SSL VPN AnyConnect with Split Tunnelling

mcroft · ‎02-02-2009

Hi,

I am unable to get split tunnelling working with Cisco ASA Version 8.0(4) and AnyConnect 2.3. (WinXp, SP3)

The tunnel works fine, and the SSL-VPN is great,

but traffic I wish to 'not' go via the tunnel (i.e anything other than 192.168.x.x) is still going via the tunnel.

the config is very straight-forward ...

I have enabled split-tunnelling on both the group-policy and the default-group policy, but it still fails:

-------------------------------

tunnel-group-list enable

group-policy DfltGrpPolicy attributes

vpn-filter value VPN-DEV-ONLY

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

split-tunnel-policy tunnelspecified

split-tunnel-network-list value SPLIT_ACL

group-policy Matt-SSLGrpPol internal

group-policy Matt-SSLGrpPol attributes

re-xauth disable

split-tunnel-policy tunnelspecified

split-tunnel-network-list value SPLIT_ACL

access-list SPLIT_ACL line 1 extended permit ip any 192.168.0.0 255.255.0.0

----------------------------------------

any help would be be appreciated.

I assume split tunnelling does work with AnnyConnect-SVC ?

Thanks

Matt

Ivan Martinon · ‎02-02-2009

split tunnel does work via anyconnect. If what you want is to prevent the 192.168.X.X net to be tunneled you need a different approach. In your case remember that the ACL you chose to use for split tunnel will be read in such a way that the source of that ACL is what will be pushed back to the client as the "Secure Routes" (what will be encrypted) In your case, you would need to use exclude specified:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s8.html#wp1404962