AnyConnect and Local LAN access

MarcoBri
Comes here often

Hi

I'm facing a strange issue when I try to access my Local LAN when connected with AnyConnect to my Corporate MX (or vMX).

I've set the AnyConnect Server to send traffic over the VPN only to specific destinations.

I've deployed a Profile that allows Local LAN access, but it seems it works only in Full Tunnel mode.

Does anyone get the same issue?

 

Thanks

Marco

CptnCrnch
Kind of a big deal

At least with legacy Cisco gear you had to exclude 0.0.0.0/32 from your tunnel.

 

Here you tell Anyconnect to tunnel everything RFC1918 to your VPN headend, so basically it simply is doing what you're telling it to do.

MarcoBri
Comes here often

Thanks for your reply.

Unfortunately I cannot find a place where I can exclude 0.0.0.0/32 from the tunnel.

The option is available only in Full Tunnel mode.

If you can find where, please let me know.

 

Thanks

 

PhilipDAth
Kind of a big deal

This will be because your local LAN subnet falls within one of the subnets above - which you have told AnyConnect to forcibly send to the MX.  If you make the scopes narrower so it doesn't include your local subnet it will work.

cmr
Kind of a big deal

As @PhilipDAth says, your local LAN is likely to be 192.168.0.0/24 or similar and covered by your forced routing.  You need to remove the network that overlaps and have more specific ones that exclude it.

MarcoBri
Comes here often

Thanks to all.

Unfortunately I cannot control the Local LAN client settings, and it is too complicated to manage exclusions/inclusions.

I need to find another solution.

 

Thanks again

cmr
Kind of a big deal

@MarcoBri don't route 192.168.0.0/16 over the VPN.  If you are using any of it in the corporate network then re-IP those sites.  A corporate network should not use 192.168 networks unless you never intend remote access from people's homes.

MarcoBri
Comes here often

Unfortunately I cannot re-IP hundreds of networks.

Those networks were assigned before allowing remote access.

PhilipDAth
Kind of a big deal

You don't need to.  Can you not extract a list of the 192.168.0.0/16 subnets in use in the network?

 

The biggest ones to avoid are 192.168.0.0/24 and 192.168.1.0/24.

I already have the list, but there are more than 300, most of them subnetted, including 192.168.0.0/24 and 192.168.1.0/24.

I've realized that someone is using 192.168.80.0/24 at home!

A possible solution could be to send ALL traffic through the VPN and exclude 0.0.0.0/32.

In this way I can use my local LAN, whatever its network address.

The problem is that if I terminate the AnyConnect VPN on a vMX, Internet access is no longer allowed.

 

PhilipDAth
Kind of a big deal

I would look at whether you need to provide VPN access to 192.168.0.0/23.  Perhaps there are no servers that need remote access.  Problem solved.

Next, I would look into renumbering just those two networks.  You could even create a new VLAN at those sites, and renumber just the individual servers that need remote access and leave everything else "as is".

cmr
Kind of a big deal

Lol, @PhilipDAth I had a bite to eat mid reply and just wrote almost the same.

cmr
Kind of a big deal

If you don't want to re-IP all 192.168 networks, then I'd at least move the corporate 192.168.0.n and 192.168.1.n networks to new IP ranges, and then most home users will be okay. Home users on other IP ranges have probably chosen a different range themselves, so they can change it back if they want local access.

I use 10.238.0.0/24 at home, so I worked the subnets around that:

10.224.0.0/13
10.232.0.0/14
10.236.0.0/15
10.238.1.0/24
10.238.2.0/23
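The carve-out cmr did by hand above (and the overlap check PhilipDAth and cmr describe earlier in the thread) can be automated. The following is an added example, not code from the thread or from Meraki; the route list and the 192.168.80.0/24 home LAN are constructed from values mentioned in the discussion.

```python
import ipaddress

# Constructed example data: the RFC1918 ranges forced into the tunnel, and the
# home LAN one user was found to be on (both values appear in the thread).
TUNNEL_ROUTES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
HOME_LAN = "192.168.80.0/24"


def overlapping_routes(tunnel_routes, local_lan):
    """Return the tunneled prefixes that cover the client's local LAN.

    Any hit here means "Allow local LAN access" cannot help on its own: the
    split-tunnel route covers the LAN, so that traffic is sent to the headend.
    """
    lan = ipaddress.ip_network(local_lan, strict=False)
    return [str(r) for r in map(ipaddress.ip_network, tunnel_routes) if r.overlaps(lan)]


def carve_out(tunnel_routes, local_lan):
    """Rewrite the split-tunnel list so that it no longer covers local_lan.

    A prefix containing the LAN is replaced by the minimal set of CIDRs that
    cover everything in it except the LAN (the same exercise cmr did by hand
    for 10.238.0.0/24). A prefix that lies inside the LAN is dropped entirely.
    """
    lan = ipaddress.ip_network(local_lan, strict=False)
    result = []
    for route in map(ipaddress.ip_network, tunnel_routes):
        if not route.overlaps(lan):
            result.append(route)
        elif lan.subnet_of(route):
            # address_exclude yields the covering prefixes minus the LAN
            result.extend(route.address_exclude(lan))
        # else: route is a subnet of the LAN; nothing of it is left to tunnel
    return [str(r) for r in sorted(result)]


if __name__ == "__main__":
    print("tunnel routes covering the LAN:", overlapping_routes(TUNNEL_ROUTES, HOME_LAN))
    for cidr in carve_out(TUNNEL_ROUTES, HOME_LAN):
        print(cidr)
```

The trade-off is the one the thread already states: any corporate subnet inside the carved-out range (192.168.80.0/24 here) becomes unreachable for that client over the VPN.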

 

I've given it time, connected twice, have "Allow local LAN" access enabled in the client, yet a route still gets added with higher priority pointing my subnet to the Anyconnect.  

10.238.0.0 255.255.255.0 On-link 10.238.0.126 306
10.238.0.0 255.255.255.0 On-link 10.238.3.103 2
10.238.0.1 255.255.255.255 On-link 10.238.0.126 51

 

I could forcibly create a route with a higher priority, but I'm wondering why it's doing this at all. Am I missing something?
