Cisco Support Community
Community Member

vpn and split tunnel

We have a group of VPN users that is connecting to the VPN using at least Cisco VPN or newer. Once connected to the VPN they do not have access to the internet and we would like to keep it this way for security reasons. This group of VPN users now has additional needs. This VPN group needs to stay connected to the VPN and not lose connectivity to a particular range of network internally (a peer-to-peer non-routable address). Through research it appears that we can specify the allowed network on the split tunnel. Our goal is to allow this group of users connectivity to the range of IPs when connecting to the VPN and to exclude the internet at large.

Does anyone have pointers for me or would know of any issues I would run into? Should I be worried about split DNS?



Re: vpn and split tunnel


You can create a group-policy where you define if you want to tunnel all traffic (no split tunneling), tunnel just specified networks (split tunneling), or just exclude a list of networks.

Under the group-policy, you specify the split-tunnel-policy and then the split-tunnel-list.

ASA(config-group-policy)# split-tunnel-policy ?

group-policy mode commands/options:
  excludespecified  Exclude only networks specified by
  tunnelall         Tunnel everything
  tunnelspecified   Tunnel only networks specified by split-tunnel-network-list

ASA(config-group-policy)# split-tunnel-network-list ?

group-policy mode commands/options:
  none   Specify that no access-list will be used for split tunnel
  value  Specify a standard or extended type access-list for split tunnel

Split-DNS is in case you want to include a list of domains to be resolved through the split tunnel.
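As an added example (not configuration posted in this thread), here is how the two policies above behave for the original poster's goal, with constructed names and a constructed 192.168.77.0/24 as the peer-to-peer range:

```cisco
! ---- What NOT to do for a "no internet" requirement ----
! tunnelspecified sends ONLY the listed network through the tunnel; every other
! destination (including the internet) leaves the client's local interface directly,
! so the user regains unfiltered internet access while connected.
access-list SPLIT_INCLUDE standard permit 192.168.77.0 255.255.255.0
group-policy P2P_USERS_BAD attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_INCLUDE

! ---- Matching the requirement ----
! excludespecified keeps the default route through the tunnel (so internet-bound
! traffic still hits the ASA and stays blocked there) and carves out only the
! non-routable peer-to-peer range so it is reached on the local segment.
access-list SPLIT_EXCLUDE standard permit 192.168.77.0 255.255.255.0
group-policy P2P_USERS attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value SPLIT_EXCLUDE
 ! no split-dns entry: all name resolution stays inside the tunnel,
 ! which is what you want when nothing outside 192.168.77.0/24 is reached locally

! Bind the policy to the tunnel-group these users land in (constructed name).
tunnel-group P2P_USERS_TG general-attributes
 default-group-policy P2P_USERS

! Verify on the ASA, then on a connected client confirm that only
! 192.168.77.0/24 shows a local next hop and the default route points at the adapter.
show running-config group-policy P2P_USERS
show running-config access-list SPLIT_EXCLUDE
```

Keep the exclude list as narrow as possible: every prefix in it is reachable from the client without passing through the ASA's access control.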


Community Member

Re: vpn and split tunnel

Basically this involves installing routes on the clients. You'll have to configure a split-tunnel-network-list longhand to define all networks except their internal network. You cannot, IIRC, use deny statements in that access list.

I've described the way it works here, and it will only work for certain clients:

Also, I recently discovered that using "no sysopt connection permit-vpn" breaks this, and so far I cannot figure out if there is a solution by adding ACEs to interfaces/crypto-maps/etc (the obvious one does not work.)
