08-23-2012 06:48 PM - edited 03-11-2019 04:45 PM
I am using AnyConnect and I have a group policy configured with a split tunnel policy to "Exclude Network Lists Below". I created a list to define my local LAN which I don't want to be "secured by the VPN". Whenever I VPN in, it still forces all traffic to be secured. On the contrary, if I set the tunnel policy to "Include networks below" and define a network that I want to force through the tunnel, that setting does get carried through to the AnyConnect client. What could cause an Exclude list to not show up, but an Include list does?
08-23-2012 08:35 PM
Hello Daniel,
I think you are confused with the use of the VPN Split-tunnel
What you are going to place in the Split-tunnel is which traffic (Destination) will be encrypted, so for example if you just want to encrypt the data going to the other side of the tunnel or all traffic (Default).
Hope I understood the question
Regards,
Julio
08-23-2012 09:58 PM
So, I am on the 100.100.60.0/24 network and I VPN into my development network, 192.168.0.0/24. I only want to encrypt traffic going to the 192.168.0.0/24 network; I want to EXCLUDE traffic going from the 10.100.60.0/24 network. Whenever I configure my group policy to exclude traffic going to PKILAB, and define PKILAB as 100.100.60.0/24, it still tries to send traffic destined for the PKILAB over the VPN, when it should be excluding it. But I know the group policy settings are getting applied because other items such as the DNS get sent to the AnyConnect client settings.
08-23-2012 10:27 PM
Hello Daniel,
Just to make sure we are on the same page
192.168.0.0/24---ASA---INTERNET-------Anyconnect client at 100.100.60.0.24
Is that correct? If yes, and you only want to encrypt the traffic going to the 192. from your client, here is what you need:
access-list test standard permit 192.168.0.0 255.255.255.0
group-policy whatever attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value test
Turn down the tunnel and give it a try
Regards,
08-24-2012 05:48 AM
Client IP: 10.100.60.47/24
Local lab segments:
10.100.60.0/24
192.168.50.0/24
asa.securesub.net:8080 Anyconnect Gateway to my remote Lab
Once I am connected to my remote lab I am given A client IP address of 192.168.0.193/24
My remote lab has 2 different subnets:
192.168.0.0/24
192.168.101.0/24
When I connect to the ASA, I am having "0.0.0.0 secured". This prevents me from being able to access the two local subnets. I should be able to say "Split tunnel, and Exclude 10.100.60./ and 192.168.50.0 from being sent through the tunnel". See picture.
08-24-2012 09:29 AM
Hello Daniel,
The image does not work!
Why don't you try with my configuration, please
access-list test standard permit 192.168.0.0 255.255.255.0
access-list test standard permit 192.168.101.0 255.255.255.0
group-policy whatever attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value test
08-24-2012 10:52 AM
When I use the config you mentioned, where I only define which traffic I want to secure, it allows me to access my secured resources and my local resources, but it doesn't tunnel my UNKNOWN (internet browsing) through the tunnel, which is one of my goals. That's why I was trying to go the exclude route.
I have tried to add 0.0.0.0/24 to the permitted list of traffic to be secured, but that doesn't seem to work.
08-24-2012 10:58 AM
Hello Daniel,
Okay I now understand what you mean....
Why don't you try with my configuration, please
access-list 2test standard permit 10.100.60.0 255.255.255.0
access-list 2test standard permit 192.168.50.0 255.255.255.0
group-policy whatever attributes
split-tunnel-policy excludespecified
split-tunnel-network-list value 2test
Turn the tunnel down and re-connect
If this by any chance does not work, please paste your group policy and tunnel group setup (you can change the outside IP addresses of course).
Regards,
Remember to rate the helpful posts
Julio
08-24-2012 11:23 AM
group-policy Vandyke internal
group-policy Vandyke attributes
wins-server none
dns-server value 192.168.0.25 4.2.2.2
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VANDYKE_EXCLUDES
default-domain value securesub.net
split-dns value 192.168.0.25
asa(config)# sh run | i VANDYKE
access-list VANDYKE_EXCLUDES remark SECURESUB_WIFI
access-list VANDYKE_EXCLUDES standard permit 192.168.101.0 255.255.255.0
access-list VANDYKE_EXCLUDES remark SECURESUB_LAN
access-list VANDYKE_EXCLUDES standard permit 192.168.0.0 255.255.255.0
access-list VANDYKE_EXCLUDES remark BOOZE-PKI LAB
access-list VANDYKE_EXCLUDES standard deny 10.100.60.0 255.255.255.0
access-list VANDYKE_EXCLUDES remark INTERNET TRAFFIC
access-list VANDYKE_EXCLUDES standard permit any
08-24-2012 11:28 AM
Hello Daniel,
Right now the configuration is not the one I sent you.
Check this :
split-tunnel-policy tunnelspecified
Can you change the setup to this:
access-list 2test standard permit 10.100.60.0 255.255.255.0
access-list 2test standard permit 192.168.50.0 255.255.255.0
group-policy whatever attributes
split-tunnel-policy excludespecified
split-tunnel-network-list value 2test
Regards,
Julio
08-24-2012 11:42 AM
I think we're miscommunicating. I made the changes you asked me to try (see below) and now I can no longer access Booze-pki lab or Vandyke_wifi resources. Also I am now unable to access any of my VPN resources from securesub. In addition, my internet traffic is not being sent through the VPN.
asa(config)# sh run | i split-tunnel-policy tunnelspecified
split-tunnel-policy tunnelspecified
asa(config)# sh run | i VANDYKE
access-list VANDYKE_EXCLUDES remark BOOZE-PKI LAB
access-list VANDYKE_EXCLUDES standard permit 10.100.60.0 255.255.255.0
access-list VANDYKE_EXCLUDES remark VANDYKE_WIFI
access-list VANDYKE_EXCLUDES standard permit 192.168.50.0 255.255.255.0
split-tunnel-network-list value VANDYKE_EXCLUDES
A quick summary of my setup:
I am on a LAN segment 10.100.60.0/24 and need to be able to access resources on the segment as well as the 192.168.50.0 segment. I can do this without using a VPN. I also want to be able to access my VPN resources (securesub LAN and securesub WIFI). I also want all Internet traffic while connected to the VPN to get routed through securesub.
So I should be securing (Securesub_LAN, Securesub_WIFI, and Internet) and not securing 10.100.60.0 or 192.168.50.0, if I understand correctly.
08-24-2012 11:57 AM
Hello Daniel,
Interesting, never had this issue before,
Okay time to use the following:
access-list Local_LAN_Access standard permit host 0.0.0.0
access-list Local_LAN_Access remark VPN-Local-LAN-Access
group-policy Vandyke attributes
split-tunnel-policy excludespecified
split-tunnel-network-list value Local_LAN_Access
Now starting from AnyConnect 2.3 version, Local LAN Access is disabled by default so you need to enable it from the Anyconnect client preference settings.
Let me know how it goes,
Rate all the helpful posts
Julio
08-24-2012 01:15 PM
access-list VANDYKE_EXCLUDES remark Securesub_LAN
access-list VANDYKE_EXCLUDES standard permit 192.168.0.0 255.255.255.0
access-list VANDYKE_EXCLUDES remark Securesub_WIFI
access-list VANDYKE_EXCLUDES standard permit 192.168.101.0 255.255.255.0
access-list VANDYKE_EXCLUDES remark INTERNET
access-list VANDYKE_EXCLUDES standard permit host 0.0.0.0
split-tunnel-network-list value VANDYKE_EXCLUDES
My internet traffic is not being tunneled. The rest works well.
08-24-2012 01:41 PM
Hello Daniel,
I think you did not follow my instructions, it is just
access-list Local_LAN_Access standard permit host 0.0.0.0
access-list Local_LAN_Access remark VPN-Local-LAN-Access
You need to take the rest out from the ACL
Regards,
Julio
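To make the difference between the three split-tunnel policies in this thread concrete, here is a small model (added here, not Cisco code or anything from the thread) of how the client decides which destinations go through the VPN. It uses the thread's subnets and a constructed Internet address, and treats "permit host 0.0.0.0" in an excludespecified list as the client's own local subnet, which is the Local LAN Access behaviour Julio points to; the exact client-side matching is simplified.

```python
"""Model of AnyConnect split-tunnel decisions per ASA split-tunnel-policy.
Constructed example based on the thread above; not Cisco code."""
from ipaddress import ip_address, ip_network

# 'permit host 0.0.0.0' in an excludespecified list = client's local LAN.
LOCAL_LAN_MARKER = ip_network("0.0.0.0/32")


def split_tunnel_networks(acl):
    """Networks a standard ACL contributes to a split-tunnel list.
    Only 'permit' entries define networks; include vs. exclude meaning
    comes from split-tunnel-policy, not from the ACL action."""
    return [ip_network(net) for action, net in acl if action == "permit"]


def is_tunneled(policy, acl, dst, client_subnet):
    """True if traffic to dst is sent through the VPN under this policy."""
    dst = ip_address(dst)
    nets = split_tunnel_networks(acl)
    if policy == "tunnelall":
        return True
    if policy == "tunnelspecified":        # tunnel only the listed networks
        return any(dst in n for n in nets)
    if policy == "excludespecified":       # tunnel everything except listed
        for n in nets:
            if n == LOCAL_LAN_MARKER:
                n = ip_network(client_subnet)
            if dst in n:
                return False
        return True
    raise ValueError(f"unknown split-tunnel-policy {policy!r}")


# Thread addresses: client on 10.100.60.0/24, remote lab 192.168.0.0/24 and
# 192.168.101.0/24. 203.0.113.10 is a constructed Internet destination.
CLIENT_SUBNET = "10.100.60.0/24"
DESTS = {"remote_lab": "192.168.0.10", "local_lan": "10.100.60.5",
         "internet": "203.0.113.10"}

# The configurations exchanged in the thread, as (policy, ACL) pairs.
INCLUDE_LAB = ("tunnelspecified", [("permit", "192.168.0.0/24"),
                                   ("permit", "192.168.101.0/24")])
WRONG_MIX = ("tunnelspecified", [("permit", "10.100.60.0/24"),
                                 ("permit", "192.168.50.0/24")])
EXCLUDE_LOCAL = ("excludespecified", [("permit", "0.0.0.0/32")])


def tunneled_set(policy, acl):
    """Names of the sample destinations that go through the VPN."""
    return {name for name, ip in DESTS.items()
            if is_tunneled(policy, acl, ip, CLIENT_SUBNET)}
```

INCLUDE_LAB reproduces the complaint that Internet browsing stays outside the tunnel, WRONG_MIX reproduces the state where the local LANs were the only thing tunneled because the policy was still tunnelspecified, and EXCLUDE_LOCAL is the accepted answer.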
09-06-2012 12:15 PM
Thanks