Internet access for Remote VPN users

Unanswered Question
Jan 25th, 2008


I have a Cisco ASA 5510. I configured remote VPN for roaming users who connect through the VPN client. My email and one application are working fine, but the users also want web browsing through it. Is there any option in ASDM through which we can easily manage accessibility for VPN client users (roaming users)? All my VPN users are in a single group.

pjhenriqs Fri, 01/25/2008 - 03:20


The PIX/ASA has the split tunneling feature, which you must configure for your remote access VPN in order to achieve what you want.

Check out this link:

What split tunneling does is basically send all the VPN traffic through the tunnel, while everything else is sent through your normal Internet connection.



sujitkr7cisco Fri, 01/25/2008 - 11:14


Thanks. I am already using split tunnel, but when I connect through the VPN client, mail and applications are running but we are not able to use the web browser.

pjhenriqs Fri, 01/25/2008 - 08:19

That's true.

The advantage of split tunneling is that you are not adding extra latency by encrypting the "Internet" traffic, sending it to the firewall and then back out the other way.

Yet split tunneling has some risk involved, because if the user's PC is compromised then the attacker might also have access to company resources.

The solution Arul gave solves that problem, since I would guess it makes life a lot more complicated for the attacker.

I think it's a trade-off you have to decide.



sujitkr7cisco Wed, 01/30/2008 - 22:08


Thanks for your suggestion.

I am using the split tunnel concept, but there is a problem with Internet access.

Thanks and regards,


fortis123 Fri, 02/01/2008 - 07:19


Not sure if this is already resolved, but I had the same issue; the split tunnel configuration was wrong on my end.

In your split tunnel ACLs, if you are tunnelling all the traffic, then this raises the issue.

Check the split tunnel permitted ACL and make sure you configure it with only your internal network range (not 'ALL').
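The two configurations pjhenriqs and fortis123 are talking about, side by side, as an added example that is not code from the thread or from Cisco. On the ASA the group policy's `split-tunnel-network-list` names a standard ACL, and only destinations matched by its permit entries are sent into the tunnel; an entry of `any` (or `split-tunnel-policy tunnelall`) therefore pulls the client's Internet traffic into the tunnel as well, where the ASA's default behaviour is not to send it back out the interface it arrived on, which is the symptom in this thread. The script below embeds a constructed "weak" config and a constructed "fixed" config (the object names SPLIT_TUNNEL and ROAMING and the address ranges are assumptions), parses the network list, reports entries that tunnel everything or are outside RFC 1918, and answers whether a given destination would be tunnelled. It also covers `tunnelall`, which the thread does not mention but which has the same effect.

```python
"""Audit a Cisco ASA split-tunnel configuration for the mistake described
in the thread: a network list that matches everything, forcing Internet
traffic into the tunnel. Added example; not code from the original post.
"""
import ipaddress
import re

# Constructed sample configs (not from the original thread). The object
# names SPLIT_TUNNEL / ROAMING and the address ranges are assumptions.
WEAK_CONFIG = """\
access-list SPLIT_TUNNEL standard permit any
group-policy ROAMING attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
"""

FIXED_CONFIG = """\
access-list SPLIT_TUNNEL standard permit 10.10.0.0 255.255.0.0
access-list SPLIT_TUNNEL standard permit 192.168.50.0 255.255.255.0
group-policy ROAMING attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Standard ACL permit entry: "access-list NAME standard permit TARGET"
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+standard\s+permit\s+(.+?)\s*$")


def parse_policy(config):
    """Return (split_tunnel_policy, network_list_name) from the group-policy."""
    policy = re.search(r"split-tunnel-policy\s+(\S+)", config)
    acl = re.search(r"split-tunnel-network-list value\s+(\S+)", config)
    return (policy.group(1) if policy else None,
            acl.group(1) if acl else None)


def tunneled_networks(config, acl_name):
    """Collect the permit entries of the named standard ACL as ip_network objects."""
    nets = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if not m or m.group(1) != acl_name:
            continue
        target = m.group(2).split()
        if target == ["any"]:
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        elif target[0] == "host":
            nets.append(ipaddress.ip_network(target[1]))
        else:
            addr, mask = target          # "NET MASK" form, e.g. 10.10.0.0 255.255.0.0
            nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return nets


def is_tunneled(config, dest):
    """Would a VPN client's traffic to dest take the tunnel under this config?"""
    policy, acl_name = parse_policy(config)
    if policy == "tunnelall":
        return True
    ip = ipaddress.ip_address(dest)
    return any(ip in net for net in tunneled_networks(config, acl_name))


def audit(config):
    """Return findings; an empty list means only internal ranges are tunnelled."""
    policy, acl_name = parse_policy(config)
    if policy == "tunnelall":
        return ["tunnelall: every packet, Internet included, goes through the tunnel"]
    findings = []
    for net in tunneled_networks(config, acl_name):
        if net.prefixlen == 0:
            findings.append(f"{acl_name}: 'any' tunnels all traffic")
        elif not any(net.subnet_of(p) for p in RFC1918):
            findings.append(f"{acl_name}: {net} is not an internal (RFC 1918) range")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit(cfg) or "ok",
              "| 8.8.8.8 tunnelled:", is_tunneled(cfg, "8.8.8.8"))
```

Run against a `show running-config` capture, the audit flags the `any` entry in the weak config and returns nothing for the fixed one; `is_tunneled` shows that with the fixed list a public address leaves via the client's own connection while the internal ranges still go through the tunnel.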



