Showing results for 
Search instead for 
Did you mean: 

Split Tunnel problem.

Occasional Contributor

Split Tunnel problem.

We have an external company who has access into a few subnets of our LAN via a network connect policy.

They have complained that when they connect via network connect they loose access to the Internet

Network Connect Access Policies we have defined the two subnets they need access to on our LAN.

I'm just not sure what Split Tunnel mode i should use.

Currently the split tunnel mode is "Enable Split Tunneling with allowed access to local subnet"

Is this the best way to configure split tunneling for this requirment?

Does anything else need to be configured

Regular Contributor

Re: Split Tunnel problem.

i had the same issue with external vendors using NC, it was assigning them one of the IP's on OUR network so their IP phones would lose connectivity, the only way i was able to correct this was moving them to WSAM

Frequent Contributor

Re: Split Tunnel problem.

Enabling split tunneling is the way to allow access to VPN protected resources and simlutaneously allow access to internet.

Since you have selected 'Enable split tunneling with allowed access to local subnets' it just ensures that you still get access to your local network even after from where you are trying to estalish the SSL VPN connection.

Along with the network connect ACL's you will also need to add split tunneling policies which contains those 2 networks which are protected over SSL VPN.

Why you need network connect ACL's and split tunneling policies?

Split tunneling policy tell the client what traffic needs to be tunnled.

Network connect ACL's tell the SSL VPN device what traffic to allow and deny.

Occasional Contributor

Re: Split Tunnel problem.

In order to clear things a bit more up for you:

Normally, when setting up a NC the default route is altered to send traffic to the SA. This means that all traffic not destined for the local subnets of your networkcards will be sent to the SA, including all internet traffic thus. You could allow the user to internet over your connection, but that wouldn't be very wise usually and due to the added delays undesirable too.

Anyways with split tunneling you can tell what subnets are behind the SA. Then only routes for those subnets are added and pointed to the SA. You can verify this in your routing table. All other traffic will take the normal routes as already configured on the client machine.

Here you can see my routing table with split tunneling:

flaptoppy ~ # route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface UH 1 0 0 eth0 UGH 1 0 0 eth0 UG 1 0 0 tun0 U 1 0 0 eth0 UG 1 0 0 tun0 UG 0 0 0 lo UG 0 0 0 eth0

As you can see only and are routed to the SA. Hope this clarifies.

Super Contributor

Re: Split Tunnel problem.

You need to keep in mind that the 'allow access to local subnet' is doing just that. If that company has an internal network of and have subnetted that /16 network into various /24s, then while they will continue to have access to 10.32.x.0/24, they won't be able to access any other internal subnets. It it were me, I'd have purchasing and legal (who negotiated the contract) ammend the contract to specifiy the use of a site-to-site VPN with appropriate f/w rules for both parties. I realize that this doesn't answer your question, but would be how I would handle it because even if you allow NC over ESP, only the first user connected is going to be able to use it, everyone else will fall back to NC over SSL.