We have an external company who has access into a few subnets of our LAN via a network connect policy.
They have complained that when they connect via network connect they loose access to the Internet
Network Connect Access Policies we have defined the two subnets they need access to on our LAN.
I'm just not sure what Split Tunnel mode i should use.
Currently the split tunnel mode is "Enable Split Tunneling with allowed access to local subnet"
Is this the best way to configure split tunneling for this requirment?
Does anything else need to be configured
i had the same issue with external vendors using NC, it was assigning them one of the IP's on OUR network so their IP phones would lose connectivity, the only way i was able to correct this was moving them to WSAM
Enabling split tunneling is the way to allow access to VPN protected resources and simlutaneously allow access to internet.
Since you have selected 'Enable split tunneling with allowed access to local subnets' it just ensures that you still get access to your local network even after from where you are trying to estalish the SSL VPN connection.
Along with the network connect ACL's you will also need to add split tunneling policies which contains those 2 networks which are protected over SSL VPN.
Why you need network connect ACL's and split tunneling policies?
Split tunneling policy tell the client what traffic needs to be tunnled.
Network connect ACL's tell the SSL VPN device what traffic to allow and deny.
In order to clear things a bit more up for you:
Normally, when setting up a NC the default route is altered to send traffic to the SA. This means that all traffic not destined for the local subnets of your networkcards will be sent to the SA, including all internet traffic thus. You could allow the user to internet over your connection, but that wouldn't be very wise usually and due to the added delays undesirable too.
Anyways with split tunneling you can tell what subnets are behind the SA. Then only routes for those subnets are added and pointed to the SA. You can verify this in your routing table. All other traffic will take the normal routes as already configured on the client machine.
Here you can see my routing table with split tunneling:
flaptoppy ~ # route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.20.30.254 0.0.0.0 255.255.255.255 UH 1 0 0 eth0
18.104.22.168 10.20.30.254 255.255.255.255 UGH 1 0 0 eth0
192.168.255.0 10.230.255.1 255.255.255.0 UG 1 0 0 tun0
10.20.30.0 0.0.0.0 255.255.255.0 U 1 0 0 eth0
10.240.0.0 10.230.255.1 255.255.0.0 UG 1 0 0 tun0
127.0.0.0 127.0.0.1 255.0.0.0 UG 0 0 0 lo
0.0.0.0 10.20.30.254 0.0.0.0 UG 0 0 0 eth0
As you can see only 192.168.255.0/24 and 10.240.0.0/16 are routed to the SA. Hope this clarifies.