Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

RA VPN on ASA and Split Tunneling

Hello Forum,

I'm having an issue with RA VPN and split tunneling. Our company doesn't allow split tunneling.

I have the following....

ASA 5520 - ASA Version - 8.0(3)

Group Policies defined for different groups. My test group, I thought I disabled split tunneling but they are still able to surf the net.

For Split Tunneling Policy...

Inherit is unchecked

I have "Tunnel Network List Below"

Testing_splitTunnelAcl is my acl. I have a bunch of host IPs in the list. I don't have any or in the list.

But they can still surf the net.

I would like to block access to net. No hairpinning or internet u-turns.

How do I do this?

Any help greatly appreciated.



Re: RA VPN on ASA and Split Tunneling

What does your Testing_spliTunnelAcl have?

To disable split tunneling, your Testing_spliTunnelAcl should only have this...


access-list Testing_splitTunnelAcl standard permit any


...which means all traffic will be encrypted and will be sent to ASA no matter what. If you add any IP Address, only those traffic destined to the IP Address in the list will be encrypted and send to ASA, everything else will go to internet from the client.

It may be confusing but try and see what happens.

New Member

Re: RA VPN on ASA and Split Tunneling

My split tunnel ACL has only IP addresses that I want to allow. I don't want to allow them access to the internet via split tunnel or tunneled.

CreatePlease to create content