09-21-2012 12:49 PM
Hi everybody,
I've been working with a Remote Access VPN where everything should be tunneled via VPN but the traffic to a specific Public IP. I tried to use the "excludespecified" statement in the group-policy but it does not work. When the VPN Client gets connected to the ASA and I check the Route Details -> Secured Routes I can only see 0.0.0.0/0. But when I use the "tunnelspecified" statement it works as it should and the Secured Routes are listed properly.
My configuration is:
access-list SPLIT-TUNNEL standard permit host 72.XX.XX.XX
!
group-policy TEST internal
group-policy TEST attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy excludespecified
split-tunnel-network-list value SPLIT-TUNNEL
!
tunnel-group TEST type remote-access
tunnel-group TEST general-attributes
address-pool admin-pool
authentication-server-group RADIUS
default-group-policy TEST
tunnel-group TEST ipsec-attributes
pre-shared-key *
I have searched for a Bug or something but I could not find anything. These are the Software versions:
ASA: 8.2(1)11
ASDM: 6.2(1)
VPN Client: 5.0.07.0410
Thanks in advance,
Jose
09-21-2012 12:56 PM
Hello Jose,
In your VPN client, have you selected the "Allow Local LAN access" check box?
Can you please test it with that option enabled and let us know the results?
Don't just look at the secure routes, after enabling that option try to send real traffic to the public IP address.
Daniel Moreno
Please rate any post you find useful
09-21-2012 01:35 PM
Hi,
Indeed as mentioned by Daniel, most likely you are missing the "Allow Local LAN access" option.
You can find it here:
On the other hand, you should see the 72.x.x.x in the Local LAN routes:
Once you enable the check box it should work fine.
Thanks.
Portu.
10-17-2013 11:02 AM
If you are using the Cisco AnyConnect client rather than the older VPN Client, you must turn on this checkbox before split-tunneling exclusions will work:
1) Open Cisco ASDM
2) Click Remote Access VPN section
3) In left-hand pane choose Network (Client) Access > AnyConnect Client Profile
4) Edit the profile and place a checkmark in the box next to Local LAN Access
5) Click OK and then disconnect/reconnect to VPN and check the AnyConnect details window for 'Route Details'. You should see your excluded networks in the 'Non-Secured Routes' section of the AnyConnect client.
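An added audit helper (not code from this thread or from Cisco) that parses an ASA config in the form shown above, reports each group-policy's split-tunnel mode and the networks its ACL names, and flags the excludespecified policies whose exclusions only take effect once Local LAN Access is enabled on the client, which is the point this thread resolves. The sample config is constructed: it reuses the TEST policy from the original post with 198.51.100.10 standing in for the redacted 72.XX.XX.XX, plus a hypothetical STAFF policy so both modes appear.

```python
import re
from typing import Dict, List

# Constructed sample config (hypothetical STAFF policy and addresses added for contrast).
SAMPLE_CONFIG = """
access-list SPLIT-TUNNEL standard permit host 198.51.100.10
access-list INSIDE-NETS standard permit 10.10.0.0 255.255.0.0
!
group-policy TEST internal
group-policy TEST attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy excludespecified
 split-tunnel-network-list value SPLIT-TUNNEL
!
group-policy STAFF internal
group-policy STAFF attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value INSIDE-NETS
"""

ACL_RE = re.compile(r"^access-list (\S+) standard permit (?:host (\S+)|(\S+) (\S+))$")


def parse_acls(config: str) -> Dict[str, List[str]]:
    """Collect standard ACL entries as 'network/mask' strings keyed by ACL name."""
    acls: Dict[str, List[str]] = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, host, net, mask = m.groups()
            entry = f"{host}/255.255.255.255" if host else f"{net}/{mask}"
            acls.setdefault(name, []).append(entry)
    return acls


def audit_split_tunnel(config: str) -> Dict[str, dict]:
    """Per group-policy: split-tunnel mode (ASA default is tunnelall), the ACL it
    references and its networks, and whether the mode relies on the client-side
    Local LAN Access setting (true only for excludespecified)."""
    acls, result, current = parse_acls(config), {}, None
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"^group-policy (\S+) attributes$", line):
            current = m.group(1)
            result[current] = {"policy": "tunnelall", "acl": None, "networks": [],
                               "needs_local_lan_access": False}
        elif current and (m := re.match(r"^split-tunnel-policy (\S+)$", line)):
            result[current]["policy"] = m.group(1)
            result[current]["needs_local_lan_access"] = m.group(1) == "excludespecified"
        elif current and (m := re.match(r"^split-tunnel-network-list value (\S+)$", line)):
            result[current]["acl"] = m.group(1)
            result[current]["networks"] = acls.get(m.group(1), [])
    return result
```

Run it against a `show running-config` capture to list which policies send traffic outside the tunnel and which of those still need the client-side checkbox before the exclusion works.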