A little clarity on your question please? It seems as though you are describing split tunneling as have both Internet and LAN traffic going through the concentrator. Thi is the exact opposite of split tunneling. That is "Tunnel Everything" mode. If you check on the concentrator under Configuration, User Management, Groups then slect the group you want to allow split tunneling for, click Modify Group and go under the mode config tab you shold see where you can set up your split tunnel policy. The navigation may be a litlle different depending on what version software you are running on the concentrator. FYI, Cisco recommends that you not allow split tunneling if you want the highest level of secutiy. I noticied you said that once connected your VPN clients can't get back out to the Internet. Do you have a tunnel default gateway set on your Concentrator? It should be the same as the default gateway for you LAN. Perhaps you can try this first and if your users can still get to the Internet when connected to the VPN you can let that be your setup since this is more secure .