In this tidbit I want to cover split-tunneling and local LAN access by giving an overview of each and how they differ. First off, split-tunneling and local LAN access are two separate things. Here is a quick breakdown of each:
Split-tunneling: lets you configure exactly which traffic is sent over the VPN tunnel and which traffic bypasses it and leaves the host unencrypted via the local network gateway (normally straight out to the internet). This is the option that raises security concerns: while connected, the endpoint sits on the corporate network and on the open internet at the same time, so a compromised or misconfigured client can act as a bridge between the two, and the excluded traffic gets none of the inspection or logging it would get inside the tunnel.
Local LAN Access: is a hybrid solution that tunnels all traffic over the VPN (encrypted) but allows unencrypted access to the local network the client is directly connected to. Note that this exception is restricted to that directly connected subnet only (think a home printer or NAS), not to the internet at large. Once configured and allowed on the ASA side, "Allow local LAN access" automatically detects and permits the local LAN connectivity while tunneling and securing everything else. Two caveats worth knowing: the user also has to tick "Allow local (LAN) access when using VPN (if configured)" in the AnyConnect client preferences, otherwise the exception is ignored; and hosts on that local subnet can still reach (and be reached by) the VPN endpoint, so it is a smaller hole than full split-tunneling rather than no hole at all.
A very high level example of each from the ASA CLI would look like this:
Local LAN access CLI config example:
    group-policy LOCAL_LAN_GP attributes
     split-tunnel-policy excludespecified
     split-tunnel-network-list value <standard acl name>
Split-tunnel CLI config example:
    group-policy SPLIT_TUNNEL_GP attributes
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value <acl name>
     split-tunnel-all-dns disable
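To make the difference concrete, here is a fuller ASA configuration that puts the two policies (plus the "tunnel everything" default) side by side, including the ACLs the fragments above only reference by placeholder. This is an added example written for this post, not configuration taken from the original page or from Cisco; the ACL, group-policy, tunnel-group names and the corporate prefixes are assumptions, so substitute your own. The `permit host 0.0.0.0` entry is the documented way to tell the AnyConnect client to exclude whatever subnet its physical adapter is directly on.

```text
! Added example (not from the original post). Names and prefixes are assumed.

! --- Local LAN access: tunnel everything except the directly connected subnet ---
access-list LOCAL_LAN_ACL standard permit host 0.0.0.0

group-policy LOCAL_LAN_GP internal
group-policy LOCAL_LAN_GP attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy excludespecified
 split-tunnel-network-list value LOCAL_LAN_ACL

! --- Split-tunneling: only the listed corporate prefixes go through the tunnel ---
! Everything else leaves the client unencrypted via its local default gateway.
access-list SPLIT_TUNNEL_ACL standard permit 10.0.0.0 255.0.0.0
access-list SPLIT_TUNNEL_ACL standard permit 172.16.0.0 255.240.0.0

group-policy SPLIT_TUNNEL_GP internal
group-policy SPLIT_TUNNEL_GP attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL_ACL
 split-tunnel-all-dns disable

! --- Full tunnel: no split-tunneling and no local LAN access ---
group-policy FULL_TUNNEL_GP internal
group-policy FULL_TUNNEL_GP attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall

! Bind one of the policies to a connection profile (tunnel-group name assumed)
tunnel-group REMOTE_USERS type remote-access
tunnel-group REMOTE_USERS general-attributes
 default-group-policy SPLIT_TUNNEL_GP
```

To check what actually got pushed, `show run group-policy SPLIT_TUNNEL_GP` confirms the policy on the ASA, and `show vpn-sessiondb anyconnect` shows which group policy a connected user landed in. On the client side, AnyConnect's Statistics window has a Route Details tab listing Secured and Non-Secured routes; with the local LAN policy you should see exactly one non-secured entry (the client's own subnet), with the split-tunnel policy you should see only the corporate prefixes as secured, and with the full-tunnel policy 0.0.0.0/0 as secured and nothing non-secured. If the local subnet does not show up as non-secured, the usual cause is the client-side "Allow local (LAN) access" preference being unchecked.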
A high level example of each from the ASDM perspective:
ASDM Group Policy config to allow local LAN access:
ASDM Group Policy config to allow split-tunneling:
Overview of each from the AnyConnect GUI perspective:
AnyConnect perspective when allowing local LAN access:
AnyConnect perspective when allowing split-tunneling:
AnyConnect with no local LAN access or split-tunneling allowed (tunnel and encrypt everything over the VPN):
See more VPN related topics via tags or tabs. Cheers!