69-112
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 69 General VPN Setup
System Options
Configuring SSL VPN Connections, Advanced
The advanced options include configuring split tunneling, IE browser proxy, and group-policy related
attributes for SSL VPN/AnyConnect clients and IPsec clients.
Configuring Split Tunneling
Split tunneling lets you specify that certain data traffic is encrypted (“goes through the tunnel”), while
the remainder is sent in the clear (unencrypted). Split-tunneling network lists distinguish networks that
require traffic to go through the tunnel from those that do not require tunneling. The ASA makes
split-tunneling decisions based on a network list, which is an ACL consisting of a list of addresses on
the private network.

Differences in Client Split Tunneling Behavior for Traffic within the Subnet

The AnyConnect client and the legacy Cisco VPN client (the IPsec/IKEv1 client) behave differently
when passing traffic to sites within the same subnet as the IP address assigned by the ASA. With
AnyConnect, the client passes traffic to all sites specified in the split tunneling policy you configured,
and to all sites that fall within the same subnet as the IP address assigned by the ASA. For example, if
the IP address assigned by the ASA is 10.1.1.1 with a mask of 255.0.0.0, the endpoint device passes all
traffic destined to 10.0.0.0/8, regardless of the split tunneling policy.
By contrast, the legacy Cisco VPN client only passes traffic to addresses specified by the split-tunneling
policy, regardless of the subnet assigned to the client.
Therefore, use a netmask for the assigned IP address that properly references the expected local subnet.
Fields
DNS Names—Specify one or more DNS names to which this policy applies.

Send All DNS Lookups Through Tunnel—Instructs the AnyConnect client to resolve all DNS addresses through the VPN tunnel (SSL or IPsec/IKEv2). If DNS resolution fails, the address remains unresolved and the AnyConnect client does not try to resolve the address through public DNS servers. If you choose No (the default), the client sends DNS queries over the tunnel according to the split-tunnel policy.

Policy—Selects the split-tunneling policy, specifying whether to include in or exclude from the tunnel the networks in the indicated network list. If you do not select Inherit, the default is Exclude Network List Below.

Network List—Selects the networks to which to apply the split-tunneling policy. If you do not select Inherit, the default is --None--.

If you use extended ACLs, the source network determines the split-tunneling network; the destination network is ignored. In addition, because the keyword any is not an actual IP address or network address, do not use any as the source in the ACL.
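The following is an added model, not code from the Cisco guide or from any Cisco product, of the two decisions described above: how a split-tunnel network list is derived from standard and extended ACEs (source network only, the keyword any rejected), and how the AnyConnect client and the legacy IPsec/IKEv1 client differ for destinations inside the subnet of the assigned address. The ACL text, the function names and the policy strings "include" and "exclude" (standing for Tunnel Network List Below and Exclude Network List Below) are assumptions made for this example; the guide's phrase "passes traffic" is read here as "sends the traffic through the tunnel".

```python
import ipaddress
from typing import List

# Constructed sample network list in ASA access-list syntax (not taken from
# the guide). This is the ACL you would select as the "Network List" in ASDM.
SAMPLE_ACL = """
access-list SPLIT standard permit 10.20.0.0 255.255.0.0
access-list SPLIT extended permit ip 192.168.50.0 255.255.255.0 any
access-list SPLIT standard deny 172.16.99.0 255.255.255.0
access-list SPLIT standard permit 172.16.5.0 255.255.255.0
"""


class SplitTunnelConfigError(ValueError):
    """Raised for an ACE that cannot be used in a split-tunnel network list."""


def parse_network_list(acl_text: str) -> List[ipaddress.IPv4Network]:
    """Build the split-tunnel network list from ASA-style ACEs (hypothetical
    parser covering only the 'standard' and 'extended ... ip' forms).

    Standard ACEs contribute their network. Extended ACEs contribute only the
    source network; the destination is ignored, as the guide states. A source
    of 'any' is rejected because it is not a real IP address or network.
    """
    nets = []
    for raw in acl_text.strip().splitlines():
        f = raw.split()
        if len(f) < 5 or f[0] != "access-list":
            raise SplitTunnelConfigError(f"unrecognised ACE: {raw!r}")
        kind, action = f[2], f[3]
        if kind == "standard":
            src_index = 4   # access-list NAME standard permit NET MASK
        elif kind == "extended":
            src_index = 5   # access-list NAME extended permit PROTO SRC MASK DST MASK
        else:
            raise SplitTunnelConfigError(f"unsupported ACE type {kind!r}")
        src = f[src_index] if len(f) > src_index else None
        if src == "any":
            raise SplitTunnelConfigError(f"'any' is not a network; bad source in {raw!r}")
        if src is None or len(f) < src_index + 2:
            raise SplitTunnelConfigError(f"unrecognised ACE: {raw!r}")
        if action != "permit":
            continue        # deny entries do not add a network to the list
        nets.append(ipaddress.IPv4Network(f"{src}/{f[src_index + 1]}", strict=False))
    return nets


def network_list_is_valid(acl_text: str) -> bool:
    """True if every ACE in the text is usable as a split-tunnel entry."""
    try:
        parse_network_list(acl_text)
        return True
    except SplitTunnelConfigError:
        return False


def goes_through_tunnel(dest: str, *, policy: str, network_list, assigned_ip: str,
                        assigned_mask: str, client: str) -> bool:
    """Model of one client's split-tunnel decision for a single destination.

    policy: "include" (Tunnel Network List Below) or "exclude" (Exclude Network List Below).
    client: "anyconnect" or "legacy" (the IPsec/IKEv1 Cisco VPN client).
    """
    d = ipaddress.IPv4Address(dest)
    listed = any(d in net for net in network_list)
    if policy == "include":
        tunneled = listed
    elif policy == "exclude":
        tunneled = not listed
    else:
        raise SplitTunnelConfigError(f"unknown policy {policy!r}")
    if client == "anyconnect":
        # AnyConnect also sends traffic for the whole subnet of the assigned
        # address into the tunnel, regardless of the policy: the guide's
        # 10.1.1.1 / 255.0.0.0 case pulls in all of 10.0.0.0/8.
        local = ipaddress.IPv4Network(f"{assigned_ip}/{assigned_mask}", strict=False)
        if d in local:
            return True
    elif client != "legacy":
        raise SplitTunnelConfigError(f"unknown client {client!r}")
    return tunneled


if __name__ == "__main__":
    nl = parse_network_list(SAMPLE_ACL)
    print("network list:", [str(n) for n in nl])
    for mask in ("255.0.0.0", "255.255.255.0"):
        for client in ("anyconnect", "legacy"):
            t = goes_through_tunnel("10.99.0.1", policy="include", network_list=nl,
                                    assigned_ip="10.1.1.1", assigned_mask=mask, client=client)
            print(f"mask {mask:15} client {client:10} 10.99.0.1 tunneled={t}")
```

Running the block shows the guide's point directly: with the assigned address 10.1.1.1 and mask 255.0.0.0, AnyConnect tunnels 10.99.0.1 even though no ACE covers it, while the legacy client does not; with mask 255.255.255.0 both clients agree. Feeding the function an ACE whose source is any returns a configuration error rather than a network list.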
Firewall Mode           Security Context
Routed   Transparent    Single   Multiple Context   System
——