08-11-2010 05:52 AM
I am configuring an SSL and IPSec VPN where I would like to tunnel all traffic except for traffic going to 10.0.0.0/16.
For the group policy I set the policy to "Exclude Network List Below", and then specified a network list which has a permit 10.0.0.0/16 statement (I have also tried making this deny).
At that point I connect to the VPN and it shows that it is "Mode: All Traffic". When I go to the route detail tab it shows a 0.0.0.0/0.0.0.0 for Secured Routes, but nothing under the Non-Secured Routes.
I've tried configuring it again from scratch, and making sure the Connection Profiles are using the correct group policy. I verified this by changing it to split tunnel, and at that point when I connect it sets the correct network under "Secured Routes".
Any suggestions?
08-11-2010 11:57 AM
Hi,
For IPSec VPN Client the below will work
group-policy X
split-tunnel-policy excludespecified
split-tunnel-network-list value Y
For AnyConnect clients, in addition to the above you will need to enable "Enable Local LAN Access" in the AnyConnect profile.
You can also make this parameter User-Configurable in the profile but in any case, the XML profile needs to be configured and Pushed to the Client.
Thanks,
Naman
10-17-2013 11:04 AM
If you are using the Cisco AnyConnect client rather than the older VPN Client, you must turn on this checkbox before split-tunneling exclusions will work:
1) Open Cisco ASDM
2) Click Remote Access VPN section
3) In left-hand pane choose Network (Client) Access > AnyConnect Client Profile
4) Edit the profile and place a checkmark in the box next to Local LAN Access
5) Click OK and then disconnect/reconnect to VPN and check the AnyConnect details window for 'Route Details'. You should see your excluded networks in the 'Non-Secured Routes' section of the AnyConnect client.
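An added example (not from either answer above, and not Cisco's own tooling): a small Python audit that checks the three pieces both answers say must line up for an "exclude specified" split tunnel on AnyConnect: the group-policy holds `split-tunnel-policy excludespecified`, the named network list has entries, and the client profile XML carries `LocalLanAccess` set to true. The running-config excerpt and the profile XML are constructed for this example; the group-policy name `RA_POLICY` and the ACL name `LOCAL_LAN` are assumptions. The check treats the list's permit entries as the excluded networks, which is how the original poster's list is written.

```python
"""Audit an ASA group-policy and an AnyConnect profile for a working
'exclude specified' split tunnel. Added example; the config and XML
below are constructed, not taken from a real device."""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed ASA running-config excerpt (names RA_POLICY / LOCAL_LAN are assumptions).
ASA_CONFIG = """\
access-list LOCAL_LAN standard permit 10.0.0.0 255.255.0.0
group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value LOCAL_LAN
"""

# Constructed AnyConnect client profile excerpt with Local LAN Access enabled.
PROFILE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <LocalLanAccess UserControllable="true">true</LocalLanAccess>
  </ClientInitialization>
</AnyConnectProfile>
"""

ACL_RE = re.compile(r"^access-list (\S+) standard (permit|deny) (\S+) (\S+)$")


def parse_group_policy(config, name):
    """Return the split-tunnel settings of group-policy `name`, or None if absent."""
    lines = config.splitlines()
    try:
        start = lines.index(f"group-policy {name} attributes")
    except ValueError:
        return None
    settings = {"split_tunnel_policy": None, "network_list": None}
    for line in lines[start + 1:]:
        if not line.startswith(" "):      # attributes block ends at the next top-level command
            break
        words = line.split()
        if words[:1] == ["split-tunnel-policy"] and len(words) == 2:
            settings["split_tunnel_policy"] = words[1]
        elif words[:2] == ["split-tunnel-network-list", "value"] and len(words) == 3:
            settings["network_list"] = words[2]
    return settings


def parse_standard_acl(config, name):
    """Return (action, network) tuples for standard ACL `name`, masks converted to prefixes."""
    entries = []
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if m and m.group(1) == name:
            net = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
            entries.append((m.group(2), net))
    return entries


def local_lan_access_enabled(xml_text):
    """True when the profile's LocalLanAccess element is set to true (namespace ignored)."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "LocalLanAccess":
            return (el.text or "").strip().lower() == "true"
    return False


def audit(config, policy_name, xml_text):
    """Return a list of findings; an empty list means all three pieces line up."""
    findings = []
    gp = parse_group_policy(config, policy_name)
    if gp is None:
        return [f"group-policy {policy_name} has no attributes block"]
    if gp["split_tunnel_policy"] != "excludespecified":
        findings.append(f"split-tunnel-policy is {gp['split_tunnel_policy']}, expected excludespecified")
    if gp["network_list"] is None:
        findings.append("no split-tunnel-network-list configured")
    else:
        permits = [n for action, n in parse_standard_acl(config, gp["network_list"]) if action == "permit"]
        if not permits:
            findings.append(f"network list {gp['network_list']} has no permit entries, nothing will be excluded")
    if not local_lan_access_enabled(xml_text):
        findings.append("AnyConnect profile does not enable LocalLanAccess; exclusions will not appear as Non-Secured Routes")
    return findings


if __name__ == "__main__":
    for finding in audit(ASA_CONFIG, "RA_POLICY", PROFILE_XML) or ["OK: exclude-specified split tunnel fully configured"]:
        print(finding)
```

Run it against a `show running-config` capture and the profile pulled from the ASA's flash (the one ASDM edits in step 4) to see which of the three pieces is missing before reconnecting the client.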