(Mostly) No split-tunnel on Cisco VPN Clients

Split tunnel is where the person connected to your corporate network via their VPN can also go willy-nilly to the Internet at the same time. This is generally considered to be a bad thing, though I have heard a “security consultant” recommend, with me in the room, that the customer go ahead and do this because it made it easier for him to connect.

Bad consultant. He should learn about bots, back-doors and viruses/worms in general.

However, there is an issue with no-split-tunnel in the Cisco world, or at least with VPN client version 5 and the ASA, and at least when trying to be selective. By that I mean: what if I want to reach one thing locally and tunnel the rest?

The problem appears as soon as you don’t select “Tunnel Everything” and instead use “Tunnel Network List Below”: trying to tell it to tunnel “any”, or even something like a won’t stop traffic from going to everything behind the local interface. It seems that the local /24 wins the most-specific-route contest against the “tunnel this specific /8” entry that gets pushed down.

To use “Tunnel Network List Below” and still prevent local traffic, add an entry to the ACL that matches the /24 of the local LAN (assuming it’s a /24; you get the idea). Now when you display the routing table while the VPN is connected (netstat -nr on Windows or Unix) you will see the local LAN route but also a matching route from the VPN, and it now stands a chance of winning.
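As an added example (not the author's own configuration), here is what the fix above looks like in ASA CLI, with the weak tunnel list beside the corrected one. The names and addresses are assumed: the corporate network is 10.0.0.0/8 and the remote user's local LAN is 192.168.1.0/24.

```cisco
! Added example, not from the original post. Names and addresses are assumed:
! corporate network 10.0.0.0/8, remote user's local LAN 192.168.1.0/24.

! Weak setting: only the corporate /8 is tunneled. On the client, the directly
! connected 192.168.1.0/24 route is more specific than the pushed /8, so
! traffic to anything on the local LAN bypasses the tunnel.
access-list SPLIT_TUNNEL_WEAK standard permit 10.0.0.0 255.0.0.0

! Corrected setting: also list the client's local /24 in the tunnel network
! list. The client then receives a /24 route via the VPN with the same prefix
! length as the local interface route, so it can compete with it.
access-list SPLIT_TUNNEL standard permit 10.0.0.0 255.0.0.0
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0

group-policy REMOTE_USERS internal
group-policy REMOTE_USERS attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! For reference, "Tunnel Everything" in the client corresponds to:
!  split-tunnel-policy tunnelall
```

To verify, run netstat -nr on the connected client: the local /24 should appear both via the local interface and via the VPN adapter.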

See my next post about why the access list seems to be reversed when applying an ACL to a VPN as either a tunnel list or a filter list.

  1. #1 by Bil on May 2nd, 2009

    Okay, I lied, here is a one step fix. http://support.microsoft.com/kb/969144
