https://community.cisco.com/t5/network-security/ssl-vpn-anyconnect-with-split-tunnelling/m-p/1222985#M876972 <P>Hi,</P><P></P><P>I am unable to get split tunnelling working with Cisco ASA Version 8.0(4) and AnyConnect 2.3. (WinXp, SP3)</P><P></P><P>The tunnel works fine, and the SSL-VPN is great, </P><P>but traffic I wish to 'not' go via the tunnel (i.e anything other than 192.168.x.x) is still going via the tunnel.</P><P></P><P>the config is very straight-forward ...</P><P>I have enabled split-tunnelling on both the group-policy and the default-group policy, but it still fails:</P><P></P><P>-------------------------------</P><P> tunnel-group-list enable</P><P>group-policy DfltGrpPolicy attributes</P><P> vpn-filter value VPN-DEV-ONLY</P><P> vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn</P><P> split-tunnel-policy tunnelspecified</P><P> split-tunnel-network-list value SPLIT_ACL</P><P></P><P>group-policy Matt-SSLGrpPol internal</P><P>group-policy Matt-SSLGrpPol attributes</P><P> re-xauth disable</P><P> split-tunnel-policy tunnelspecified</P><P> split-tunnel-network-list value SPLIT_ACL</P><P></P><P>access-list SPLIT_ACL line 1 extended permit ip any 192.168.0.0 255.255.0.0</P><P>----------------------------------------</P><P></P><P>any help would be be appreciated.</P><P></P><P>I assume split tunnelling does work with AnnyConnect-SVC ?</P><P></P><P>Thanks</P><P>Matt</P> Mon, 11 Mar 2019 14:44:41 GMT mcroft 2019-03-11T14:44:41Z https://community.cisco.com/t5/network-security/ssl-vpn-anyconnect-with-split-tunnelling/m-p/1222985#M876972 <P>Hi,</P><P></P><P>I am unable to get split tunnelling working with Cisco ASA Version 8.0(4) and AnyConnect 2.3. (WinXp, SP3)</P><P></P><P>The tunnel works fine, and the SSL-VPN is great, </P><P>but traffic I wish to 'not' go via the tunnel (i.e anything other than 192.168.x.x) is still going via the tunnel.</P><P></P><P>the config is very straight-forward ...</P><P>I have enabled split-tunnelling on both the group-policy and the default-group policy, but it still fails:</P><P></P><P>-------------------------------</P><P> tunnel-group-list enable</P><P>group-policy DfltGrpPolicy attributes</P><P> vpn-filter value VPN-DEV-ONLY</P><P> vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn</P><P> split-tunnel-policy tunnelspecified</P><P> split-tunnel-network-list value SPLIT_ACL</P><P></P><P>group-policy Matt-SSLGrpPol internal</P><P>group-policy Matt-SSLGrpPol attributes</P><P> re-xauth disable</P><P> split-tunnel-policy tunnelspecified</P><P> split-tunnel-network-list value SPLIT_ACL</P><P></P><P>access-list SPLIT_ACL line 1 extended permit ip any 192.168.0.0 255.255.0.0</P><P>----------------------------------------</P><P></P><P>any help would be be appreciated.</P><P></P><P>I assume split tunnelling does work with AnnyConnect-SVC ?</P><P></P><P>Thanks</P><P>Matt</P> Mon, 11 Mar 2019 14:44:41 GMT https://community.cisco.com/t5/network-security/ssl-vpn-anyconnect-with-split-tunnelling/m-p/1222985#M876972 mcroft 2019-03-11T14:44:41Z https://community.cisco.com/t5/network-security/ssl-vpn-anyconnect-with-split-tunnelling/m-p/1222986#M876975 <HTML><HEAD></HEAD><BODY><P>split tunnel does work via anyconnect. If what you want is to prevent the 192.168.X.X net to be tunneled you need a different approach. In your case remember that the ACL you chose to use for split tunnel will be read in such a way that the source of that ACL is what will be pushed back to the client as the "Secure Routes" (what will be encrypted) In your case, you would need to use exclude specified:</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s8.html#wp1404962" target="_blank">http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s8.html#wp1404962</A></P><P></P><P></P></BODY></HTML> Tue, 03 Feb 2009 01:47:52 GMT https://community.cisco.com/t5/network-security/ssl-vpn-anyconnect-with-split-tunnelling/m-p/1222986#M876975 Ivan Martinon 2009-02-03T01:47:52Z