Split tunnel with a difference

Unanswered Question
Aug 13th, 2009

I need to configure a VPN3020 to tunnel everything from RA clients except a specific internet subnet.


So I need clients to access all networks except the a.b.c.d/24 network, which I need them to access directly from their internet connection.


I have played with the split tunnel options but cannot get this to work.


The only way I can see is to set a tunnel list and list all possible networks except the a.b.c.d/24 network.


There must be an easier way?

simplecisco Thu, 08/13/2009 - 04:32

We are now using a cloud based web filtering solution so clients at home need access to this directly from the laptop and also need vpn access to internal networks. I could tunnel only internal networks but that means clients could access everything on the internet. I only want to bypass the tunnel for a single internet routeable range.



simplecisco Thu, 08/13/2009 - 04:57

I did that, but when I bring up statistics it says secured routes 0.0.0.0 0.0.0.0.


No networks showing in Local LAN?


I am in the right place then...



simplecisco Thu, 08/13/2009 - 05:38

Which bit? The Client config?


Where do I configure the exception?


I have the networks I do not want to tunnel in the Split Tunneling Network List.


Split Tunneling policy set to Tunnel Everything & allow networks in list to bypass tunnel is ticked.


However, when connecting, secured routes are 0.0.0.0, not local LAN routes?

simplecisco Thu, 08/13/2009 - 10:07

Thanks for the info, I have already tried to configure that and it achieves the result partly.


I specify the internal networks which get tunneled and everything else can go direct out the client's broadband; however, I want to limit what goes out direct to only a specific subnet.


For some reason the split tunnel policy is not working.


So the only way I can see of achieving this is to create an Inside network list which consists of every network from 1-197, then every network from 199-255,


leaving out the required 197.*.*.* network which I want to route directly.


Just need to get clever with the wildcard masks!



I have attached the screenshot again.


What you need to try is:

1) Create a network list with 197.0.0.0 255.0.0.0

2) Configure on the clientConfig:

   Enable - Tunnel Everything

   Enable - Allow the networks in the list to bypass the tunnel

   Choose your network list in the "Split tunnel network list" for the 197.0.0.0


Then ALL traffic should be encrypted, except the 197.x.x.x.
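The two policies discussed in this thread ("Tunnel Everything" with a bypass list, versus tunnelling only the internal networks and letting everything else go direct) and the "list every network except 197" workaround can be modelled and checked offline. The following is an added example, not code from the thread or from Cisco: it uses Python's standard ipaddress module, takes the 197.0.0.0/8 range from the thread, treats a network-list entry as "address wildcard-mask" text, and the sample destinations are constructed. It also generalises the workaround: the complement of any single prefix is at most one sibling block per prefix length, so the exclusion list is short rather than hundreds of entries.

```python
import ipaddress
from typing import Iterable, List

IPv4Net = ipaddress.IPv4Network

# The two Client Config policies, modelled here (hypothetical names, not Cisco identifiers):
TUNNEL_EVERYTHING_EXCEPT = "tunnel_everything_except"  # list = networks that bypass the tunnel
TUNNEL_ONLY = "tunnel_only"                            # list = networks that are tunnelled


def goes_through_tunnel(dst: str, policy: str, network_list: Iterable[str]) -> bool:
    """Decide whether a packet to `dst` is sent through the VPN under `policy`."""
    addr = ipaddress.ip_address(dst)
    in_list = any(addr in ipaddress.ip_network(n, strict=False) for n in network_list)
    if policy == TUNNEL_EVERYTHING_EXCEPT:
        return not in_list
    if policy == TUNNEL_ONLY:
        return in_list
    raise ValueError(f"unknown policy {policy!r}")


def complement_list(excluded: str, space: str = "0.0.0.0/0") -> List[IPv4Net]:
    """Minimal CIDR list covering all of `space` except `excluded`.

    This is what the thread's workaround ("every network from 1-197, then 199-255")
    boils down to: excluding one /8 from 0.0.0.0/0 needs only 8 entries, not 254.
    """
    outer = ipaddress.ip_network(space)
    excl = ipaddress.ip_network(excluded, strict=False)
    return sorted(outer.address_exclude(excl))


def as_wildcard_entries(nets: Iterable[IPv4Net]) -> List[str]:
    """Render networks as 'address wildcard' pairs, the form a network list takes
    (wildcard = inverted mask, so 197.0.0.0/8 -> '197.0.0.0 0.255.255.255')."""
    return [f"{n.network_address} {n.hostmask}" for n in nets]


def direct_destinations(policy: str, network_list: Iterable[str],
                        samples: Iterable[str]) -> List[str]:
    """Which of `samples` leave the client directly, outside the VPN and its
    controls? This is the exposure each policy leaves open."""
    nets = list(network_list)
    return [d for d in samples if not goes_through_tunnel(d, policy, nets)]


def workaround_matches(excluded: str, samples: Iterable[str]) -> bool:
    """True if 'tunnel only the complement list' makes the same decision as
    'tunnel everything except `excluded`' for every sample address."""
    comp = [str(n) for n in complement_list(excluded)]
    return all(
        goes_through_tunnel(d, TUNNEL_ONLY, comp)
        == goes_through_tunnel(d, TUNNEL_EVERYTHING_EXCEPT, [excluded])
        for d in samples
    )


if __name__ == "__main__":
    # Constructed sample destinations: an internal host, the filtering service
    # range from the thread, and two unrelated Internet addresses.
    samples = ["10.1.2.3", "197.1.2.3", "8.8.8.8", "198.51.100.7"]
    print("tunnel everything except 197/8 -> direct:",
          direct_destinations(TUNNEL_EVERYTHING_EXCEPT, ["197.0.0.0/8"], samples))
    print("tunnel only 10/8 -> direct:",
          direct_destinations(TUNNEL_ONLY, ["10.0.0.0/8"], samples))
    print("complement of 197.0.0.0/8 as network-list entries:")
    for entry in as_wildcard_entries(complement_list("197.0.0.0/8")):
        print("  ", entry)
```

Running it shows the difference the poster is after: with "Tunnel Everything" plus a bypass list, only 197.x addresses leave the client directly, whereas tunnelling only the internal networks sends every non-internal destination out the client's own connection. The complement list printed at the end is the eight-entry equivalent of the manual "1-197, then 199-255" list, if the bypass policy really cannot be made to work.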



simplecisco Fri, 08/14/2009 - 05:51

That is what I originally tried and it didn't work. So I was racking my brains trying something else.


I will revisit it again.


Thanks for all your advice.


