Cisco Support Community

New Member

VPN Split Tunneling Unsuccessful

I am working on creating a split tunnel to work with a test VPN group profile. We have an external proxy service that slows users down when they are VPN'd in because their web traffic then goes through us. My goal is to configure only private IPs to come through the tunnel; any requests to public IPs should go straight out the user's internet connection and not the VPN.

I have created an ACL on the firewall that includes all of the standard private 192, 172, and 10 scope IPs, and I set the VPN group profile to only tunnel based on those IP addresses.

However, when I perform this testing with the Cisco AnyConnect SSL VPN client and I look at the routing tab, it still shows 0.0.0.0 0.0.0.0 going through the VPN tunnel and isn't splitting the traffic. I have not tested this on the original Cisco VPN client yet.

The configuration guides that I have looked at seem to show I am setting it up correctly, but am I missing anything?

Thanks

6 REPLIES
Bronze

Re: VPN Split Tunneling Unsuccessful

Is there any chance you can post your ACLs, tunnel groups and group policies here?

Thanks,

James

New Member

Re: VPN Split Tunneling Unsuccessful

Sure, here is my test group configuration:

object-group network DM_INLINE_NETWORK_1
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0

group-policy TESTVPN internal
group-policy TESTVPN attributes
 wins-server value 172.16.9.221 172.16.9.222
 dns-server value 172.16.9.221 172.16.9.222
 vpn-idle-timeout 600
 vpn-session-timeout 600
 vpn-tunnel-protocol IPSec svc webvpn
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value TESTVPN
 secure-unit-authentication disable
 user-authentication disable
 nem enable

tunnel-group TESTVPN type remote-access
tunnel-group TESTVPN general-attributes
 address-pool VPN_Pool
 authentication-server-group VPN_Users
 default-group-policy TESTVPN
 dhcp-server 10.0.0.1
tunnel-group TESTVPN webvpn-attributes
 group-alias TestVPN enable
tunnel-group TESTVPN ipsec-attributes
 pre-shared-key *

Bronze

Re: VPN Split Tunneling Unsuccessful

Do you have an access list named 'TESTVPN', and does it only include the networks you want traversing through the tunnel?

- James

New Member

Re: VPN Split Tunneling Unsuccessful

Oops, I apologize that I missed that part. The ACL I created looks like:

access-list TESTVPN extended permit ip any object-group DM_INLINE_NETWORK_1

Which points to this:

object-group network DM_INLINE_NETWORK_1        
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0

I did this via ASDM.

Bronze

Re: VPN Split Tunneling Unsuccessful (Accepted Solution)

Try swapping the source and destination in that ACL, then reconnect via client VPN and see if that makes a difference. You might also try specifying the local pool network used for the client VPN instead of 'any'.

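The accepted answer above in configuration form, as an added example that is not part of the original thread. The ASA builds the split-tunnel route list from the source field of an extended ACL, so the poster's ACL with a source of 'any' pushes 0.0.0.0/0 to the client, which is exactly the full-tunnel route seen in AnyConnect. The corrected ACL puts the private networks in the source and the client pool in the destination; the pool subnet 10.255.0.0/24 is an assumption, since the thread never shows what VPN_Pool contains. Note that once this works, web traffic to public addresses no longer passes through the corporate proxy at all, which is the poster's goal but also removes that inspection point for VPN users.

```cisco
! Added example, not from the original thread. Assumes the AnyConnect address
! pool VPN_Pool is 10.255.0.0/24 (the pool subnet is not shown in the thread).

! Original ACL (produces a full tunnel): private networks in the DESTINATION,
! source 'any'. The ASA takes split-tunnel networks from the SOURCE of an
! extended ACL, so the client receives 0.0.0.0/0.
!   access-list TESTVPN extended permit ip any object-group DM_INLINE_NETWORK_1

! Corrected extended ACL: source = networks reached through the tunnel,
! destination = the client pool ('any' also works here).
no access-list TESTVPN extended permit ip any object-group DM_INLINE_NETWORK_1
access-list TESTVPN extended permit ip object-group DM_INLINE_NETWORK_1 10.255.0.0 255.255.255.0

! Equivalent and simpler: a standard ACL lists the tunneled networks directly.
! An ACL name holds either standard or extended entries, not both, so pick one form.
!   access-list TESTVPN standard permit 10.0.0.0 255.0.0.0
!   access-list TESTVPN standard permit 172.16.0.0 255.240.0.0
!   access-list TESTVPN standard permit 192.168.0.0 255.255.0.0

! The group policy already references the list; shown for completeness.
group-policy TESTVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value TESTVPN

! Verify on the ASA, then reconnect the client and recheck the Route Details tab.
! (On releases that use the 'anyconnect' keyword, replace 'svc' below.)
!   show running-config access-list TESTVPN
!   show running-config group-policy TESTVPN
!   show vpn-sessiondb detail svc
```

After reconnecting, the client's Route Details tab should list the three RFC 1918 blocks as secured routes instead of 0.0.0.0/0; if it still shows the default route, check that the group policy in use is TESTVPN (the tunnel-group's default-group-policy) and not an inherited policy with a different split-tunnel setting.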
New Member

Re: VPN Split Tunneling Unsuccessful

Great tips, I will try those suggestions later this afternoon.

Thanks!
