Split tunnel with a difference

Unanswered Question
Aug 13th, 2009
User Badges:

I need to configure a VPN3020 to tunnel everthing from RA clients except a specific internet subnet

So I need clients to access all networks except the a.b.c.d/24 network which I need them to access directly from their internet connection.

I have played with the split tunnel options but cannot get this to work.

The only way I can see is to set a tunnel list and list all possible networks except the a.b.c.d/24 network

there must be an easier way?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
simplecisco Thu, 08/13/2009 - 04:32
User Badges:

We are now using a cloud based web filtering solution so clients at home need access to this directly from the laptop and also need vpn access to internal networks. I could tunnel only internal networks but that means clients could access everything on the internet. I only want to bypass the tunnel for a single internet routeable range.

simplecisco Thu, 08/13/2009 - 04:57
User Badges:

I did that but when I bring up statistics it says secured routes

No networks showing in Local Lan?

I am in the right place then.....

simplecisco Thu, 08/13/2009 - 05:38
User Badges:

Which bit? The Client config?

Where do I configure the exception?

I have the networks I do not want to tunnel in the Split Tunneling Network List.

Split Tunneling policy set to Tunnel Everything & allow networks in list to bypass tunnel is ticked.

However when connecing secured routes are not local lan routes?

simplecisco Thu, 08/13/2009 - 10:07
User Badges:

Thanks for the info, I have already tried to configure that and it achieves the result partly.

I specify the internal networks which get tunneled and everything else can go direct out the clients broadband however I want to limit what goes out direct to only a specific subnet.

For some reason the split tunnel policiy is not working.

So the only way I can see of achieving this is to create an Inside network list which consists of every network from 1-197 then every network from 199 - 255

Leaving out the required 197.*.*.* network which I want to route directly

Just need to get clever with the wildcard masks!

I have attached the screenshot again.

What you need to try is:-

1) Create a network list with

2) Configure on the clientConfig

Enable - Tunnel Everything

Enable - Allow the networks in the list to bypass the tunnel

Choose your network list in the "Split tunnel network list" for the

Then ALL traffic should be encrypted - except the 197.x.x.x

simplecisco Fri, 08/14/2009 - 05:51
User Badges:

that is what I originally tried and it didn't work. So I was racking my brains trying something else.

I will revisit it again.

thanks for all your advice


This Discussion