VPN Split Tunneling Unsuccessful

Answered Question
Dec 3rd, 2009

I am working on creating a split tunnel to work with a test VPN group profile. We have an external proxy service that slows users down when they are VPN'd in because their web traffic then goes through us. My goal is to configure only private IPs to come through the tunnel; any requests to public IPs should go straight out the user's internet connection and not the VPN.

I have created an ACL on the firewall that includes all of the standard private 192, 172, and 10 scope IPs, and I set the VPN group profile to only tunnel based on those IP addresses.

However, when I perform this testing with the Cisco AnyConnect SSL VPN client and I look at the routing tab, it still shows 0.0.0.0 0.0.0.0 going through the VPN tunnel and isn't splitting the traffic. I have not tested this on the original Cisco VPN client yet.

The configuration guides that I have looked at seem to show I am setting it up correctly, but am I missing anything?

Thanks

busterswt Thu, 12/03/2009 - 17:04

Is there any chance you can post your ACLs, tunnel groups and group policies here?

Thanks,

James

ericn8484_2 Fri, 12/04/2009 - 05:20

Sure, here is my test group configuration:

object-group network DM_INLINE_NETWORK_1
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
group-policy TESTVPN internal
group-policy TESTVPN attributes
 wins-server value 172.16.9.221 172.16.9.222
 dns-server value 172.16.9.221 172.16.9.222
 vpn-idle-timeout 600
 vpn-session-timeout 600
 vpn-tunnel-protocol IPSec svc webvpn
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value TESTVPN
 secure-unit-authentication disable
 user-authentication disable
 nem enable
tunnel-group TESTVPN type remote-access
tunnel-group TESTVPN general-attributes
 address-pool VPN_Pool
 authentication-server-group VPN_Users
 default-group-policy TESTVPN
 dhcp-server 10.0.0.1
tunnel-group TESTVPN webvpn-attributes
 group-alias TestVPN enable
tunnel-group TESTVPN ipsec-attributes
 pre-shared-key *

busterswt Fri, 12/04/2009 - 05:30

Do you have an access list named 'TESTVPN', and does it only include the networks you want traversing through the tunnel?

- James

ericn8484_2 Fri, 12/04/2009 - 05:34

Oops, I apologize that I missed that part. The ACL created looks like:

access-list TESTVPN extended permit ip any object-group DM_INLINE_NETWORK_1

Which points to this:

object-group network DM_INLINE_NETWORK_1
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0

I did this via ASDM.

Correct Answer
busterswt Fri, 12/04/2009 - 05:56

Try swapping the source and destination in that ACL, then reconnect via client VPN and see if that makes a difference. You might also try specifying the local pool network used for the client VPN instead of 'any'.
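To make the mechanism behind this answer concrete, here is an added Python model (not code from the thread or from Cisco) of how a split-tunnel network list is turned into the routes pushed to the client. It assumes, consistent with the suggestion above and with the 0.0.0.0 route the asker saw in AnyConnect, that for an extended ACL the ASA takes the source field of each permit entry as the network to tunnel, so a source of `any` collapses to a default route through the tunnel. The object-group is copied from the thread; the VPN pool network is a labelled placeholder, since the thread never shows the addresses behind VPN_Pool.

```python
import ipaddress

# Object-group contents as posted in the thread.
OBJECT_GROUPS = {
    "DM_INLINE_NETWORK_1": [
        "10.0.0.0 255.0.0.0",
        "172.16.0.0 255.240.0.0",
        "192.168.0.0 255.255.0.0",
    ],
}

# Placeholder for the client address pool (VPN_Pool); the real range is not on the page.
PLACEHOLDER_POOL = "192.0.2.0 255.255.255.0"

# Constructed ACLs: the one from the thread, and the same entry with source and
# destination swapped and the pool network in place of 'any', as busterswt suggested.
ORIGINAL_ACL = ["access-list TESTVPN extended permit ip any object-group DM_INLINE_NETWORK_1"]
SWAPPED_ACL = [f"access-list TESTVPN extended permit ip object-group DM_INLINE_NETWORK_1 {PLACEHOLDER_POOL}"]


def _take_address(tokens, i, object_groups):
    """Parse one address field of an extended ACE starting at tokens[i].

    Returns the list of networks it names and the index of the next token.
    """
    t = tokens[i]
    if t == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if t == "host":
        return [ipaddress.ip_network(tokens[i + 1] + "/32")], i + 2
    if t == "object-group":
        nets = [ipaddress.ip_network(n.replace(" ", "/"), strict=False)
                for n in object_groups[tokens[i + 1]]]
        return nets, i + 2
    # Plain "address mask" form.
    return [ipaddress.ip_network(f"{t}/{tokens[i + 1]}", strict=False)], i + 2


def split_tunnel_routes(acl_lines, object_groups):
    """Return the networks a client would be told to route through the tunnel.

    Assumption (model, not vendor documentation): standard ACLs contribute the
    single network they permit; extended ACLs contribute their *source* field.
    Deny entries are ignored, since only permitted networks become routes.
    """
    routes = []
    for line in acl_lines:
        tokens = line.split()
        if tokens[:1] != ["access-list"] or tokens[3] != "permit":
            continue
        if tokens[2] == "standard":
            # access-list NAME standard permit ADDR MASK
            nets = [ipaddress.ip_network(f"{tokens[4]}/{tokens[5]}", strict=False)]
        elif tokens[2] == "extended":
            # access-list NAME extended permit PROTO SRC DST -> source starts at index 5
            nets, _ = _take_address(tokens, 5, object_groups)
        else:
            continue
        routes.extend(nets)
    return routes


def is_full_tunnel(routes):
    """True when a 0.0.0.0/0 route is pushed, i.e. split tunneling is not in effect."""
    return any(r.prefixlen == 0 for r in routes)


def goes_through_tunnel(address, routes):
    """Would traffic to this address be sent through the VPN under these routes?"""
    ip = ipaddress.ip_address(address)
    return any(ip in r for r in routes)


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("swapped", SWAPPED_ACL)):
        routes = split_tunnel_routes(acl, OBJECT_GROUPS)
        print(label, [str(r) for r in routes], "full tunnel:", is_full_tunnel(routes))
```

Running it shows the original entry producing a single 0.0.0.0/0 route, which is exactly the "0.0.0.0 0.0.0.0" line the asker saw in the AnyConnect routing tab, while the swapped entry yields the three RFC 1918 networks, so the internal DNS servers (172.16.9.221) are still reached through the tunnel and a public address is not.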

ericn8484_2 Fri, 12/04/2009 - 06:06

Great tips, I will try those suggestions later this afternoon.

Thanks!
