71-8
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter71 Configuring Easy VPN Services on the ASA 5505
Configuring Split Tunneling
hostname(config)# no vpnclient trustpoint
hostname(config)#
Configuring Split Tunneling
Split tunneling lets a remote-access IPsec client conditionally direct packets over an IPsec tunnel in
encrypted form or to a network interface in clear text form.
The Easy VPN server pushes the split tunneling attributes from the group policy to the Easy VPN Client
for use only in the work zone. See Configuring Split-Tunneling Attributes, page67-49 to configure split
tunneling on the Cisco ASA 5505.
Enter the following command in global configuration mode to enable the automatic initiation of IPsec
tunnels when NEM and split tunneling are configured:
[no] vpnclient nem-st-autoconnect
no removes the command from the running configuration.
For example:
hostname(config)# vpnclient nem-st-autoconnect
hostname(config)#
Configuring Device Pass-Through
Devices such as Cisco IP phones, wireless access points, and printers are incapable of performing
authentication. Enter the following command in global configuration mode to exempt such devices from
authentication, thereby providing network access to them, if individual user authentication is enabled:
[no] vpnclient mac-exempt mac_addr_1 mac_mask_1 [mac_addr_2 mac_mask_2...mac_addr_n
mac_mask_n]
no removes the command from the running configuration.
mac_addr is the MAC address, in dotted hexadecimal notation, of the device to bypass individual
user authentication.
mac_mask is the network mask for the corresponding MAC address. A MAC mask of ffff.ff00.0000
matches all devices made by the same manufacturer. A MAC mask of ffff.ffff.ffff matches a single
device.
Note The mac-exempt list cannot exceed 15.
Only the first six characters of the specific MAC address are required if you use the MAC mask
ffff.ff00.0000 to specify all devices by the same manufacturer. For example, Cisco IP phones have the
Manufacturer ID 00036b, so the following command exempts any Cisco IP phone, including Cisco IP
phones, you might add in the future:
hostname(config)# vpnclient mac-exempt 0003.6b00.0000 ffff.ff00.0000
hostname(config)#