Updated: October 4, 2023
This document describes how to configure Cisco Secure Client to access the Local LAN and still maintain a secure connection to the headend.
Cisco recommends that you have knowledge of these topics:
Cisco Secure Firewall Management Center (FMC)
Cisco Firepower Threat Defense (FTD)
Cisco Secure Client (CSC)
The information in this document is based on these software and hardware versions:
Cisco Secure Firewall Management Center Virtual Appliance Version 7.3
Cisco Firepower Threat Defense Virtual Appliance Version 7.3
Cisco Secure Client Version 5.0.02075
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
The configuration described in this document allows Cisco Secure Client to have full access to the local LAN while still maintaining a secure connection to the headend and corporate resources. This can be used to allow the client to print or access a Network Access Server (NAS).
In this document, it is assumed that you already have a working Remote Access VPN configuration.
To add the Local LAN access capability, navigate to Devices > Remote Access and click the Edit button on the appropriate Remote Access policy.
Then, navigate to Advanced > Group Policies.
Click the Edit button on the Group Policy where you want to configure Local LAN Access and navigate to the Split Tunneling tab.
In the IPv4 Split Tunneling section, select the Exclude networks specified below option. This prompts for a Standard Access List selection.
Click the + button to create a new Standard Access List.
Click the Add button to create a Standard Access List Entry. The Action of this entry must be set to Allow.
Click the + button to add a new Network Object. Ensure that this object is set as a Host in the Network section and enter 0.0.0.0 in the box.
Click the Save button and select the newly created object.
Click the Add button to save the Standard Access List entry.
Click the Save button and the newly created Standard Access List is automatically selected.
Click the Save button and deploy the changes.
Secure Client configuration
By default, the Local LAN Access option is set to User Controllable. To enable the option, click the Gear icon on the Secure Client GUI.
Navigate to Preferences and ensure that the Allow local (LAN) access when using VPN (if configured) option is enabled.
Connect to the headend using the Secure Client.
Click the gear icon and navigate to Route Details. Here you can see that the local LAN is automatically detected and excluded from the tunnel.
To verify that the configuration was applied successfully, you can use the CLI of the FTD.
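One way to check a saved running-config capture for the settings this procedure produces, as an added example that is not part of the original document or Cisco's tooling. It assumes the deployed policy appears as ASA-style `split-tunnel-policy`, `split-tunnel-network-list` and standard `access-list` lines; the sample config and every policy and ACL name in it are constructed.

```python
import re

# Constructed sample of "show running-config" output; all names are placeholders.
SAMPLE_CONFIG = """\
access-list LocalLAN-Access standard permit host 0.0.0.0
access-list Corp-Split standard permit 10.0.0.0 255.0.0.0
group-policy GP-LocalLAN internal
group-policy GP-LocalLAN attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value LocalLAN-Access
group-policy GP-Full attributes
 split-tunnel-policy tunnelall
group-policy GP-Split attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Corp-Split
"""

def parse_group_policies(config):
    """Map each group policy to its split-tunnel mode and network-list ACL name."""
    policies, current = {}, None
    for line in config.splitlines():
        header = re.match(r"group-policy (\S+) attributes\s*$", line)
        if header:
            current = policies.setdefault(header.group(1), {"mode": None, "acl": None})
        elif current is not None and line.startswith(" "):
            words = line.split()
            if len(words) == 2 and words[0] == "split-tunnel-policy":
                current["mode"] = words[1]
            elif len(words) == 3 and words[:2] == ["split-tunnel-network-list", "value"]:
                current["acl"] = words[2]
        else:
            current = None  # an unindented line closes the attributes block
    return policies

def local_lan_acls(config):
    """Names of standard ACLs holding the 'permit host 0.0.0.0' entry from the procedure."""
    pattern = r"^access-list (\S+) standard permit host 0\.0\.0\.0\s*$"
    return set(re.findall(pattern, config, flags=re.MULTILINE))

def local_lan_policies(config):
    """Group policies that exclude the client's local LAN from the tunnel."""
    lan_acls = local_lan_acls(config)
    return sorted(name for name, p in parse_group_policies(config).items()
                  if p["mode"] == "excludespecified" and p["acl"] in lan_acls)

if __name__ == "__main__":
    print(local_lan_policies(SAMPLE_CONFIG))
```

Run against a capture taken after deployment, the result should list exactly the group policies edited in the steps above; any other name in the list is a policy where Local LAN Access is also enabled.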