Cisco Anyconnect Local Lan Access



It can import Cisco VPN client profiles. I have used Cisco VPN Client version 5.0.05.0290, and after installing the Shrew VPN (version 2.1.7) and importing Cisco profile, I was able to access local LAN while connected to corporate VPN without any additional configuration of Shrew VPN connection (or software). The Cisco VPN client can be hacked to bypass the local LAN access policy. I had a user do this successfully several months ago (the ability to do this was corrected in a newer release of the VPN.

  1. Cisco Anyconnect Keep Local Lan Access
  2. Cisco Anyconnect Local Lan Access
  3. Cisco Anyconnect Updates
  4. Cisco Anyconnect Log In
  5. Cisco Anyconnect Local Lan Access

Introduction

This document describes how to allow the Cisco VPN Client or the Cisco AnyConnect Secure Mobility Client to only access their local LAN while tunneled into a Cisco Adaptive Security Appliance (ASA) 5500 Series or the ASA 5500-X Series. This configuration allows Cisco VPN Clients or the Cisco AnyConnect Secure Mobility Client secure access to corporate resources via IPsec, Secure Sockets Layer (SSL), or Internet Key Exchange Version 2 (IKEv2) and still gives the client the ability to carry out activities such as printing where the client is located. If it is permitted, traffic destined for the Internet is still tunneled to the ASA.

Note: This is not a configuration for split tunneling, where the client has unencrypted access to the Internet while connected to the ASA or PIX. Refer to PIX/ASA 7.x: Allow Split Tunneling for VPN Clients on the ASA Configuration Example for information on how to configure split tunneling on the ASA.

Prerequisites

Requirements

This document assumes that a functional remote access VPN configuration already exists on the ASA.

Refer to PIX/ASA 7.x as a Remote VPN Server using ASDM Configuration Example for the Cisco VPN Client if one is not already configured.

Refer to ASA 8.x VPN Access with the AnyConnect SSL VPN Client Configuration Example for the Cisco AnyConnect Secure Mobility Client if one is not already configured.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco ASA 5500 Series Version 9(2)1
  • Cisco Adaptive Security Device Manager (ASDM) Version 7.1(6)
  • Cisco VPN Client Version 5.0.07.0440
  • Cisco AnyConnect Secure Mobility Client Version 3.1.05152

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Network Diagram

The client is located on a typical Small Office / Home Office (SOHO) network and connects across the Internet to the main office.

Background Information

Unlike a classic split tunneling scenario in which all Internet traffic is sent unencrypted, when you enable local LAN access for VPN clients, it permits those clients to communicate unencrypted with only devices on the network on which they are located. For example, a client that is allowed local LAN access while connected to the ASA from home is able to print to its own printer but not to access the Internet without first sending the traffic over the tunnel.

An access list is used in order to allow local LAN access in much the same way that split tunneling is configured on the ASA. However, instead of defining which networks should be encrypted, the access list in this case defines which networks should not be encrypted. Also, unlike the split tunneling scenario, the actual networks in the list do not need to be known. Instead, the ASA supplies a default network of 0.0.0.0/255.255.255.255, which is understood to mean the local LAN of the client.

Note: When the client is connected and configured for local LAN access, you cannot print or browse by name on the local LAN. However, you can browse or print by IP address. See the Troubleshoot section of this document for more information as well as workarounds for this situation.

Configure Local LAN Access for VPN Clients or the AnyConnect Secure Mobility Client

Cisco Anyconnect Keep Local Lan Access

Complete these tasks in order to allow Cisco VPN Clients or Cisco AnyConnect Secure Mobility Clients access to their local LAN while connected to the ASA:

  • Configure the ASA via the ASDM or Configure the ASA via the CLI

Configure the ASA via the ASDM

Complete these steps in the ASDM in order to allow VPN Clients to have local LAN access while connected to the ASA:

  1. Choose Configuration > Remote Access VPN > Network (Client) Access > Group Policy and select the Group Policy in which you wish to enable local LAN access. Then click Edit.
  2. Go to Advanced > Split Tunneling.
  3. Uncheck the Inherit box for Policy and choose Exclude Network List Below.
  4. Uncheck the Inherit box for Network List and then click Manage in order to launch the Access Control List (ACL) Manager.
  5. Within the ACL Manager, choose Add > Add ACL... in order to create a new access list.
  6. Provide a name for the ACL and click OK.
  7. Once the ACL is created, choose Add > Add ACE... in order to add an Access Control Entry (ACE).
  8. Define the ACE that corresponds to the local LAN of the client.
    1. Choose Permit.
    2. Choose an IP Address of 0.0.0.0
    3. Choose a Netmask of /32.
    4. (Optional) Provide a description.
    5. Click OK.

  9. Click OK in order to exit the ACL Manager.
  10. Be sure that the ACL you just created is selected for the Split Tunnel Network List.
  11. Click OK in order to return to the Group Policy configuration.
  12. Click Apply and then Send (if required) in order to send the commands to the ASA.

Configure the ASA via the CLI

Rather than use the ASDM, you can complete these steps in the ASA CLI in order to allow VPN Clients to have local LAN access while connected to the ASA:

  1. Enter configuration mode.
  2. Create the access list in order to allow local LAN access.

    Caution: Due to changes in the ACL syntax between ASA software versions 8.x to 9.x, this ACL is no longer permited and admins will see this error message when they try to configure it:
    rtpvpnoutbound6(config)# access-list test standard permit host 0.0.0.0
    ERROR: invalid IP address
    The only thing that is allowed is:
    rtpvpnoutbound6(config)# access-list test standard permit any4
    This is a known issue and has been addressed by Cisco bug ID CSCut3131. Upgrade to a version with the fix for this bug in order to be able to configure local LAN access.

  3. Enter the Group Policy configuration mode for the policy that you wish to modify.
  4. Specify the split tunnel policy. In this case, the policy is excludespecified.
  5. Specify the split tunnel access list. In this case, the list is Local_LAN_Access.
  6. Issue this command:
  7. Associate the group policy with the tunnel group
  8. Exit the two configuration modes.
  9. Save the configuration to non-volatile RAM (NVRAM) and press Enter when prompted to specify the source filename.

Configure the Cisco AnyConnect Secure Mobility Client

In order to configure the Cisco AnyConnect Secure Mobility Client, refer to the Establish the SSL VPN Connection with SVC section of ASA 8.x : Allow Split Tunneling for AnyConnect VPN Client on the ASA Configuration Example.

Split-exclude tunneling requires that you enable AllowLocalLanAccess in the AnyConnect Client. All split-exclude tunneling is regarded as local LAN access. In order to use the exclude feature of split-tunneling, you must enable the AllowLocalLanAccess preference in the AnyConnect VPN Client preferences. By default, local LAN access is disabled.

In order to allow local LAN access, and therefore split-exclude tunneling, a network administrator can enable it in the profile or users can enable it in their preferences settings (see the image in the next section). In order to allow local LAN access, a user selects the Allow Local LAN access check box if split-tunneling is enabled on the secure gateway and is configured with the split-tunnel-policy exclude specified policy. In addition, you can configure the VPN Client Profile if local LAN access is allowed with <LocalLanAccess UserControllable='true'>true</LocalLanAccess>.

User Preferences

Here are the selections you should make in the Preferences tab on the Cisco AnyConnect Secure Mobility Client in order to allow local LAN access.

XML Profile Example

Here is an example of how to configure the VPN Client Profile with XML.

Verify

Complete the steps in these sections in order to verify your configuration.

Connect your Cisco AnyConnect Secure Mobility Client to the ASA in order to verify your configuration.

  1. Choose your connection entry from the server list and click Connect.
  2. Choose Advanced Window for All Components > Statistics... in order to display the Tunnel Mode.
  3. Click the Route Details tab in order to see the routes to which the Cisco AnyConnect Secure Mobility Client still has local access.
    In this example, the client is allowed local LAN access to 10.150.52.0/22 and 169.254.0.0/16 while all other traffic is encrypted and sent across the tunnel.

Cisco AnyConnect Secure Mobility Client

When you examine the AnyConnect logs from the Diagnostics and Reporting Tool (DART) bundle, you can determine whether or not the parameter that allows local LAN access is set.

Test Local LAN Access with Ping

An additional way to test that the VPN Client still has local LAN access while tunneled to the VPN headend is to use the ping command at the Microsoft Windows command line. Here is an example where the local LAN of the client is 192.168.0.0/24 and another host is present on the network with an IP address of 192.168.0.3.

Troubleshoot

This section provides information you can use in order to troubleshoot your configuration.

Unable to Print or Browse by Name

When the VPN Client is connected and configured for local LAN access, you cannot print or browse by name on the local LAN. There are two options available in order to work around this situation:

  • Browse or print by IP address.
    • In order to browse, instead of the syntax sharename, use the syntax x.x.x.x where x.x.x.x is the IP address of the host computer.
    • In order to print, change the properties for the network printer in order to use an IP address instead of a name. For example, instead of the syntax sharenameprintername, use x.x.x.xprintername, where x.x.x.x is an IP address.
  • Create or modify the VPN Client LMHOSTS file. An LMHOSTS file on a Microsoft Windows PC allows you to create static mappings between hostnames and IP addresses. For example, an LMHOSTS file might look like this:
    In Microsoft Windows XP Professional Edition, the LMHOSTS file is located in %SystemRoot%System32DriversEtc. Refer to your Microsoft documentation or Microsoft knowledge base Article 314108 for more information.

Related Information

Introduction

This document provides a sample configuration of how to configure an IOS/IOS-XE headend for remote access using AnyConnect IKEv2 and AnyConnect-EAP authentication method with local user database.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

  • IKEv2 protocol

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco Cloud Services Router running IOS XE 16.9.2
  • AnyConnect client version 4.6.03049 running on Windows 10

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Background Information

AnyConnect-EAP, also known as aggregate authentication, allows a Flex Server to authenticate the AnyConnect client using the Cisco proprietary AnyConnect-EAP method. Unlike standard based Extensible Authentication Protocol (EAP) methods such as EAP-Generic Token Card (EAP-GTC), EAP- Message Digest 5 (EAP-MD5) and so on, the Flex Server does not operate in EAP pass-through mode. All EAP communication with the client terminates on the Flex Server and the required session key used to construct the AUTH payload is computed locally by the Flex Server. The Flex Server has to authenticate itself to the client using certificates as required by the IKEv2 RFC.

Cisco Anyconnect Local Lan Access

Local user authentication is now supported on the Flex Server and remote authentication is optional. This is ideal for small scale deployments with less number of remote access users and in environments with no access to an external Authentication, Authorization, and Accounting (AAA) server. However, for large scale deployments and in scenarios where per-user attributes are desired it is still recommended to use an external AAA sever for authentication and authorization. The AnyConnect-EAP implementation permits the use of Radius for remote authentication, authorization and accounting.

Network Diagram

Configure

Authenticating and Authorizating users using the Local Database

Note: In order to authenticate users against the local database on the router, EAP needs to be used. However, in order to use EAP, the local authentication method has to be rsa-sig, so the router needs a proper certificate installed on it, and it can't be a self-signed certificate.

Sample configuration that uses local user authentication, remote user and group authorization and remote accounting.

Step 1. Enable AAA, and configure authentication, authorization and accounting lists and add a username to the local database:

Step 2. Configure a trustpoint that will hold the router certificate. PKCS12 file import is used in this example. For other options, please consult the PKI (Public Key Infrastructure) configuration guide:


https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/xe-3s/sec-pki-xe-3s-book/sec-cert-enroll-pki.html

Step 3. Define an IP local pool to assign addresses to AnyConnect VPN clients:

Step 4. Create an IKEv2 local authorization policy:

Step 5 (Optional). Create desired IKEv2 proposal and policy. If not configured, smart defaults will be used:

Step 6. Create AnyConnect profile

Note: The AnyConnect profile needs to be delivered to the client machine. Please refer to the next section for more information.

Configure the client profile using the AnyConnect Profile Editor as shown in the image:

Cisco Anyconnect Local Lan Access

Click 'Add' to create an entry for the VPN gateway. Make sure to select 'IPsec' as 'Primary Protocol'. Uncheck the 'ASA gateway' option.

Save the profile by going to FIle -> Save As. The XML equivalent of the profile:

Note: AnyConnect uses '*$AnyConnectClient$*' as its default IKE identity of type key-id. However, this identity can be manually changed in the AnyConnect profile to match deployment needs.

Note: In order to upload the XML profile to the router, IOS-XE 16.9.1 version or later is required. If older version of IOS-XE software is used, the profile download capability needs to be disabled on the client. Please refer to the section 'Disabling the AnyConnect downloader capability' for more information.

Upload the created XML profile to the flash memory of the router and define the profile:

Note: The filename used for AnyConnect XML profile should be acvpn.xml.

Step 7. Create an IKEv2 profile for AnyConnect-EAP method of client authentication.

Note: Configuring the remote authentication method before the local authentication method will be accepted by the CLI, but will not take effect on versions that do not have the fix for the enhancement request CSCvb29701, if the remote authentication method is eap. For these versions, when configuring eap as the remote authentication method, ensure the local authentication method is configured as rsa-sig first. This problem is not seen with any other form of remote authentication method.

Note: On versions of code affected by CSCvb24236 , once remote authentication is configured before local authentication, the remote authentication method can no longer be configured on that device. Please upgrade to a version that has the fix for this code.

Step 8. Disable HTTP-URL based certificate lookup and HTTP server on the router:

Note: Referthis document to confirm whether your router hardware supports the NGE encryption algorithms (for example the example above has NGE algorithms). Otherwise IPSec SA installation on the hardware will fail at the last stage of negotiation.

Step 9. Define the encryption and hash algorithms used to protect data

Step 10. Create an IPSec profile:

Step 11. Configure a loopback interface with some dummy IP address. The Virtual-Access interfaces will borrow the IP address from it.

Step 12. Configure a virtual-template (associate the template in the IKEv2 profile)

Steap 13 (Optional). By default, all traffic from the client will be sent through the tunnel. You can configure split tunnel, which allows only selected traffic to go through the tunnel.

Step 14 (Optional). If all traffic is required to go through the tunnel, you may configure NAT in order to allow internet connectivity for remote clients.

Disabling the AnyConnect downloader capability (optional).

This step is only necessary if IOS-XE software version older than 16.9.1 is being used. Prior to IOS-XE 16.9.1 the capability to upload the XML profile to the router was not available. The AnyConnect client tries to perform download of the XML profile after successful login by default. If the profile is not available, the connection fails. As a workaround, it is possible to disable the AnyConnect profile download capability on the client itself. In order to do that, the following file can be modified:

The 'BypassDownloader' option should be set to 'true', for example:

After the modification, the AnyConnect client needs to be restarted.

AnyConnect XML profile delivery

With the fresh installation of the AnyConnect (with no XML profiles added), the user is able to manually enter the FQDN of the VPN gateway in the address bar of AnyConnect client. This results in the SSL connection to the gateway. The AnyConnect client will not attempt to establish the VPN tunnel with IKEv2/IPsec protocols by default. This is the reason why having XML profile installed on the client is mandatory to establish the IKEv2/IPsec tunnel with IOS-XE VPN gateway.

The profile is used when it is being selected from the drop-down list of AnyConnect address bar. The name that will appear is the same name as specified in 'Display Name' in AnyConnect profile editor. In this example the user should select the following:

The XML profile can be manually put into the following directory:

The AnyConnect client needs to be restarted in order for the profile to become visible in the GUI. It's not sufficient to close the AnyConnect window. The process can be restarted by right-clicking AnyConnect icon in the Windows tray and selecting 'Quit' option:

Communication flow

IKEv2 and EAP exchange

Verify

Cisco Anyconnect Updates

Use this section in order to confirm that your configuration works properly.

Troubleshoot

Cisco Anyconnect Log In

This section provides information you can use in order to troubleshoot your configuration.

Cisco Anyconnect Local Lan Access

  1. IKEv2 debugs to collect from the headend:
  2. AAA debugs to see assignment of local and/or remote attributes:
  3. DART from the AnyConnect client.