft Windows PC allows you to create static mappings between hostnames and IP addresses. For example, an LMHOSTS file might look like this:
On Microsoft Windows (the example here is Windows XP Professional Edition), the LMHOSTS file is located in %SystemRoot%\System32\Drivers\Etc. Refer to your Microsoft documentation or Microsoft Knowledge Base article 314108 for more information.