ASA 9.3(2) AnyConnect Local Lan Access

Solomon Sands
Level 1

Hello All,

I upgraded ASA version from 9.1(2) to 9.3(2).  My AnyConnect was set up according to http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/70847-local-lan-pix-asa.html for Local Lan Access.  Prior to upgrade I could see under Route Details the Unsecured Routes of my Local Lan.  After the upgrade I can no longer see this, only that 0.0.0.0/0 is a secured route, and I cannot access Local Lan.  The original 'permit 0.0.0.0' was removed and I cannot add it back, the ASA is now telling me that I have to use 'any4' to represent this.

I have added it back in but to no avail.

group-policy GroupPolicy_xxxx attributes
 banner value ---- WARNING ----
 banner value This is a private network. Unauthorized use is prohibited.
 banner value Use of this network constitutes consent to monitoring.
 wins-server none
 dns-server value 10.151.1.6 8.8.8.8
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy excludespecified
 ipv6-split-tunnel-policy excludespecified
 split-tunnel-network-list value xxxx_LocalLan_acl
 default-domain value xxxx.com
 address-pools value AnyConnectPool

I have tried the following for xxxx_LocalLan_acl:

access-list xxxx_LocalLan_acl extended permit ip object AnyConnectObject any4

access-list xxxx_LocalLan_acl standard permit any4

access-list xxxx_LocalLan_acl extended permit any4 any4

access-list xxxx_LocalLan_acl extended deny ip object AnyConnectObject any4

access-list xxxx_LocalLan_acl standard deny any4

access-list xxxx_LocalLan_acl extended deny any4 any4

The Client profiles have 'Allow Local Lan Access' enabled and clients cannot turn this off

6 Replies

girafskind
Level 1

Hi Solomon

Did you find a solution to this?

I ran into this problem after I upgraded an ASA to 9.3. To allow Local Lan Access, you're right about the 'split-tunnel-policy excludespecified' and 'split-tunnel-network-list value xxxx_LocalLan_acl'.

But what you need to add into the ACL is:

access-list xxxx_LocalLan_acl standard permit host 0.0.0.0

or

access-list xxxx_LocalLan_acl standard permit 0.0.0.0 255.255.255.255

But my problem is that the ASA 9.3 won't accept the 'host 0.0.0.0'; as far as I found out, it's because of a bug in the ASA software.

CSCut31315

https://tools.cisco.com/bugsearch/bug/CSCuw57991

Did you find a solution? I haven't yet, except up/downgrade

Regards Bo

Negative.  I opened a TAC case and requested a Bug report, but nothing came of it.  I rolled back to 9.1.6 for now.

Sorry for digging out old threads. You can use local lan access with an extended access list with a host object with the IP 0.0.0.0 as source.

Unfortunately I didn't find out how to do this with IPv6

object network obj-0.0.0.0
 host 0.0.0.0
access-list LOCAL-LAN-ACCESS extended permit ip object obj-0.0.0.0 any4

I think I have found a working configuration (running 9.4.6.2):

access-list acl-remVPN-splitv4v6 remark remote VPN with local LAN access: split network list
access-list acl-remVPN-splitv4v6 extended permit ip host 0.0.0.0 any4
access-list acl-remVPN-splitv4v6 extended permit ip host :: any6

group-policy VPNusers_with_dual_stack_and_local_LAN_access attributes
split-tunnel-policy excludespecified
ipv6-split-tunnel-policy excludespecified
split-tunnel-network-list value acl-remVPN-splitv4v6

Hi swasserroth

Yes, with this configuration it works for IPv6 too.

Philip D'Ath
VIP Alumni

You should be using a "standard" acl, not an extended one.  And it should only have the destination networks listed, and change it to being an inclusion policy.

For example:

split-tunnel-policy tunnelspecified
access-list xxxx_LocalLan_acl standard permit 10.0.0.0 255.0.0.0
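An added example, not code from this thread or from Cisco: a small Python checker that reads ASA-style config text as pasted in the replies above and flags an excludespecified group-policy whose split-tunnel ACL lacks the 'host 0.0.0.0' (or 'host ::') entry the replies found necessary, or that uses any4/any6, which the original poster found did not work. It assumes running-config indentation (one leading space on attribute lines) and does not resolve object references, so the obj-0.0.0.0 variant is not recognised.

```python
import re
SAMPLE_CONFIG = """\
access-list acl-split extended permit ip host 0.0.0.0 any4
access-list acl-split extended permit ip host :: any6
access-list acl-broken standard permit any4
group-policy GP_OK attributes
 split-tunnel-policy excludespecified
 ipv6-split-tunnel-policy excludespecified
 split-tunnel-network-list value acl-split
group-policy GP_BROKEN attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value acl-broken
"""  # constructed sample, not a real device dump: the thread's working fix plus one rejected variant
# Per family: policy attribute, entry form the thread reports as working, keyword that does not work.
LOCAL_LAN = (("IPv4", "split-tunnel-policy",
              re.compile(r"^(?:ip )?(?:host 0\.0\.0\.0|0\.0\.0\.0 255\.255\.255\.255)(?:\s|$)"), "any4?"),
             ("IPv6", "ipv6-split-tunnel-policy", re.compile(r"^(?:ip )?host ::(?:\s|$)"), "any6"))

def parse_asa(config):
    # Collect split-tunnel attributes per group-policy and (type, action, rest) per access-list.
    policies, acls, current = {}, {}, None
    for line in config.splitlines():
        gp = re.match(r"group-policy (\S+) attributes$", line)
        acl = re.match(r"access-list (\S+) (standard|extended) (permit|deny) (.+)$", line)
        if gp:
            current = policies.setdefault(gp.group(1), {})
        elif acl:
            acls.setdefault(acl.group(1), []).append(acl.group(2, 3, 4))
        elif current is not None and line.startswith(" "):
            parts = line.split()
            if parts[0].endswith("split-tunnel-policy"):
                current[parts[0]] = parts[1]
            elif parts[0] == "split-tunnel-network-list":
                current[parts[0]] = parts[-1]
    return policies, acls

def check_local_lan_access(config):
    # Return (group-policy, message) findings for every excludespecified split-tunnel policy.
    policies, acls = parse_asa(config)
    findings = []
    for name, gp in policies.items():
        entries = acls.get(gp.get("split-tunnel-network-list"), [])
        for fam, key, good, bad in LOCAL_LAN:
            if gp.get(key) != "excludespecified":
                continue  # a tunnelspecified inclusion list needs no 0.0.0.0 / :: entry
            if not any(act == "permit" and good.match(rest) for _, act, rest in entries):
                findings.append((name, f"{fam}: no local-LAN exclusion entry, local LAN stays tunnelled"))
            for kind, act, rest in entries:
                if re.match(rf"^(?:ip )?{bad}(?:\s|$)", rest):
                    findings.append((name, f"'{kind} {act} {rest}' does not exclude the local LAN"))
    return findings
```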