33-21
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 33 Configuring Policy Objects for Remote Access VPNs
ASA Group Policies Dialog Box
ASA Group Policies Split Tunneling Settings
Use the Split Tunneling settings to configure a secure tunnel to the central site and simultaneous clear-text tunnels to the Internet. These settings apply to Easy VPN and remote access IPsec and SSL VPN configurations.

Split tunneling lets a remote client conditionally direct packets over an IPsec or SSL VPN tunnel in encrypted form or to a network interface in clear-text form. With split tunneling enabled, packets not bound for destinations on the other side of the tunnel do not have to be encrypted, sent across the tunnel, decrypted, and then routed to a final destination. The split tunneling policy is applied to specific networks.

Tip: For optimum security, we recommend that you not enable split tunneling.
Navigation Path
Select Split Tunneling from the table of contents in the ASA Group Policies Dialog Box, page 33-1.
Field Reference
Table 33-12 ASA Group Policies DNS/WINS Settings (Continued)
Element: Description
Secondary WINS Server: The IP address of the secondary WINS server for the group. Enter the IP address or the name of a network/host object, or click Select to select an object from a list or to create a new object.
DHCP Network Scope: The scope of the DHCP network for the group. Enter the IP network address or the name of a network/host object, or click Select to select an object from a list or to create a new object.
Default Domain: The default domain name for the group. The default, blank, is none.
Table 33-13 ASA Group Policies Split Tunneling Settings
Element: Description
DNS Names: A list of domain names to be resolved through the split tunnel. All other names are resolved using the public DNS server. If you do not enter a list, the list is inherited from the default group policy. Separate multiple entries with spaces or commas. The entire string can be a maximum of 255 characters.
Send all DNS traffic through the tunnel: Whether the AnyConnect client should resolve all DNS addresses through the VPN tunnel (SSL or IPsec/IKEv2). If DNS resolution through the tunnel fails, the address remains unresolved and the AnyConnect client does not try to resolve the address through public DNS servers. If you do not select this option, the client sends DNS queries over the tunnel according to the split tunnel policy specified by the Tunnel Option setting.
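The following is an added example (not Cisco code and not configuration generated by Security Manager) that models the decisions described above: which destinations the client sends through the tunnel under a split tunneling policy, how the space- or comma-separated DNS Names field (255-character limit) is parsed, and how the "Send all DNS traffic through the tunnel" option removes the fallback to public DNS when tunnel resolution fails. The function names, the two DNS "views" and all sample addresses and domain names are constructed for illustration.

```python
"""Model of ASA group-policy split tunneling and split DNS behaviour.

Added example only: the function names and sample data are constructed,
and nothing here is Cisco's implementation.
"""
import ipaddress
import re

MAX_DNS_NAMES_LEN = 255            # limit stated for the DNS Names field
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def parse_dns_names(field):
    """Split the DNS Names field (space- or comma-separated) into domains.

    Raises ValueError if the whole string exceeds 255 characters or an
    entry is not a syntactically valid domain name.
    """
    if len(field) > MAX_DNS_NAMES_LEN:
        raise ValueError("DNS Names exceeds %d characters" % MAX_DNS_NAMES_LEN)
    names = []
    for entry in re.split(r"[\s,]+", field.strip()):
        if not entry:
            continue
        labels = entry.rstrip(".").lower().split(".")
        if not all(_LABEL.match(label) for label in labels):
            raise ValueError("invalid domain name: %r" % entry)
        names.append(".".join(labels))
    return names


def name_matches(hostname, domain):
    """True if hostname equals domain or is a subdomain of it."""
    host = hostname.rstrip(".").lower()
    return host == domain or host.endswith("." + domain)


def resolve_via(hostname, split_dns_names, send_all_dns_through_tunnel):
    """Where the client sends the DNS query: 'tunnel' or 'public'.

    With the send-all option set, every query goes through the tunnel;
    otherwise only names covered by the DNS Names list do.
    """
    if send_all_dns_through_tunnel:
        return "tunnel"
    if any(name_matches(hostname, d) for d in split_dns_names):
        return "tunnel"
    return "public"


def resolve(hostname, split_dns_names, send_all_dns_through_tunnel,
            tunnel_dns, public_dns):
    """Simulate resolution against two constructed DNS views.

    Returns the address, or None when the chosen view cannot resolve the
    name. With send-all set there is deliberately no second attempt via
    public DNS, matching the documented client behaviour.
    """
    path = resolve_via(hostname, split_dns_names, send_all_dns_through_tunnel)
    view = tunnel_dns if path == "tunnel" else public_dns
    return view.get(hostname.rstrip(".").lower())


def packet_path(dst, split_networks):
    """'tunnel' if dst lies inside a split-tunnel network, else 'clear'."""
    addr = ipaddress.ip_address(dst)
    return "tunnel" if any(addr in net for net in split_networks) else "clear"


# Constructed sample data: an internal-only DNS view reachable through
# the tunnel, and the public DNS view reachable in clear text.
TUNNEL_DNS = {"intranet.example.com": "10.1.2.3"}
PUBLIC_DNS = {"www.example.net": "203.0.113.10"}
SPLIT_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

if __name__ == "__main__":
    names = parse_dns_names("example.com, corp.example.com internal.test")
    print(names)
    print(packet_path("10.1.2.3", SPLIT_NETWORKS), packet_path("203.0.113.10", SPLIT_NETWORKS))
    print(resolve("www.example.net", names, False, TUNNEL_DNS, PUBLIC_DNS))
    print(resolve("www.example.net", names, True, TUNNEL_DNS, PUBLIC_DNS))
```

Running the script shows the practical consequence of the send-all option: a public name that the tunnel DNS view cannot answer stays unresolved instead of falling back to the public server, which is the trade-off an administrator accepts in exchange for keeping every query inside the tunnel.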