excludespecified does not work

Hi everybody,

I've been working on a Remote Access VPN where everything should be tunneled via the VPN except the traffic to a specific public IP. I tried to use the "excludespecified" statement in the group-policy but it does not work. When the VPN Client connects to the ASA and I check Route Details -> Secured Routes I can only see 0.0.0.0/0. But when I use the "tunnelspecified" statement it works as it should and the Secured Routes are listed properly.

My configuration is:

access-list SPLIT-TUNNEL standard permit host 72.XX.XX.XX
!
group-policy TEST internal
group-policy TEST attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy excludespecified
 split-tunnel-network-list value SPLIT-TUNNEL
!
tunnel-group TEST type remote-access
tunnel-group TEST general-attributes
 address-pool admin-pool
 authentication-server-group RADIUS
 default-group-policy TEST
tunnel-group TEST ipsec-attributes
 pre-shared-key *

I have searched for a bug or something but I could not find anything. These are the software versions:

ASA: 8.2(1)11

ASDM: 6.2(1)

VPN Client: 5.0.07.0410

Thanks in advance,

Jose

ACCEPTED SOLUTION

Hello Jose,

In your VPN client, have you selected the "Allow Local LAN access" check box?

Can you please test it with that option enabled and let us know the results?

Don't just look at the secure routes, after enabling that option try to send real traffic to the public IP address.

Daniel Moreno

Please rate any post you find useful

3 REPLIES

Hi,

Indeed as mentioned by Daniel, most likely you are missing the "Allow Local LAN access" option.

You can find it here:

On the other hand, you should see the 72.x.x.x in the Local LAN routes:

Once you enable the check box it should work fine.

Thanks.

Portu.


If you are using the Cisco AnyConnect client rather than the older VPN Client, you must turn on this checkbox before split-tunneling exclusions will work:

1) Open Cisco ASDM

2) Click Remote Access VPN section

3) In left-hand pane choose Network (Client) Access > AnyConnect Client Profile

4) Edit the profile and place a checkmark in the box next to Local LAN Access

5) Click OK and then disconnect/reconnect to VPN and check the AnyConnect details window for 'Route Details'. You should see your excluded networks in the 'Non-Secured Routes' section of the AnyConnect client.
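As an added example (not code from this thread or from Cisco), the script below parses an ASA snippet like Jose's and predicts what the client's Route Details should show for each split-tunnel policy, modelling the behaviour the replies describe: with excludespecified the Secured Routes stay 0.0.0.0/0 and the excluded networks only appear as non-secured routes once Local LAN access is enabled. The config text, the 72.0.0.1 host and the function names are constructed for the example.

```python
import ipaddress
# Constructed ASA snippet mirroring the thread's config (host is a placeholder for 72.XX.XX.XX).
ASA_CONFIG = """
access-list SPLIT-TUNNEL standard permit host 72.0.0.1
group-policy TEST internal
group-policy TEST attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy excludespecified
 split-tunnel-network-list value SPLIT-TUNNEL
"""

def parse_standard_acls(config):
    """Map each standard ACL name to the list of networks it permits."""
    acls = {}
    for line in config.splitlines():
        p = line.split()
        if len(p) < 6 or p[0] != "access-list" or p[2:4] != ["standard", "permit"]:
            continue
        target = f"{p[5]}/32" if p[4] == "host" else f"{p[4]}/{p[5]}"
        acls.setdefault(p[1], []).append(str(ipaddress.ip_network(target)))
    return acls

def parse_group_policy(config, name):
    """Read split-tunnel-policy and network-list from one group-policy's attributes."""
    gp, in_attrs = {}, False
    for raw in config.splitlines():
        line = raw.strip()
        if line == f"group-policy {name} attributes":
            in_attrs = True
            continue
        if not raw.startswith(" "):      # an unindented line ends the attributes block
            in_attrs = False
        if in_attrs and line.startswith("split-tunnel-policy "):
            gp["policy"] = line.split()[1]
        elif in_attrs and line.startswith("split-tunnel-network-list value "):
            gp["acl"] = line.split()[-1]
    return gp

def expected_client_routes(config, gp_name, local_lan_access):
    """Predict the client's Route Details as (secured routes, non-secured routes);
    excluded networks are only listed once Local LAN access is on, as the replies state."""
    gp = parse_group_policy(config, gp_name)
    nets = parse_standard_acls(config).get(gp.get("acl"), [])
    policy = gp.get("policy", "tunnelall")
    if policy == "tunnelspecified":
        return nets, []
    if policy == "excludespecified":
        return ["0.0.0.0/0"], (nets if local_lan_access else [])
    return ["0.0.0.0/0"], []             # tunnelall: everything goes through the tunnel
```

Running it against the thread's excludespecified policy with Local LAN access off reproduces Jose's symptom (only 0.0.0.0/0 secured, nothing excluded); switching the flag on, or the policy to tunnelspecified, lists the 72.x host.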
