Cisco Support Community

Nat 0 and split tunneling

I need to determine the capabilities of the split tunneling mechanism to restrict a VPN group to a single internal IP address.

Assume the following config for this example:

internal ip
ip local pool VPNCLT
access-list VPN-NAT-0 permit ip
nat (inside) 0 access-list VPN-NAT-0
vpngroup XXX address-pool VPNCLT
vpngroup XXX split-tunnel VPN-NAT-0

This config assigns the 192.168.100.x address to the remote clients and filters traffic for the tunnel using the NAT 0 access list. Yet the same access list filters the traffic at the other end of the tunnel, separating traffic for the internal network from all other traffic.

What then would be the form of the access list to confine traffic from the remote client to a single internal IP?

Possible solution based on the general example above (assuming is the internal host):

access-list SPLTTUN
vpngroup XXX split-tunnel SPLTTUN

Doesn't this violate the access-list sense of source IP - destination IP?


Re: Nat 0 and split tunneling

It depends on the software version. For 6.x, disable the command below:

(no) sysopt connection permit-ipsec

sysopt connection permit-ipsec:

To let IPSec packets bypass interface access lists, use the sysopt connection permit-ipsec command in global configuration mode. Group policy and per-user authorization access lists still apply to the traffic.

With this command disabled, you will need to configure an inbound ACL in order to permit VPN traffic.


access-list 110 permit ip
access-list 120 permit ip
access-list 130 permit tcp host eq domain
access-list 130 permit tcp host eq domain
access-list 130 permit tcp host eq citrix-ica
access-list 130 permit tcp host eq www
ip local pool ippool2
nat (inside) 0 access-list 110
access-group 130 in interface outside
vpngroup vpnclient address-pool ippool2
vpngroup vpnclient dns-server
vpngroup vpnclient split-tunnel 120
vpngroup vpnclient idle-time 1800
vpngroup vpnclient password ********

Don't forget other VPN traffic such as LAN-to-LAN VPN; it needs to be permitted by the inbound ACL as well.

For v7, a new command, "vpn-filter", can be used instead.
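To see why the reply above needs the inbound ACL once "sysopt connection permit-ipsec" is removed, here is an added Python model of the 6.x headend decision (not Cisco code and not from this thread): a first-match ACL evaluator plus the sysopt bypass, with access-list 130 restricting the client pool to one inside host. The pool, inside addresses and host are constructed placeholders, since the thread's own values were not preserved.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One access-list entry, e.g. 'access-list 130 permit tcp A host B eq www'."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # None matches any destination port


Packet = Tuple[str, str, str, int]  # (proto, src_ip, dst_ip, dst_port)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    proto, src, dst, dport = pkt
    return ((ace.proto == "ip" or ace.proto == proto)
            and ipaddress.ip_address(src) in ace.src
            and ipaddress.ip_address(dst) in ace.dst
            and (ace.dport is None or ace.dport == dport))


def acl_permits(acl: List[Ace], pkt: Packet) -> bool:
    """First matching entry wins; a PIX access list ends in an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action == "permit"
    return False


def headend_permits(pkt: Packet, sysopt_permit_ipsec: bool,
                    outside_in_acl: List[Ace]) -> bool:
    """Decrypted client traffic bypasses the outside interface ACL while
    'sysopt connection permit-ipsec' is set; after 'no sysopt connection
    permit-ipsec' the 'access-group ... in interface outside' ACL decides."""
    if sysopt_permit_ipsec:
        return True
    return acl_permits(outside_in_acl, pkt)


# Constructed placeholder addresses (the thread's own values were not preserved).
POOL = ipaddress.ip_network("192.168.100.0/24")  # vpngroup address pool
HOST = ipaddress.ip_network("10.1.1.10/32")      # the single permitted inside host

# access-list 130, applied with 'access-group 130 in interface outside'
ACL_130 = [
    Ace("permit", "tcp", POOL, HOST, 53),    # eq domain
    Ace("permit", "tcp", POOL, HOST, 1494),  # eq citrix-ica
    Ace("permit", "tcp", POOL, HOST, 80),    # eq www
]
```

With the sysopt bypass on, a client reaching any other inside host is permitted regardless of access-list 130; with it off, only the listed host and ports pass.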
