
New Member

Split tunnel with a difference

I need to configure a VPN3020 to tunnel everything from RA clients except a specific internet subnet.

So I need clients to access all networks except the a.b.c.d/24 network which I need them to access directly from their internet connection.

I have played with the split tunnel options but cannot get this to work.

The only way I can see is to set a tunnel list and list all possible networks except the a.b.c.d/24 network.

There must be an easier way?

10 REPLIES

Re: Split tunnel with a difference

Why?

Are you using internal RFC1918 addresses on your inside network? Or internet routable internet addresses on your internal network?

New Member

Re: Split tunnel with a difference

We are now using a cloud-based web filtering solution, so clients at home need access to this directly from the laptop and also need VPN access to internal networks. I could tunnel only internal networks, but that means clients could access everything on the internet. I only want to bypass the tunnel for a single internet-routable range.

Re: Split tunnel with a difference

OK - understood. Have you tried:-

1) Create the network list of the network you do not want to tunnel

2) Under the remote VPN profile goto "Client Config"

3) check "Tunnel Everything" and check "Allow networks IN list to BYPASS the tunnel"

??????

New Member

Re: Split tunnel with a difference

I did that but when I bring up statistics it says secured routes 0.0.0.0 0.0.0.0

No networks showing in Local Lan?

I am in the right place then.....

Re: Split tunnel with a difference

You have to configure the "exception". Can you post a screenshot of your concentrator config?

New Member

Re: Split tunnel with a difference

Which bit? The Client config?

Where do I configure the exception?

I have the networks I do not want to tunnel in the Split Tunneling Network List.

Split Tunneling policy set to Tunnel Everything & allow networks in list to bypass tunnel is ticked.

However, when connecting, secured routes are 0.0.0.0, not local LAN routes?

Re: Split tunnel with a difference

OK

From the main login screen

Goto Configuration

Goto User Management

Goto Groups

Highlight the RVPN group then press Modify Group

Goto Client Config

Scroll down to the bottom of the page

You should see something like the attached.

New Member

Re: Split tunnel with a difference

Thanks for the info, I have already tried to configure that and it achieves the result partly.

I specify the internal networks which get tunneled and everything else can go direct out the client's broadband; however, I want to limit what goes out direct to only a specific subnet.

For some reason the split tunnel policy is not working.

So the only way I can see of achieving this is to create an Inside network list which consists of every network from 1-197, then every network from 199-255,

leaving out the required 197.*.*.* network which I want to route directly.

Just need to get clever with the wildcard masks!

Re: Split tunnel with a difference

I have attached the screenshot again.

What you need to try is:-

1) Create a network list with 197.0.0.0 255.0.0.0

2) Configure on the Client Config

Enable - Tunnel Everything

Enable - Allow the networks in the list to bypass the tunnel

Choose your network list in the "Split tunnel network list" for the 197.0.0.0

Then ALL traffic should be encrypted - except the 197.x.x.x

New Member

Re: Split tunnel with a difference

That is what I originally tried and it didn't work. So I was racking my brains trying something else.

I will revisit it again.

Thanks for all your advice.
