RA VPN on ASA and Split Tunneling

Unanswered Question
May 28th, 2009
User Badges:

Hello Forum,

I'm having an issue with RA VPN and split tunneling. Our company doesn't allow split tunneling.

I have the following....

ASA 5520 - ASA Version - 8.0(3)

Group Policies defined for different groups. My test group, I thought I disabled split tunneling but they are still able to surf the net.

For Split Tunneling Policy...

Inherit is unchecked

I have "Tunnel Network List Below"

Testing_splitTunnelAcl is my acl. I have a bunch of host IPs in the list. I don't have any or in the list.

But they can still surf the net.

I would like to block access to net. No hairpinning or internet u-turns.

How do I do this?

Any help greatly appreciated.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Danilo Dy Sat, 05/30/2009 - 09:00
User Badges:
  • Blue, 1500 points or more

What does your Testing_spliTunnelAcl have?

To disable split tunneling, your Testing_spliTunnelAcl should only have this...


access-list Testing_splitTunnelAcl standard permit any


...which means all traffic will be encrypted and will be sent to ASA no matter what. If you add any IP Address, only those traffic destined to the IP Address in the list will be encrypted and send to ASA, everything else will go to internet from the client.

It may be confusing but try and see what happens.

sean-boston Mon, 06/01/2009 - 05:39
User Badges:

My split tunnel ACL has only IP addresses that I want to allow. I don't want to allow them access to the internet via split tunnel or tunneled.


This Discussion