Tuesday, March 19, 2013

How to Configure Split-Tunneling on a Cisco ASA VPN

Split tunneling is used when you want to allow remote VPN users to connect directly to Internet resources while using a corporate VPN instead of routing that traffic through the VPN. Obviously, traffic to the internal corporate LAN still goes through the encrypted VPN tunnel, but other traffic goes directly through the public Internet. There are valid reasons for choosing either to use a split tunnel or not, mainly related to security.

Examples of Split Tunneling



Companion Video

I've created the following video to show you how to configure a split tunnel on a Cisco ASA security appliance.


Here are the commands: 

Start by creating an access control list to permit a traffic-flow from the internal network:

access-list Split_Tunnel_List standard permit 192.168.101.0 255.255.255.0

Next, enter attributes configuration mode for the desired VPN group policy (in this example, the group-policy name is Account Reps NA):

group-policy "GroupPolicy_Account Reps NA" attributes

Now, specify the split tunnel mode. You can choose from the following three options:

  • excludespecified (exclude only networks specified by split-tunnel-network-list)
  • tunnelall (tunnel everything)
  • tunnelspecified (tunnel only networks specified by split-tunnel-network-list)

split-tunnel-policy tunnelspecified     
split-tunnel-network-list value Split_Tunnel_List

Watch the video for a complete demonstration of each of the commands.

For More Cisco ASA Configuration Information

Pick up a copy of my configuration guide The Accidental Administrator: Cisco ASA Security Appliance, available through Amazon and other resellers.

Please Leave a Comment

If you find this tutorial helpful or if you notice something that needs to be corrected, please leave a comment.

5 comments:

Limro said...

What should I do if I wanted the 'wihtOUT' setup?

Unknown said...

Very nice. Thanks.

Unknown said...

Nancy, you're welcome. I'm glad it was helpful.

naitik said...

very nice..thank you..

Can you please explain:
ciscoasa(config)#access-list Local_LAN_Access remark Client Local LAN Access
ciscoasa(config)#access-list Local_LAN_Access standard permit host 0.0.0.0

#split-tunnel-policy excludespecified
#split-tunnel-network-list value Local_LAN_Access

I have query regarding default route and all traffic, as of now when i configured this my all traffics is going through Remote Firewall only, how can i exclude particular network ?

Andre said...

Thank-you Don for the concise clear demonstration and explanation. Thank-you