I cannot get split tunnel to work on my production router.
int serial 0/0/0
ip add x.x.x.x x.x.x.x
ip nat outside
crypto map ipsec-map
int fast 0/0
ip add y.y.y.y y.y.y.y
ip nat inside
ip nat source inside list 101 interface serial 0/0/0 overload
access-list 101 deny ip 192.168.2.0 0.0.0.255 10.10.10.0 0.0.255.255 log
access-list 101 permit ip 192.168.2.0 0.0.0.255 any log
crypto map acl
access-list 102 permit ip 192.168.2.0 0.0.0.255 10.10.0.0 0.0.255.255 log
I can only get one or the other to work but not together.
Your thoughts are much appreciated. I have read about the order of operations with NAT, but still no dice.
I have had a similar problem and got around it by using a NAT pool and route map... this enabled me to split tunnel. Firstly, take out your line ip nat source inside list 101 interface serial 0/0/0 overload, then add the following.
ip nat pool 'name of pool' 'ip ext from' 'ip ext to' (can be the same as 'ip ext from') netmask 255.255.255.252
ip nat inside source route-map nonat pool 'name of pool' overload
route-map nonat permit 10
match ip address 101
Hope it works for you.
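
Added example, not part of either post: a small Python model of why the deny line in access-list 101 matters. On IOS, inside-to-outside NAT is evaluated before the crypto map, so any flow the NAT ACL permits has its source rewritten and no longer matches access-list 102. The ACL entries are copied from the thread; the function names and the sample flow addresses are constructed for illustration.

```python
import ipaddress

# ACL entries from the thread: (action, src, src_wildcard, dst, dst_wildcard)
ACL_101 = [  # NAT ACL, matched by route-map nonat
    ("deny", "192.168.2.0", "0.0.0.255", "10.10.10.0", "0.0.255.255"),
    ("permit", "192.168.2.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),  # "any"
]
ACL_102 = [  # crypto map ACL
    ("permit", "192.168.2.0", "0.0.0.255", "10.10.0.0", "0.0.255.255"),
]

def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def _wild_match(addr, base, wildcard):
    """IOS wildcard match: bits set in the wildcard are ignored."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)

def acl_permits(acl, src, dst):
    """First matching entry wins; no match is the implicit deny."""
    for action, s, sw, d, dw in acl:
        if _wild_match(src, s, sw) and _wild_match(dst, d, dw):
            return action == "permit"
    return False

def classify(src, dst, nat_acl=ACL_101, crypto_acl=ACL_102):
    """Model the inside-to-outside order: NAT first, then the crypto map."""
    if acl_permits(nat_acl, src, dst):
        # Source becomes the pool address, so the crypto ACL
        # (which matches 192.168.2.x) never sees this flow.
        return "nat"
    if acl_permits(crypto_acl, src, dst):
        return "tunnel"
    return "clear"  # forwarded untranslated and unencrypted

if __name__ == "__main__":
    # Constructed sample flows (addresses are illustrative only).
    flows = [("192.168.2.25", "10.10.44.7"), ("192.168.2.25", "198.51.100.9")]
    for src, dst in flows:
        print(src, "->", dst, classify(src, dst))
    # Same VPN-bound flow with the deny line removed from the NAT ACL:
    print("without deny:", classify("192.168.2.25", "10.10.44.7", nat_acl=ACL_101[1:]))
```

Any flow that access-list 102 permits should come back as "tunnel"; a result of "nat" for VPN-bound traffic means the NAT ACL is missing the matching deny.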