Connect with us

Hi, what are you looking for?


Split Tunneling in Cisco VPN and AnyConnect Client – Team Karneliuk

Split Tunneling in Cisco VPN and AnyConnect Client – Team Karneliuk


Hello my friend,

In this article I want to cover the topic of split tunneling, which is part of VPN technologies. It is a very good technology that can help you introduce new services to your network on a per-user basis without having to create a site-to-site VPN. Cisco VPN Client and Cisco AnyConnect Client both offer you this capability, so we’ll compare them and identify differences in configuration. ready?


One of the main goals of my blog is to help you and help me prepare for CCIE SP. On the other hand, there are a lot of practical cases that happen in my job. And while it’s not essential in regards to an SP file, it has great practical value and can help you shorten the time needed for execution and troubleshooting of networking solutions. Just copy and paste it.

The main idea of ​​digging spilled tunnels

From the wording itself you can understand that we divide something. In the case of a VPN tunnel, we split the traffic so that part of it is sent through the tunnel, and the second part is sent normally over the local area network (LAN). If we talk about an ordinary IPSec VPN, then this division is achieved by access lists (ACLs), which select interesting traffic. Interesting traffic means that the IP packets of this stream correspond to the IP addresses of the source/destination and/or transport ports in the access list associated with the VPN.

In the case of remote access VPNs, either we are using SSL’s IPSec, we don’t have any client-side configured access lists. So all the configuration is done at the end of the VPN, which is usually Cisco ASA nowadays if we talk about Cisco Systems. Also, the client is now usually Cisco AnyConnect. Previously it was also a Cisco VPN client, but today it has expired and support has ended. Split tunneling in a remote access VPN is usually accomplished by an authorization process.

In two words we can explain this process as follows.

If the name is “ABC” and you are authenticated, you can access the network “”

This is. Split tunneling has a direct logic in its background.

real world scenario

I can give you a real world scenario, where you can use this solution. If your company uses some external application or database that requires access to another company’s internal resources or you provide this service yourself, split tunneling is a prime option for you. If you need to provide access to this service for a lot of employees, you should use a Site-to-Site VPN. However, remote access VPN helps you to simplify connection service management, as you only have to configure one profile for all external users.

How it works – Cisco AnyConnect Client

Cisco AnyConnect Client is the only Cisco software client you should use right now. The primary transport can be either SSL or IPSec, but in any case this configuration is done at the end of the VPN header.

To be more precise, let’s say we want to provide network access to clients. Let’s take a look at how configuration is done in Cisco ASA.

First of all, you have to configure AnyConnect profile in VPN tab for remote access. So you can get there via “Configuration” -> “Remote Access VPN” -> “AnyConnect Connection Profile”.

To create a new one, you must press “Add” and to modify the existing list, you must press “Modify”. In our case, the necessary profile is already configured, so we use “Edit”.

It is the main part of AnyConect profile configuration, and from here you can access all the details. The most important option here is Group Policy, where you can configure the Tunnel OS parameter, supported protocols, and also split tunneling. But before we move on to configuring the policy, we need to create the necessary alias and URL in order to have the ability to link to that particular profile and get those particular paths.

This URL will be used more when you create a VPN connection, so we will enter “” in the Cisco AnyConnect client. Ok, that part is done and we can proceed with configuring the policy.

In addition to the previous images, you must either “add” a new policy or “edit” an existing one. I omitted the tunnel protocol configuration because it is not relevant to the article. You can configure whatever you want for Cisco AnyConnect. But what is convenient is the “Split Tunneling” configuration under the “Advanced” configuration.

There are three options for how to perform a VPN tunnel for remote access. The first is “Tunnel all traffic”, which means that all traffic is tunneled from the remote machine to that Cisco ASA. From a technical point of view, it appears that the remote client only receives the default route “” from the VPN master end and installs it into its routing table at the lowest scale. It’s not just about providing access to certain resources (network The second option is “Tunnel Network List Below”. This means that only those paths allowed in the access list chosen in the Network List will be installed. This is what we need for Cisco AnyConnect Split Tunneling. The third option will appear in the following case. So I select the policy type “tunnel network list below” instead of “inherit” and then select the necessary access list.

This is all about AnyConnect’s simple connection profile with split tunneling. We just apply and save the configuration. It will work as follows:

Send to the remote client the paths allowed by the access list. All other traffic must be sent locally without the VPN.

let’s try it. We open the Cisco AnyConnect client and enter the necessary link including the profile URL. After successful authentication we can see what paths we receive.

We have achieved our goal of providing only subnet access.

How it works – Cisco VPN Client

In fact, it is an old client that is no longer officially supported by Cisco. Despite this fact it is still widely used nowadays. It was fine some time ago, but if you now have the possibility to perform the migration to Cisco AnyConnect, you should definitely do so. The main problem with any transition to a new program is that customers may completely disagree with you, because they have to learn something new. About 70% of customers panic when they have to use new software. And try to avoid doing so by complaining to the account managers. Well, I ran into such a situation myself and had to configure the split tunneling of the Cisco VPN client. The main problem here is that it works very differently compared to Cisco AnyConnect.

For the legacy Cisco VPN client as well as for other third-party IPSec VPN clients, the configuration is done under “Configuration” -> “Remote Access VPN” -> “IPsec” [IKEv1] Connection Profile”. It looks exactly like the “AnyConnect” part, so we don’t provide a screenshot of it. There you can either “add” a new profile or “edit” an existing one.

There are two main differences compared to AnyConnect. The first is that you have to configure a pre-shared key for that profile. The same key will be configured later in the Cisco VPN Client as well. So you have two-factor authentication, where the first is the password for the profile and the second is the unique username/password for each user. The second difference is that you don’t know the URL or alias configuration of ant to access that profile. In fact, you have to configure the profile name, which is “Split_tunnel_VPN_Client” in our case, on the part of the Cisco VPN Client. We’ll show later how you can do this.

Then we configure group policy, to provide network access only

Here we come to the main difference. Remember, I said earlier that we have 3 options for split tunneling policies, while I only explained two? Well, time to explain the third. It’s called “Exclude Network List Below” and it works like this:

Don’t tunnel traffic only to certain subnets, other traffic must be routed to the front-end VPN.

It is the only Cisco VPN client supported mode. Unfortunately, it does not support “embed” mode, which is what we used for the Cisco AnyConnect profile. It is somewhat disappointing, because we have to make up a very long access list to cover this gap.

Actually it should be longer, but I don’t use any subnets beside or in my network. You should think of this ACL as:

The networks allowed in this ACL have been denied to be tunneling.

At the end of the day you should reject all subnets next to Silly, isn’t it? But it is the only way to achieve the necessary behavior with Cisco VPN Client. I’m assuming other vendors don’t have such a limitation in their VPN clients, and Cisco also doesn’t have that in their AnyConnect clients. But if you have to use the old Cisco VPN client, just use this solution.

Now, let’s configure the Cisco VPN client itself.

Under the Authentication tab, you can configure the profile name and pre-shared key that you have already configured in Cisco ASA.

In the “Transport” tab, the most important feature is “Allow access to the local LAN”. Without this feature enabled, received paths will not work properly.

Let’s test, if our configuration works.

After successful authentication we can check the parameters of the created tunnel. In the first tab, we must check that the local LAN connection is allowed. It assures us that traffic to the paths, which we have allowed to be excluded under the profile configuration, will be sent locally.

In the next tab, we already see that the default path points to VPN, but there are a lot of local LAN paths. In fact, all public paths and almost all private paths are a local LAN.


In this article, we compare the configuration and operation of split tunneling for software-based Cisco VPN solutions. Although Cisco VPN Client and Cisco AnyConnect Client are made by Cisco, their nature is completely different. This difference leads to a different approach to profile configuration. Generally, legacy VPN clients only have an option for IPSec and it uses IKEv1. Sometimes that brings a lot of problems, if you have VPN clients behind NAT and Site-to-Site VPN to the same end. On the other hand, AnyConnect gives you capabilities to use SSL instead of IPSec, which makes the VPN run at Layer 7 of the OSI model. So your long-term goal should be to migrate to Cisco AnyConnect, if you are using Cisco ASA as the main party.

lessons learned

Sometimes you cannot change the operating environment of your company or your partners. These constraints require you to be more flexible and open. I love these challenges, because solving them brings me a lot of fun and experience. If you can’t find a quick answer in the Cisco Configuration Guides, try to find your own answer. I am quite confident that a good understanding of network technologies will help you in any difficult situation.

support us

Support for new interoperability and automation articles at
I would like to support with:
9.99 € 4.99 € 24.99 € 49.99 € 99.99 € 199.99 €

Don’t forget to share this post with friends !

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *



AnyConnect certificate-based authentication. Cisco community 👨‍💻 The information in this document is based on the following software and hardware versions: ASA 5510 running software...


ITProPortal . Portal 👨‍💻 We live in a dynamic moment in terms of technology. Even criminals are becoming more technically savvy and are using...


Top 5 Free AV Packages – 👌 Bitdefender Antivirus Free Edition best interface Positives Works on Windows 7 and 8.1 Very easy to use...


Download antivirus for free. Best antivirus protection 👨‍💻 Protecting your identity, banking information and privacy Cybercriminals want your credit card details, passwords and other...