excludespecified does not work

jose cortes
Level 1

Hi everybody,

I've been working with a Remote Access VPN where everything should be tunneled via VPN but the traffic to a specific Public IP. I tried to use the "excludespecified" statement in the group-policy but it does not work. When the Client VPN gets connected to the ASA and I check the Route Details -> Secured Routes I only can see 0.0.0.0/0. But when I use the "tunnelspecified" statement it works as it should and the Secured Routes are listed properly.

My configuration is:

access-list SPLIT-TUNNEL standard permit host 72.XX.XX.XX
!
group-policy TEST internal
group-policy TEST attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy excludespecified
 split-tunnel-network-list value SPLIT-TUNNEL
!
tunnel-group TEST type remote-access
tunnel-group TEST general-attributes
 address-pool admin-pool
 authentication-server-group RADIUS
 default-group-policy TEST
tunnel-group TEST ipsec-attributes
 pre-shared-key *

I have searched for a Bug or something but I could not find anything. These are the Software versions:

ASA: 8.2(1)11

ASDM: 6.2(1)

VPN Client: 5.0.07.0410

Thanks in advance,

Jose

Accepted Solution

danmoren
Level 1

Hello Jose,

In your VPN client, have you selected the "Allow Local LAN access" check box?

Can you please test it with that option enabled and let us know the results?

Don't just look at the secure routes, after enabling that option try to send real traffic to the public IP address.

Daniel Moreno

Please rate any post you find useful


3 Replies


Hi,

Indeed as mentioned by Daniel, most likely you are missing the "Allow Local LAN access" option.

You can find it here:

On the other hand, you should see the 72.x.x.x in the Local LAN routes:

Once you enable the check box it should work fine.

Thanks.

Portu.

If you are using the Cisco AnyConnect client rather than the older VPN Client, you must turn on this checkbox before split-tunneling exclusions will work:

1) Open Cisco ASDM

2) Click Remote Access VPN section

3) In left-hand pane choose Network (Client) Access > AnyConnect Client Profile

4) Edit the profile and place a checkmark in the box next to Local LAN Access

5) Click OK and then disconnect/reconnect to VPN and check the AnyConnect details window for 'Route Details'. You should see your excluded networks in the 'Non-Secured Routes' section of the AnyConnect client.
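As an added audit example (not code from this thread or from Cisco), the Python below parses an ASA group-policy fragment like Jose's, flags excludespecified policies whose standard ACL is missing, and checks whether an AnyConnect client profile has Local LAN Access enabled, which is the condition the replies above point to. The sample config and profile fragment are constructed, and the LocalLanAccess element name is assumed from the AnyConnect profile XML format.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample ASA config: the thread's TEST policy (host masked as in the post)
# plus a SALES policy whose network list does not exist, so the second check fires.
ASA_CONFIG = """\
access-list SPLIT-TUNNEL standard permit host 72.0.2.1
group-policy TEST attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value SPLIT-TUNNEL
group-policy SALES attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value NO-SUCH-ACL
"""
# Constructed AnyConnect profile fragment (assumed element name, from the profile XML format).
ANYCONNECT_PROFILE = """<AnyConnectProfile><ClientInitialization>
<LocalLanAccess UserControllable="true">false</LocalLanAccess>
</ClientInitialization></AnyConnectProfile>"""

def audit_split_tunnel(config):
    """Return (policy, problems) for every group-policy that uses excludespecified."""
    standard_acls = set(re.findall(r"^access-list (\S+) standard ", config, re.M))
    policies, cur = [], None
    for line in config.splitlines():
        if m := re.match(r"group-policy (\S+) attributes", line):
            cur = {"name": m.group(1), "mode": None, "acl": None}
            policies.append(cur)
        elif cur and (m := re.match(r"\s*split-tunnel-policy (\S+)", line)):
            cur["mode"] = m.group(1)
        elif cur and (m := re.match(r"\s*split-tunnel-network-list value (\S+)", line)):
            cur["acl"] = m.group(1)
    results = []
    for p in policies:
        if p["mode"] == "excludespecified":
            # excludespecified needs a standard ACL naming the networks to leave out of the tunnel
            ok = p["acl"] in standard_acls
            results.append((p["name"], [] if ok else ["network list missing or not a standard ACL"]))
    return results

def local_lan_access_enabled(profile_xml):
    # Namespace-agnostic lookup so a real profile with an xmlns still matches.
    for el in ET.fromstring(profile_xml).iter():
        if el.tag.endswith("LocalLanAccess"):
            return (el.text or "").strip().lower() == "true"
    return False

def report(config, profile_xml):
    """Exclusions only take effect when the client also allows Local LAN access."""
    lan_ok, lines = local_lan_access_enabled(profile_xml), []
    for name, problems in audit_split_tunnel(config):
        if not lan_ok:
            problems = problems + ["client profile LocalLanAccess is false"]
        lines.append(f"{name}: " + ("; ".join(problems) or "OK"))
    return lines
```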
