Cisco Support Community

Split tunneling breaks IOS VPN - 3.5 client


I have the configuration below working on a 1720. It works fine if I don't try to enable split tunneling. If I add the ACL 108 to the isakmp group then they can only get to the internet; they are unable to get to the private network. Anybody see any obvious mistakes?

Also, why can't the users get to the internet without split tunneling? I don't care if they had to go through the tunnel, actually I might prefer it. Why can't the router route and NAT the packets from the VPN clients?



version 12.2
no parser cache
service password-encryption
!
hostname access-1
!
logging buffered 4096 debugging
aaa new-model
!
aaa authentication login default group radius enable
aaa authentication login userauthen group radius enable
aaa authorization network groupauthor local
aaa session-id common
enable secret 5 xxxxxxxxxxxxxxxxxx
!
ip subnet-zero
!
ip domain-name
ip name-server
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group Remote-Users
 key cisco123
 pool VPN-IP
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface Ethernet0
 ip address
 ip access-group ACL-in in
 ip nat outside
 no cdp enable
 crypto map clientmap
!
interface FastEthernet0
 ip address
 ip nat inside
 speed auto
!
ip local pool VPN-IP
ip nat pool NAT-POOL prefix-length 28
ip nat inside source list 1 pool NAT-POOL overload
ip nat inside source static
ip classless
ip route
no ip http server
ip pim bidir-enable
!
ip access-list extended ACL-in
 deny ip host any
 deny ip any
 deny ip any
 deny ip any
 deny ip any
 permit tcp any any established
 permit tcp any host eq smtp
 permit tcp any host eq www
 permit udp host any eq ntp
 permit udp host any eq ntp
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any port-unreachable
 permit icmp any any net-unreachable
 permit icmp any any host-unreachable
 permit icmp any any administratively-prohibited
 permit icmp any any packet-too-big
 permit ip any
 permit udp any gt 1023 host eq domain
 permit udp any eq isakmp host eq isakmp
 permit esp any host
 permit tcp any any eq 22
 deny ip any any log
!
access-list 1 permit
access-list 108 permit ip any
!
radius-server host auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server key 7 xxxxxxxxxxxxxxxxxxxxx
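An added example, not part of the original thread and not the poster's or Cisco's configuration: a short Python linter that checks an IOS Easy VPN server config for the two settings that most often produce exactly the symptom described above, a split-tunnel ACL written with `any` as the source, and a standard numbered NAT ACL that cannot exempt inside-to-pool traffic from translation. The inside network 10.1.1.0/24, the pool 192.168.100.1-14 and both sample configs are constructed placeholders; the parser handles numbered ACLs only and ignores `range` port qualifiers (assumptions made to keep it short).

```python
"""Lint an IOS Easy VPN server config for two classic split-tunnel mistakes.
Added example with constructed placeholder addresses; not the poster's config.
Only numbered ACLs are parsed and `range` port qualifiers are not handled.
1. The `acl` under the client configuration group must list the inside
   network as SOURCE with destination `any`; `permit ip any <net>` matches
   nothing, so the client sends no inside traffic down the tunnel.
2. Inside -> VPN-pool traffic must be exempted from NAT with a `deny` in an
   extended ACL; a standard ACL (1-99) can only match the source.
"""
import re
from ipaddress import IPv4Address, IPv4Network


def parse_addr(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD).
    Returns (IPv4Network, or None for `any`, remaining tokens)."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return IPv4Network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    mask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
    return IPv4Network(f"{addr}/{mask}", strict=False), tokens[2:]


def acl_entries(cfg, number):
    """Yield (action, src_net, dst_net) for each line of numbered ACL `number`."""
    standard = number.isdigit() and int(number) < 100
    for line in cfg.splitlines():
        m = re.match(rf"^access-list {number} (permit|deny)\s+(.*)$", line.strip())
        if not m:
            continue
        action, rest = m.group(1), m.group(2).split()
        if standard:                        # standard ACL: source only
            yield action, parse_addr(rest)[0], None
        else:                               # extended ACL: proto src [port] dst
            src, rest = parse_addr(rest[1:])
            if rest and rest[0] in ("eq", "gt", "lt", "neq"):
                rest = rest[2:]             # drop a source port qualifier
            yield action, src, parse_addr(rest)[0]


def check_config(cfg):
    """Return a list of findings; an empty list means both checks pass."""
    findings, split_acl, in_group = [], None, False
    for line in cfg.splitlines():           # find `acl N` inside the group block
        if line.startswith("crypto isakmp client configuration group"):
            in_group = True
        elif not line.startswith(" "):
            in_group = False
        elif in_group and line.strip().startswith("acl "):
            split_acl = line.split()[1]
    if split_acl and any(a == "permit" and s is None
                         for a, s, _ in acl_entries(cfg, split_acl)):
        findings.append(f"access-list {split_acl}: source is 'any'; put the inside "
                        "network as source and 'any' as destination")
    pool = re.search(r"^ip local pool \S+ (\S+) (\S+)", cfg, re.M)
    nat = re.search(r"^ip nat inside source list (\S+) ", cfg, re.M)
    if pool and nat:
        first, last = IPv4Address(pool.group(1)), IPv4Address(pool.group(2))
        acl = nat.group(1)
        if acl.isdigit() and int(acl) < 100:
            findings.append(f"access-list {acl} is standard; it cannot exempt inside->"
                            "VPN-pool traffic from NAT (use an extended ACL with a deny)")
        elif not any(a == "deny" and d is not None and first in d and last in d
                     for a, _, d in acl_entries(cfg, acl)):
            findings.append(f"access-list {acl}: no deny covering the VPN pool "
                            f"{first}-{last}; replies to VPN clients get NATed")
    return findings


# Constructed sample: the shape of the thread's config, with placeholder addresses.
BROKEN_CONFIG = """\
crypto isakmp client configuration group Remote-Users
 key cisco123
 pool VPN-IP
 acl 108
ip local pool VPN-IP 192.168.100.1 192.168.100.14
ip nat inside source list 1 pool NAT-POOL overload
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 108 permit ip any 10.1.1.0 0.0.0.255
"""

# Same setup with the ACL orientation and the NAT exemption corrected.
FIXED_CONFIG = """\
crypto isakmp client configuration group Remote-Users
 key cisco123
 pool VPN-IP
 acl 108
ip local pool VPN-IP 192.168.100.1 192.168.100.14
ip nat inside source list 101 pool NAT-POOL overload
access-list 101 deny ip 10.1.1.0 0.0.0.255 192.168.100.0 0.0.0.15
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
access-list 108 permit ip 10.1.1.0 0.0.0.255 any
"""

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, check_config(cfg) or ["ok"])
```

Run against `BROKEN_CONFIG` the linter reports both problems; against `FIXED_CONFIG` it reports none, because the split-tunnel entry now names the inside network as source and the NAT ACL denies translation toward the pool before permitting everything else. The second question in the post has a related root cause: with no split-tunnel ACL, client traffic is decrypted on Ethernet0, the `ip nat outside` interface, so it never crosses an inside-to-outside boundary and the `ip nat inside source` rule does not apply to it on the way back out.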





Re: Split tunneling breaks IOS VPN - 3.5 client

Since there has been no response to your post, it appears to be either too complex or too rare an issue for other forum members to assist you. If you don't get a suitable response to your post, you may wish to review our resources at the online Technical Assistance Center or speak with a TAC engineer. You can open a TAC case online at

If anyone else in the forum has some advice, please reply to this thread.

Thank you for posting.
