AnyConnect clients cannot access resources on other subnet

Solved
rxela
Here to help

Hi there,

We are currently using IPSec for VPN, where all clients are able to access all resources on the subnet X.Y.1.0/24. I've set up the AnyConnect subnet X.Y.59.0/24, and set up Client Routing to only send traffic going to X.Y.1.0/24.

One resource is at X.Y.1.201 whose SMB share I cannot access in File Explorer while on AnyConnect. However, I can ping and communicate with it in the browser. I have an entry in my (local) hosts file for it, if that helps.

I do not have any firewall rules denying communication between the two. I've also tried explicitly allowing, but I'm not sure if that's the right thing to do (it also didn't work). My knowledge of networking is slim, so if anyone has some pointers, that would be appreciated.

1 Accepted Solution
rxela
Here to help

It turns out that the issue had nothing to do with the MX: it was strictly a firewall rule issue in Windows. Allowing incoming connections from X.Y.59.0/24 to the appropriate services within the firewall security settings worked.
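The check and the fix the accepted solution describes, written out in PowerShell as an added example (this is not code from the thread or from Cisco Meraki). It assumes the Windows host serving the share is the X.Y.1.201 machine from the thread, that the VPN pool is X.Y.59.0/24, and that the rule name and the `$VpnSubnet` variable are placeholders; "X.Y" is the thread's own placeholder for the real first two octets and must be replaced before any of this is run.

```powershell
# Added example, not from the original thread.
# Step 0 runs on the AnyConnect client; steps 1-3 run in an elevated
# PowerShell session on the Windows host that serves the SMB share.
# "X.Y" is the thread's placeholder for the real first two octets: replace it.

# 0. From the VPN client: ping succeeding while TCP 445 fails is the
#    signature of a host firewall (or scope) problem rather than routing.
#    Expect PingSucceeded = True and TcpTestSucceeded = False before the fix.
Test-NetConnection -ComputerName 'X.Y.1.201' -Port 445

# 1. On the server: inspect the built-in inbound SMB rules and their scope.
#    A rule whose RemoteAddress reads "LocalSubnet" only admits hosts on the
#    server's own subnet (X.Y.1.0/24), so a client arriving from X.Y.59.0/24
#    is dropped even though the rule shows as Enabled.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Name          = $_.DisplayName
            Enabled       = $_.Enabled
            Profile       = $_.Profile
            RemoteAddress = ($addr.RemoteAddress -join ',')
        }
    } | Format-Table -AutoSize

# 2. Add a narrowly scoped allow rule for SMB (TCP 445) from the VPN pool only,
#    rather than widening the built-in rule to "Any". Rule name is an assumption.
$VpnSubnet = 'X.Y.59.0/24'   # assumption: the AnyConnect client pool from the thread
New-NetFirewallRule -DisplayName 'Allow SMB from AnyConnect pool' `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress $VpnSubnet -Action Allow -Profile Domain,Private

# 3. Confirm the scope actually took, then repeat step 0 from the client.
Get-NetFirewallRule -DisplayName 'Allow SMB from AnyConnect pool' |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

Scoping the rule to the VPN pool keeps the share reachable for AnyConnect users without opening TCP 445 to every address the host can be reached from; if the share must also be reachable from other remote subnets, list each of them in `-RemoteAddress` rather than dropping the scope.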

7 Replies
alemabrahao
Kind of a big deal

Local LAN access

Local LAN access may be desired when Full tunneling is configured (Send all traffic through VPN), but users still require the ability to communicate with their local network. For example, a client that is allowed local LAN access while connected to the MX in full tunnel mode is able to print to a local printer at home, while other traffic flows through the tunnel.

To enable local LAN access, two things need to be done. Local LAN access will not work if both conditions are not satisfied.

1. Configure the MX: Select "Send all traffic except traffic going to these destinations" option on the Dashboard and configure a 0.0.0.0/32 route. This will cause the AnyConnect client to automatically exclude traffic destined for the user's local network from going over the tunnel.

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance#Local_LAN_access

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Hi alemabrahao,

Thanks for your reply. I realized that I should have been slightly clearer: X.Y.1.0/24 is the office on which there are resources that I'm trying to access.

My local LAN is 10.0.0.0/24 and I can access everything. I have both route 0.0.0.0/32 and the "access Local LAN" setting enabled in the Cisco Secure Client.

alemabrahao
Kind of a big deal

You have to validate if the remote office has a source network route (AnyConnect). If yes, you need to validate if any specific network permission is required on the server.

Does the remote office use an MX as well?

Hmm. If by remote office, you mean where I am trying to connect from (i.e. home), then no. There's no MX. The only MX is at the main office, where the server that I am trying to access is located.

How would I go about validating? Do you have any resources that I could look at?

alemabrahao
Kind of a big deal

I'm talking about this location: "X.Y.1.0/24 is the office on which there are resources that I'm trying to access."

Is this where AnyConnect is configured on the MX, or is it another location?

The way you described it, it seems to be another location; it's kind of confusing what you're talking about.

The settings I mentioned before are to be applied to the MX where AnyConnect is configured.

Oh, I think I understand now. Sorry for the confusion, and thank you for clarifying.

The answer is yes then: AnyConnect is configured at the MX at this location. To confirm, X.Y.1.0/24 is the local LAN at the main office, and the server is at X.Y.1.201.

I'll play around with it some more and see if I get anywhere.
