Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Split Tunnel - Permit via VPN, split-tunnel specific Internet host

Hello Everyone;

OK, here's the situation:

Remote user with 3002 VPN client appliance or 3.5 client depending upon site, 3005 VPN Concentrator at head end. Routing to Internet out of the 3005 via PIX.

I have customer with an Altiga box (3005 concentrator). I an in a situation whereby the customer's security policy requires ALL (and I mean ALL) Internet traffic to route through a VPN to the 3005 and then out the PIX firewall.

The VPN users are currently able to use the Internet through the VPN. But now, we need them to be able to access specific hosts on the Internet for streaming video-conferences that are not in the VPN.

We believe that we should be able to create SA policies whereby a deny specific hosts from being routed through the VPN on a split-tunnel but route all other Internet traffic through the VPN.

I know this sounds a bit bandwith gluttonous but this is what the customer wants. I cannot find any place in the 3005 configurations pages that would allow me to set up a 'denied' or 'bypass the VPN' for a single host.

I will be setting up a LAB to test with a PIX since we have great control over things with access-list(s). Has anyone ever attempted such a "unique" configuration?

Jabs and Jibes are OK but real suggestions are appreciated.

Chris Johnnston <>

New Member

Re: Split Tunnel - Permit via VPN, split-tunnel specific

1. Create a Network List (Configuration - Policy Management - Traffic Management - Network Lists) with all the Addresses, traffic to which has to bypass tunneling.

2. For the Group Configured for VPN3002, Select Tunnel Everything and check "Allow the networks in the list to bypass tunneling" and select the previuosly configured network list. This option can be found in the Mode Config tab.

CreatePlease to create content