Disable split tunneling on VPN

jandersoncronin
Level 1

Hi all,

I need to create a VPN and have split tunneling disabled, so that all traffic, including Internet traffic, goes over the VPN back to headquarters and out that Internet pipe or to the network. I will be using the Cisco VPN client software and connecting to a 2811 router running IOS ver 12.3(8r)T7. I am pretty new when it comes to these configurations, so any help will be greatly appreciated. I've tried looking for articles on how to do this and have come up pretty short. Thanks for the help!!

2 Replies

Julio Carvajal
VIP Alumni

Hello Jeremy,

You should not worry that much about this, as by default with a VPN client all traffic is going to be tunneled (tunnel all).

If you need to configure split tunnel policies, that is where you need to make changes to the group-policies.

Regards,

Julio

Do rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
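For the router side of the original question, here is an added example of an IOS Easy VPN server configuration for the Cisco VPN client, showing the tunnel-all group (no `acl` line, which is the default Julio describes) next to a split-tunnel group so the difference is visible. This is not configuration from the thread or from Cisco's documentation; the group names, pool, ACL number, addresses and keys are placeholders.

```cisco
! IOS Easy VPN server for the Cisco VPN client (added example, placeholder names/keys).
aaa new-model
aaa authentication login VPN-XAUTH local
aaa authorization network VPN-GROUPS local
username vpnuser secret ReplaceMe1
!
ip local pool VPN-POOL 10.99.0.10 10.99.0.100
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
! Group pushed to the client. No "acl" line means tunnel-all:
! every destination, Internet included, is sent through the tunnel.
crypto isakmp client configuration group VPN-ALL
 key ReplaceMeGroupKey
 pool VPN-POOL
 dns 10.1.1.10
 domain corp.example
!
! For comparison, a split-tunnel group: only destinations matched by
! access-list 110 (here the corporate 10.1.0.0/16) are tunneled; everything
! else leaves through the client's own Internet connection.
crypto isakmp client configuration group VPN-SPLIT
 key ReplaceMeGroupKey2
 pool VPN-POOL
 acl 110
access-list 110 permit ip 10.1.0.0 0.0.255.255 any
!
crypto ipsec transform-set VPN-TS esp-aes esp-sha-hmac
crypto dynamic-map VPN-DYN 10
 set transform-set VPN-TS
 reverse-route
!
crypto map VPN-MAP client authentication list VPN-XAUTH
crypto map VPN-MAP isakmp authorization list VPN-GROUPS
crypto map VPN-MAP client configuration address respond
crypto map VPN-MAP 10 ipsec-isakmp dynamic VPN-DYN
!
interface FastEthernet0/0
 description Internet-facing
 crypto map VPN-MAP
```

Users connecting to the VPN-ALL group get tunnel-all; the VPN-SPLIT group is included only to show where split tunneling would be switched on. For VPN clients' Internet traffic to actually leave through the headquarters link, the router must also NAT the pool addresses (10.99.0.0/24 here) out the outside interface; because that traffic arrives and departs on the same interface, that NAT setup is separate from the VPN configuration and is not shown above. `show crypto session` on the router and the client's statistics window confirm which group and policy a session landed in.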

Hi,

In regards to split tunnel, I am also having a dilemma on how to configure the policy, so that local LAN access is permitted, while all other traffic, corporate and Internet, still goes through the tunnel.

Reading about it, I found this:

"In a remote access VPN deployment, split tunneling gives the user direct  access to a public network and VPN access to a private network  simultaneously. The end user's computer becomes an extended Internet  entry point to the corporate network. If no proper security measures are  in place on the end user's computer, attackers have opportunities to  compromise the computer from the Internet and gain access to the  internal network through the VPN tunnel. For this reason, many  organizations choose to disable split tunneling in their remote access  VPN deployment.

When split tunneling is disabled, one common issue is that users can no  longer access the local LAN for tasks such as printing. The solution is  to disable split tunneling but enable local LAN access. This way, the  local LAN traffic will not be tunneled to the head-end SSL VPN gateway."

As different users have different local subnets and we don't know them, I configured the policy like this:

Where the SPLIT network list is 0.0.0.0

Would this also send the Internet traffic through the local LAN gateway, or tunneled (preferred)?

A Wireshark capture on the Cisco AnyConnect interface while sending ICMP traffic to a host on the Internet shows so, but I am still not sure.

Thanks
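For the local-LAN-access case in the reply above, here is an added example of the ASA group-policy configuration for AnyConnect, with the plain tunnel-all policy next to the variant that keeps tunnel-all but exempts the client's directly connected subnet. This is not the configuration from the thread; the group-policy, ACL and tunnel-group names are placeholders.

```cisco
! ASA group-policies for AnyConnect (added example, placeholder names).
!
! Plain tunnel-all: the client has no local LAN access at all.
group-policy GP-TUNNEL-ALL internal
group-policy GP-TUNNEL-ALL attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
!
! Tunnel-all with local LAN access. A standard ACL whose only entry is
! "host 0.0.0.0" used with excludespecified tells AnyConnect to exclude
! just the directly connected LAN (whatever subnet the user happens to be on);
! Internet destinations still go through the tunnel.
access-list LOCAL-LAN-ACCESS standard permit host 0.0.0.0
group-policy GP-LOCAL-LAN internal
group-policy GP-LOCAL-LAN attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy excludespecified
 split-tunnel-network-list value LOCAL-LAN-ACCESS
!
tunnel-group REMOTE-USERS type remote-access
tunnel-group REMOTE-USERS general-attributes
 default-group-policy GP-LOCAL-LAN
```

The client side has to allow it as well: the AnyConnect profile needs `<LocalLanAccess UserControllable="true">true</LocalLanAccess>` (or the user ticks "Allow Local LAN Access" under Preferences), otherwise the exclusion pushed by the ASA is ignored. After connecting, the Route Details tab of the client shows 0.0.0.0/0 under Secured Routes and only the local subnet under Non-Secured Routes, which is a quicker check than a packet capture that Internet traffic is being tunneled.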