Split Tunneling Not Working

Joshua Smick
Level 1

I'm working on a home lab setup with my 5506-X, and I've been having an issue configuring split tunneling.  Every change I seem to make either gives me internet access, gives me access to the LAN, or takes away both.  The current configuration I have has taken away both, and I'm a bit stumped.  I've attached the configuration.  Any guidance would be greatly appreciated!  

1 Accepted Solution

Accepted Solutions

Philip D'Ath
VIP Alumni

Change:

split-tunnel-policy excludespecified

to:

split-tunnel-policy tunnelspecified

I note you are using 192.168.0.0/24.  Make sure you are not VPN'ing from a 192.168.0.0/24 address as well (or a subnet that is also the same as the subnet you are trying to access remotely) or it will not work.

On the whole, you should avoid using 192.168.0.0/24 and 10.0.0.0/24 in production networks because they are so frequently used in home networks.

I also note you have IKEv2 configured.  IKEv2 does not support split tunnelling.  So make sure you are only using the AnyConnect client in SSL mode.

3 Replies


That did the trick.  I had to solve an issue with DNS traffic not making it across the tunnel after that, but it's fine now.  I've been meaning to change the IP address scheme, but then I would have to go in and change all the VLANs, IP addresses on the virtual machines, DNS names, etc.  

Hi Joshua,

You might want to tweak split-dns parameter under group-policy.

split-dns

To enter a list of domains to be resolved through the split tunnel, use the split-dns command in group-policy configuration mode. To delete a list, use the no form of this command.

To delete all split tunneling domain lists, use the no split-dns command without arguments. This deletes all configured split tunneling domain lists, including a null list created by issuing the split-dns none command.

When there are no split tunneling domain lists, users inherit any that exist in the default group policy. To prevent users from inheriting such split tunneling domain lists, use the split-dns none command.

split-dns { value domain-name1 domain-name2 domain-nameN | none }

no split-dns [ domain-name domain-name2 domain-nameN ]

Ref:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s16.html#pgfId-1560462


Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
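The accepted answer and the split-dns follow-up both come down to a handful of lines under the group-policy: the policy must be `tunnelspecified`, the networks in the split-tunnel ACL must not overlap the subnet the client is connecting from, and split-dns must name the domains the lab resolver should answer. The script below, added here as an illustration and not part of any post in this thread, parses a constructed ASA fragment (the group-policy name `HOMELAB_GP`, the ACL name `SPLIT_TUNNEL`, the `lab.example` domain and all addresses are made up for the example) and reports each of those three conditions, so the same check can be run against a real `show running-config` before a client reports "no internet and no LAN".

```python
import ipaddress
import re

# Constructed ASA configuration fragment (hypothetical names HOMELAB_GP and
# SPLIT_TUNNEL); it deliberately carries the excludespecified policy from the
# original question and has no split-dns line.
SAMPLE_CONFIG = """
access-list SPLIT_TUNNEL standard permit 192.168.0.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.10.20.0 255.255.255.0
group-policy HOMELAB_GP internal
group-policy HOMELAB_GP attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy excludespecified
 split-tunnel-network-list value SPLIT_TUNNEL
"""

ACL_LINE = re.compile(r"^access-list\s+(\S+)\s+standard\s+permit\s+(\S+)\s+(\S+)$")


def parse_standard_acl(config, acl_name):
    """Return the networks permitted by a standard ACL (network + netmask form)."""
    nets = []
    for line in config.splitlines():
        m = ACL_LINE.match(line.strip())
        if m and m.group(1) == acl_name:
            nets.append(ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False))
    return nets


def parse_group_policy(config, gp_name):
    """Collect the split-tunnel related attributes of one group-policy block."""
    attrs = {"policy": None, "acl": None, "split_dns": []}
    in_block = False
    for raw in config.splitlines():
        line = raw.rstrip()
        if line == f"group-policy {gp_name} attributes":
            in_block = True
            continue
        if not in_block:
            continue
        if not line.startswith(" "):
            # The attributes block is the run of indented lines that follows.
            in_block = False
            continue
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "split-tunnel-policy":
            attrs["policy"] = parts[1]
        elif parts[0] == "split-tunnel-network-list" and parts[1] == "value":
            attrs["acl"] = parts[2]
        elif parts[0] == "split-dns" and parts[1] == "value":
            attrs["split_dns"] = parts[2:]
    return attrs


def check_split_tunnel(config, gp_name, client_local_net):
    """Return a list of findings; an empty list means the three checks pass."""
    findings = []
    gp = parse_group_policy(config, gp_name)
    if gp["policy"] != "tunnelspecified":
        findings.append(
            f"split-tunnel-policy is {gp['policy']}; only tunnelspecified sends "
            "just the listed networks through the VPN and leaves the rest local"
        )
    tunneled = parse_standard_acl(config, gp["acl"]) if gp["acl"] else []
    if not tunneled:
        findings.append("no split-tunnel-network-list networks found")
    local = ipaddress.ip_network(client_local_net, strict=False)
    for net in tunneled:
        # A tunneled network that overlaps the client's own LAN is unroutable
        # from the client's point of view, which is the caveat in the answer.
        if net.overlaps(local):
            findings.append(f"tunneled network {net} overlaps the client's local network {local}")
    if not gp["split_dns"]:
        findings.append(
            "no split-dns domains; lab host names will be resolved by the client's local resolver"
        )
    return findings


if __name__ == "__main__":
    for finding in check_split_tunnel(SAMPLE_CONFIG, "HOMELAB_GP", "172.16.5.0/24"):
        print("-", finding)
```

Running it against the sample reports the `excludespecified` policy and the missing split-dns line; after swapping in `tunnelspecified` and adding `split-dns value lab.example` the only remaining way to get a finding is to connect from a client whose LAN is itself 192.168.0.0/24 or 10.10.20.0/24, which is exactly the overlap the accepted answer warns about.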