Cisco Support Community
Community Member

Split Tunneling on ASA 5505 not working

I am currently trying to configure an Easy VPN connection from an ASA 5505 to and ASA 5520.  I have enabled split tunnelling and in the group policy defined the network to be tunneled but when I activate the VPN it tunnels everything from the host computer connected to the ASA 5505.  I get no internet access.  Have been trying to troubleshoot this for days.  Any ideas out there?

Hee are some specifics, running version 8.2(5) on the 5505 and the 5520 and below is the local config on the 5505 for the Easy VPN:

vpnclient server **.***.***.**

vpnclient mode network-extension-mode

vpnclient nem-st-autoconnect

vpnclient vpngroup dbernstein-5505 password *****

vpnclient username dbernstein password *****

vpnclient ipsec-over-tcp port 10000

vpnclient enable

and the downloaded dynamic policy:

Current Server                                 : 12.***.163.**

Primary DNS                                  : ***.160.***.39

Default Domain                               :

PFS Enabled                                  : No

Secure Unit Authentication Enabled  : No

User Authentication Enabled            : No

Split Tunnel Networks                      : ***.160.***.0/

Backup Servers                               : None


Split Tunneling on ASA 5505 not working

You need to enable (Spilit-tunnel Tunnel-Specified).

and define the Spilit Tunnel Value (Spilit-Tunnel-Value ((ACL Name)

Then, you will have to create an ACL specifying the Traffic to Be tunneled . The Above should Only ALLOW the Sataements created by your ACL for Spilit Tunneling.

Look at the exact command in the Group-Policy.



Community Member

Re: Split Tunneling on ASA 5505 not working

I was under the impression that when using the Easy VPN client all you need to configure for spilt tunneling was on the server side and the client recieved the Tunnel list from that group policy?  I have another 5505 that is configured without a specified tunnel list on the client and it is working.  I have the st-autoconnect enabled, wouldn't that be enough to engage the split tunneling?

Split Tunneling on ASA 5505 not working

Hello Netadmin,

You are correct. With Easy VPN, server pushed the policy to client. Do you have proper nat & global commands on the client ASA? (as these are required).



Community Member

Split Tunneling on ASA 5505 not working

Her are my NAT and global commands, they are the same as my other ASA's, not sure what the heck is going on:

global (outside) 1 interface

nat (inside) 1

nat (work) 1

Split Tunneling on ASA 5505 not working


You need to configure the split tunnel policy on the server side so when you connect to the main office ASA ( VPN centralized end) all the traffic from your network being encrypted will be the one going to their subnet but your internet traffic will go normal to the outside world without being encrypted.

So the configuration on the SOHO device is okay, the problem is on the server side.


Do rate all the helpful posts


Julio Carvajal
Senior Network Security and Core Specialist
Community Member

Split Tunneling on ASA 5505 not working

I have configured the server side though, like my other ASA's and still it tunnels everything.  Let me see if I can post the config of the group policy I am using.

tunnel-group dbernstein-5505 type remote-access

tunnel-group dbernstein-5505 general-attributes

default-group-policy dbernstein_5505_GP

tunnel-group dbernstein-5505 ipsec-attributes

pre-shared-key *****

group-policy dbernstein_5505_GP internal

group-policy dbernstein_5505_GP attributes

vpn-tunnel-protocol IPSec l2tp-ipsec svc

split-tunnel-policy tunnelspecified

split-tunnel-network-list value dbernstein-5505

nem enable

Let me know if anyone needs to see anything else in the config but I think this is the majority of it.

Community Member

Re: Split Tunneling on ASA 5505 not working

I have narrowed it down to a DNS issue.  I can get to internet sites via IP but not via name.  Have any of you seen this?  So it looks like split tunneling is working but DNS is all fouled up.  I disabled passing any DNS server info via the split tunnel GP and am using the DNS server provided by the ISP but still not working.

Community Member

Re: Split Tunneling on ASA 5505 not working

Ok, I fixed it.  There was a setting in the global_policy that was doing something to DNS.  I unchecked the DNS option and now all is working!!

Community Member

Split Tunneling on ASA 5505 not working

I have the same problem with an ASA 5505 Easy VPN client.  The hosts on the inside LAN can resolve DNS while the tunnel is disconnected.  As soon as the tunnel is established, the hosts can no longer resolve DNS.  What setting did you change to fix this?

Community Member

Ive had a problem with this

Ive had a problem with this this week, heres how to troubleshoot

CreatePlease to create content