08-11-2010 05:52 AM
I am configuring an SSL and IPSec VPN where I would like to tunnel all traffic except for traffic going to 10.0.0.0/16.
For the group policy I set the policy to "Exclude Network List Below", and then specified a network list which has a permit 10.0.0.0/16 statement (I have also tried making this deny).
At that point I connect to the VPN and it shows that it is "Mode: All Traffic". When I go to the route detail tab it shows a 0.0.0.0/0.0.0.0 for Secured Routes, but nothing under the Non-Secured Routes.
I've tried configuring it again from scratch, and making sure the Connection Profiles are using the correct group policy. I verified this by changing it to split tunnel, and at that point when I connect it sets the correct network under "Secured Routes".
Any suggestions?
08-11-2010 11:57 AM
Hi,
For the IPsec VPN Client, the below will work:
group-policy X attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value Y
For AnyConnect clients, in addition to the above, you will need to enable "Enable Local LAN Access" in the AnyConnect profile.
You can also make this parameter user-configurable in the profile, but in any case the XML profile needs to be configured and pushed to the client.
Thanks,
Naman
10-17-2013 11:04 AM
If you are using the Cisco AnyConnect client rather than the older VPN Client, you must turn on this checkbox before split-tunneling exclusions will work:
1) Open Cisco ASDM
2) Click Remote Access VPN section
3) In left-hand pane choose Network (Client) Access > AnyConnect Client Profile
4) Edit the profile and place a checkmark in the box next to Local LAN Access
5) Click OK and then disconnect/reconnect to VPN and check the AnyConnect details window for 'Route Details'. You should see your excluded networks in the 'Non-Secured Routes' section of the AnyConnect client.
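Putting Naman's group-policy lines and the ASDM checkbox above together as one complete ASA configuration. This is an added example, not configuration from either post; the object names SPLIT_EXCLUDE, GP_EXCLUDE, AC_PROFILE and RA_USERS, the profile path disk0:/ac_profile.xml, and the ASA 8.4-style keywords (ikev1 / ssl-client / anyconnect profiles) are assumptions, so adjust them to your own naming and software release.

```cisco
! --- Added example: tunnel all traffic except 10.0.0.0/16 (assumed names) ---

! With "excludespecified", the PERMIT lines of a standard ACL name the
! networks that stay OFF the tunnel. Deny lines have no meaning here.
access-list SPLIT_EXCLUDE standard permit 10.0.0.0 255.255.0.0

! Group policy: everything is tunneled except what SPLIT_EXCLUDE permits.
group-policy GP_EXCLUDE internal
group-policy GP_EXCLUDE attributes
 vpn-tunnel-protocol ikev1 ssl-client
 split-tunnel-policy excludespecified
 split-tunnel-network-list value SPLIT_EXCLUDE
 ! AnyConnect only honours the exclusion when a profile with
 ! Local LAN Access enabled is pushed to the client.
 webvpn
  anyconnect profiles value AC_PROFILE type user

! Register the profile XML written by ASDM (or uploaded by hand) under webvpn.
webvpn
 enable outside
 anyconnect profiles AC_PROFILE disk0:/ac_profile.xml
 anyconnect enable

! Bind the group policy to the connection profile the users actually hit;
! the original poster's symptom matches a tunnel-group still pointing at
! a different group policy.
tunnel-group RA_USERS type remote-access
tunnel-group RA_USERS general-attributes
 default-group-policy GP_EXCLUDE
```

The ASDM "Local LAN Access" checkbox in step 4 writes `<LocalLanAccess UserControllable="false">true</LocalLanAccess>` under `<ClientInitialization>` in that profile XML (set UserControllable="true" to let users toggle it, as Naman mentions). After reconnecting, 10.0.0.0/16 should appear under Non-Secured Routes on the client, and `show vpn-sessiondb detail anyconnect` on the ASA confirms which group policy the session received. Keep the excluded list minimal: anything it permits leaves the client unencrypted and outside the ASA's inspection and access-list policy.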