Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

split tunnel based on remote user location

Good afternoon,

For remote vpn users, I would like to configure a dynamic vpn split tunnel depending where are they connected.

For example if a remote user is connected to ASA from italy, auth via acs radius server, a split tunnel list will be applied allowing user to access local resources, if the same user is connecting from germany, apply a split tunnel list allowing the local resources for germany office...

is it possible to achieve this? any link or documentation related?

Thanks for your support

New Member

Re: split tunnel based on remote user location

Hi their sure you can do this.

If your User conencts you have to assign him a dACL and Shared RAC based on the Network Access Profile and the NAF for your locations.


create a Network Access Filter for Germany with all your german ASAs one for Italy with all your italian ASAs etc.

create a "Germany" Shared RAC with the important german settings (DNS wins etc)

Create a "Italy" Shared RAC with the settings for Italy

create dACL (for each location)

then go and create a Network access Profile for germany and one for italy - apply the network filter and assign  under authorization the dACL and sRAC.

Should work without problems

Maybe have a look here:


Cheers Michael

New Member

Re: split tunnel based on remote user location

I am working with ACS appliance v 5.1 for radius authentication/authorization

All clients are connecting to the same central ASA.

I have found in ACS Policy Elements - End station filters - Where I think I can diffrentiate where are the clients located.

Anybody knows if end station filters refer to the clients network or to the asa?

Thnks and best regards


CreatePlease to create content