
Split-tunnel Problem

I have a strange issue with split-tunnel operation on a PIX firewall.

There is a VPN client connection configured, which works fine. However, split tunnel is configured, which allows simultaneous access to the internal network and the internet. But by my reading of the configuration it shouldn't!! The split tunnel ACL matches any traffic, therefore only access to the internal network should be possible. What am I missing?

Here are sections of the config, the firewall is running PIX V7.0 software.

tunnel-group customer-Remote type ipsec-ra
tunnel-group customer-Remote general-attributes
 address-pool remote-cust
 authentication-server-group GG-VPN-Users LOCAL
 authorization-server-group LOCAL
 default-group-policy customer-Remote

group-policy customer-Remote internal
group-policy customer-Remote attributes
 banner value Access to this device is strictly for customer employees only.
 banner value This link is fully monitored and any unauthorized users will be prosecuted
 banner value to the full extent of the law in the country in which the access was initiated.
 dns-server value
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value customer-Remote_splitTunnelAcl
 default-domain value

access-list customer-Remote_splitTunnelAcl; 1 elements
access-list customer-Remote_splitTunnelAcl line 1 standard permit any


Re: Split-tunnel Problem

Be more specific with your ACL - make it an extended ACL, allowing communication only between your remote clients and local networks.

I'm a bit confused by what you want, do you want to allow split tunneling or not?

Re: Split-tunnel Problem

I have inherited this configuration; split-tunneling is required, and is working with this configuration.

I just don't understand how it is working. From my understanding, the split-tunnel ACL defines the traffic that should go through the VPN. As it specifies "any", all traffic should go through, but it doesn't. If someone can explain why, I would be grateful.


Re: Split-tunnel Problem


You are correct in your assumption.

While you are connected to the VPN, please open your client and select Status -> Statistics -> Route Details. On the Secured Routes pane you should see

Is it possible you are using outside nat for the vpn clients? Something like this...

nat (outside) 1 outside
global (outside) 1 interface
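To make the point of this thread concrete, here is an added example (not from any poster, and not Cisco code) that evaluates a PIX standard split-tunnel ACL the way the client applies it under split-tunnel-policy tunnelspecified: every permit entry becomes a secured route, and a destination is tunneled if its first matching entry is a permit. It runs the inherited "permit any" list beside a hypothetical narrowed list (10.1.0.0/16 is a made-up stand-in for the customer's internal network) so you can see that "permit any" is effectively a full tunnel, and that any internet reachability in that state has to come from the PIX itself (the outside-NAT arrangement suggested above), not from the client sending traffic in the clear.

```python
import ipaddress

# Constructed sample input: the split-tunnel ACL quoted in the thread, and a
# hypothetical narrowed version (10.1.0.0/16 is an assumed internal network).
INHERITED_ACL = [
    "access-list customer-Remote_splitTunnelAcl; 1 elements",
    "access-list customer-Remote_splitTunnelAcl line 1 standard permit any",
]
NARROWED_ACL = [
    "access-list customer-Remote_splitTunnelAcl line 1 standard permit 10.1.0.0 255.255.0.0",
]
ACL_NAME = "customer-Remote_splitTunnelAcl"


def parse_standard_acl(lines, acl_name):
    """Parse 'access-list NAME [line N] standard {permit|deny} <target>' lines.

    <target> is 'any', 'host A.B.C.D' or 'A.B.C.D MASK'.  The 'NAME; N elements'
    summary line has a trailing ';' on the name and is skipped.  Returns a list
    of (action, IPv4Network) in ACL order.
    """
    entries = []
    for raw in lines:
        tok = raw.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[1] != acl_name:
            continue
        if "standard" not in tok:
            continue
        i = tok.index("standard")
        action, target = tok[i + 1], tok[i + 2:]
        if target[0] == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif target[0] == "host":
            net = ipaddress.ip_network(target[1] + "/32")
        else:  # network + dotted mask, as PIX prints it
            net = ipaddress.ip_network(f"{target[0]}/{target[1]}", strict=False)
        entries.append((action, net))
    return entries


def secured_routes(entries):
    """Under tunnelspecified, each permit entry is pushed to the client as a secured route."""
    return [str(net) for action, net in entries if action == "permit"]


def is_tunneled(dst, entries):
    """First match wins, as in ACL evaluation; an unmatched destination goes in the clear."""
    addr = ipaddress.ip_address(dst)
    for action, net in entries:
        if addr in net:
            return action == "permit"
    return False


def is_effectively_full_tunnel(entries):
    """True when no destination can bypass the tunnel (a 'permit any' with no deny ahead of it)."""
    for action, net in entries:
        if action == "deny":
            return False  # a deny ahead of the permit carves out clear-text destinations
        if net.prefixlen == 0:
            return True  # 'permit any': every destination is a secured route
    return False


if __name__ == "__main__":
    for label, acl in (("inherited", INHERITED_ACL), ("narrowed", NARROWED_ACL)):
        entries = parse_standard_acl(acl, ACL_NAME)
        print(label, "secured routes:", secured_routes(entries))
        for dst in ("10.1.2.3", "198.51.100.7"):
            print(f"  {dst}: {'tunnel' if is_tunneled(dst, entries) else 'clear'}")
        print("  full tunnel in effect:", is_effectively_full_tunnel(entries))
```

With the inherited list the only secured route is 0.0.0.0/0, which matches what the client's Route Details pane shows when there are no local LAN routes; the narrowed list is what a genuine split tunnel looks like, with internet destinations falling off the end of the ACL and leaving the client directly.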

Re: Split-tunnel Problem

The secured routes are as you suggest, and there are no local LAN routes.

There are NAT rules:

nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1

and the IP addresses in the pool are included in the ACL inside_nat0_outbound.

However, I don't think the traffic is going through and then to the internet. If I run a tracert from my local PC to, it takes the same route with the client running as without. The first hop is my local ADSL router in both cases.