AnyConnect Local LAN Access using Extended ACL

Jean Bourassa
Level 1

Is it possible to use an Extended Access list for Local LAN Access with AnyConnect?  I am running ASA 9.4.1 and AnyConnect 4.0.x.

All of the instructions say to use something like this:

access-list Local_LAN_Access standard permit host 0.0.0.0

But I don't want to allow access to the local LAN on all ports, only the ports required for Printing.

Thanks!

2 Replies

Split tunneling only supports standard ACLs so what you want to do is not possible.

--

Please remember to select a correct answer and rate helpful posts

That's not what I am finding.

Example ACL Rules for Local Printing

The ACL AnyConnect_Client_Local_Print is provided with ASDM to make it easy to configure the client firewall. When you select that ACL for Public Network Rule in the Client Firewall pane of a group policy, that list contains the following ACEs:

Table 3-3 ACL Rules in AnyConnect_Client_Local_Print

Description  Permission  Interface  Protocol  Source Port  Destination Address  Destination Port
Deny all     Deny        Public     Any       Default(1)   Any                  Default
LPD          Allow       Public     TCP       Default      Any                  515
IPP          Allow       Public     TCP       Default      Any                  631
Printer      Allow       Public     TCP       Default      Any                  9100
mDNS         Allow       Public     UDP       Default      224.0.0.251          5353
LLMNR        Allow       Public     UDP       Default      224.0.0.252          5355
NetBios      Allow       Public     TCP       Default      Any                  137
NetBios      Allow       Public     UDP       Default      Any                  137

(1) The port range is 1 to 65535.

Note: To enable local printing, you must enable the Local LAN Access feature in the client profile with a defined ACL rule allow Any Any.

Configuring Local Print Support

To enable local print support, follow these steps:

Step 1 Enable the SSL VPN client firewall in a group policy. Go to Configuration > Remote Access VPN > Network (Client) Access > Group Policies.
Step 2 Select a group policy and click Edit. The Edit Internal Group Policy window displays.
Step 3 Go to Advanced > SSL VPN Client > Client Firewall. Click Manage for the Private Network Rule.
Step 4 Create an ACL and specify an ACE using the rules in Table 3-3. Add this ACL as a Public Network Rule.
Step 5 If you enabled the Automatic VPN Policy always-on and specified a closed policy, in the event of a VPN failure, users have no access to local resources. You can apply the firewall rules in this scenario by going to Preferences (Part 2) in the profile editor and checking Apply last local VPN resource rules.
Source: http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/anyconnectadmin30/ac03vpn.html
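For readers who work from the CLI rather than ASDM, the following is an added configuration example (not code from the thread or from Cisco's documentation) showing how the two pieces fit together: the split-tunnel exclude list stays a standard ACL, as the first reply says, while the per-port restriction is an extended ACL pushed to the AnyConnect client firewall. The ACL names Local_LAN_Access and AnyConnect_Client_Local_Print, the group-policy name GP_PRINT_USERS, and the ACE order (copied from Table 3-3) are assumptions for illustration.

```text
! Added example, not from the thread or Cisco's docs. Names below are assumptions.

! 1. Split-exclude list for Local LAN Access: this is the only ACL the
!    split-tunnel policy references, and it must be a STANDARD ACL.
access-list Local_LAN_Access standard permit host 0.0.0.0

! 2. Client-firewall list: an EXTENDED ACL with the ACEs of Table 3-3, in the
!    table's order. Only the printing/discovery ports are permitted on the
!    client's public (local network) interface while the tunnel is up.
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 515
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq 137

! 3. Group policy: exclude the local LAN from the tunnel, then apply the
!    extended ACL as the client firewall's public-interface rule.
group-policy GP_PRINT_USERS internal
group-policy GP_PRINT_USERS attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value Local_LAN_Access
 webvpn
  anyconnect firewall-rule client-interface public value AnyConnect_Client_Local_Print
```

Two things to check before relying on this: the Local LAN Access setting in the AnyConnect client profile (Preferences, Part 1, in the profile editor) must also be enabled, or the split-exclude list has no effect; and the deny-first ordering is reproduced from Table 3-3 as the quoted document gives it, so confirm on the ASA and AnyConnect versions in use (9.4.1 and 4.0.x here) that the printing ports are actually reachable after the rules are pushed, for example by printing from a connected client and reviewing the client firewall rules in the AnyConnect statistics. The client firewall is enforced by the AnyConnect client on platforms that support that feature, not by the ASA, so treat it as a client-side control and keep the standard split-exclude ACL as narrow as the deployment allows.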