Showing results for 
Search instead for 
Did you mean: 


VPN - restricted split tunnel?

I would have thought this was a common request, however cannot seem to find any particular examples.

Currently we have an older ASA 5520, with code level 8.0.3.   What we would like to have is Anyconnect VPN users to have access to certain 'external' networks, such as their local lan or certain IP addresses, while connected to our network.

So far, the only thing we are able to do is to:

* Tunnel all traffic - no split tunnel.  When client connects, they can only access our internal network

* Tunnel traffic by a list of networks - split tunnel.  When client connects, they can only access the listed IPs of our internal network, but any other external traffic

* Deny Tunnel traffic by a list of networks - split tunnel.  When client connnects, they can access all internal network except the listed IPs, but any other external traffic

I guess the definition of what we want to do is:

* Tunnel all traffic except the list of external IP - restricted split tunnel.  When Client connects they can access all of our internal network (or listed IPs) but also certain external networks/IPs (their local area network, or a list of IPs/networks defined).

Any ideas?  Thanks in advance...

Everyone's tags (2)

VPN - restricted split tunnel?

When using the 2nd option, you can specify a list of networks to encrypt data to. Data to all other networks will remain unencrypted - these could be your local LANs, external networks, etc.

An example to encrypt data to but don't encrypt anything else, where is our corporate nework behind the firewall:

access-list lan_split standard permit

group-policy GP-SPLIT internal

group-policy GP-SPLIT attributes

split-tunnel-policy tunnelspecified

split-tunnel-network-list value lan_split


VPN - restricted split tunnel?

Hairpinning is the ability to reroute traffic backout the same interface in which it received that traffic.

ASAs can do this.

Normally a VPN client scenario, you will just send the desired traffic through the tunnel (split-tunneling).

You can also send all traffic through the tunnel and provide Internet access through the same ASA.

To accomplish this, the ASA should u-turn the traffic backout to the Internet.

You need something like this:

nat (outside) 1 10.x.x.x   --> assuming 10.x.x.x is the pool of addresses assigned for VPN clients

global (outside) 1 interface --> you might already have this for regular Internet traffic (PAT)

same-security permit intra-interface  --> to allow u-turn

Besides that, split-tunneling should be disabled on the ASA.

This link might help: