Remote VPN Working, but Split Tunnel external traffic blocked?

Ben Sebborn
Level 1



Cisco ASA 5505

We have Remote VPN working and we can access our office network from a remote VPN client, and the other way around also.

We would now like to extend this config, so that when accessing a set of IPs on the internet (our website), any remote VPN clients must route their traffic over the VPN (so the website sees our office IP, not the remote client's internet IP).



VPN Pool:

External IP of website is within the group 'rackspace-public-ips'

We can successfully ping from <>

We can successfully access public internet addresses. However, when we enable a split tunnel, we cannot access the 'rackspace-public-ips' address any more.


access-list vpn_splitTunnelAcl_1 standard permit
access-list vpn_splitTunnelAcl_1 standard permit x.x.x.x
access-list vpn_splitTunnelAcl_1 standard permit x.x.x.x

(where x.x.x.x are the individual IPs defined within the rackspace-public-ips group)

access-list officenetwork_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1
object-group network officenetwork-network
object-group network DM_INLINE_NETWORK_1
 group-object rackspace-public-ips
global (publicinternet) 1 interface
nat (officenetwork) 0 access-list officenetwork_nat0_outbound
nat (officenetwork) 1
route publicinternet 1
group-policy vpn attributes
 dns-server value
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn_splitTunnelAcl_1
 default-domain value office.internal
 split-dns value office.internal

What am I missing guys?

3 Replies

Jouni Forss
VIP Alumni


Would really need more information.

From what I gather you have a /30 mask subnet and /29 mask subnet of public IP addresses? Are these located behind the ASA? I mean behind the "officenetwork" interface?

If these are actually public IP addresses on the "publicinternet" interface (or routed towards that interface, since you have 2 subnets) used in Static NAT configurations for the servers, then you are most likely running into a problem with the NAT configurations.

This would be because you are doing NAT0 for the internal IP addresses while you are actually trying to reach the public IP address.

If both of these public subnets are used as NAT IP address on the edge of the firewall and not behind it in the internal network (directly on the servers) then I was thinking that trying "deny" statements on the NAT0 configuration might do the trick. (If it was supported, I do remember that it should be supported but I am not 100% sure)

access-list officenetwork_nat0_outbound line 1 remark Avoid NAT0 for Server to VPN Client
access-list officenetwork_nat0_outbound line 2 deny ip host
access-list officenetwork_nat0_outbound line 3 deny ip host

and so on.

So whether any of the above makes sense depends on whether the public IP addresses are located behind the ASA on the internal network, or whether they are actually the public NAT IP addresses of hosts on the network.

- Jouni


I managed to fix this by adding the following:

nat (publicinternet) 1

Many thanks


That would seem to point to a situation where these servers are actually outside your network?

You are just tunneling the traffic towards some public servers through the VPN and out the ASA?

But again I have no idea what the actual setup is.

Main thing is, though, that it's working.

- Jouni
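The pattern behind Jouni's NAT explanation and Ben's `nat (publicinternet) 1` fix, written out as a complete ASA 8.2-style fragment. This is an added example, not the poster's config or Cisco's: all addresses are constructed placeholders, the object-group `vpn-pool` and the ACL `vpn_hairpin_nat` are names assumed here, and the policy-NAT form is assumed as a tighter scoping of the plain `nat (publicinternet) 1` statement from the thread.

```cisco
! Added example (not the thread's own config). ASA 8.2-style NAT syntax as used above.
! All addresses are constructed placeholders; replace with the real VPN pool, office LAN
! and the members of rackspace-public-ips.
object-group network officenetwork-network
 network-object 10.10.10.0 255.255.255.0
object-group network vpn-pool
 network-object 192.168.250.0 255.255.255.0
object-group network rackspace-public-ips
 network-object host 203.0.113.10
 network-object host 203.0.113.11

! Split tunnel: only the office LAN and the website IPs are sent through the tunnel.
access-list vpn_splitTunnelAcl_1 standard permit 10.10.10.0 255.255.255.0
access-list vpn_splitTunnelAcl_1 standard permit host 203.0.113.10
access-list vpn_splitTunnelAcl_1 standard permit host 203.0.113.11

! NAT0 (identity NAT) is for office LAN <-> VPN pool only. rackspace-public-ips does
! NOT belong here: those hosts are on the internet, and exempting them from NAT is
! exactly what leaves the VPN client's private address on packets that must go out.
access-list officenetwork_nat0_outbound extended permit ip object-group officenetwork-network object-group vpn-pool
nat (officenetwork) 0 access-list officenetwork_nat0_outbound

! Hairpin: VPN client traffic arrives on publicinternet and must leave via publicinternet
! again. Permit the U-turn, then NAT it to the outside address so the website sees the
! office IP. The thread's fix used a plain "nat (publicinternet) 1" statement; the ACL
! form below (assumed here) limits the hairpin NAT to VPN pool -> website traffic only.
same-security-traffic permit intra-interface
access-list vpn_hairpin_nat extended permit ip object-group vpn-pool object-group rackspace-public-ips
nat (publicinternet) 1 access-list vpn_hairpin_nat
global (publicinternet) 1 interface
```

After applying, `show xlate` from a connected VPN client session to the website should show a translation to the publicinternet interface address rather than an identity (NAT0) entry.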