Split Tunnel not working Cisco ASA

Posted on 2008-06-25
Last Modified: 2012-08-14

I just installed and configured a new Cisco ASA 5510. I have enabled a Remote VPN config and users can connect just fine. For some reason when VPN'ed in users cannot access the internet. I have split tunneling enabled on the group policy but it's still not working.

Attached Cleaned config.

Thank You,
GPF-ASA-01# sh run

: Saved


ASA Version 7.2(3)16


hostname GPF-ASA-01


interface Ethernet0/0

 nameif outside

 security-level 0

 ip address X.X.78.19


interface Ethernet0/1

 nameif inside

 security-level 100

 ip address


interface Ethernet0/2


 no nameif

 no security-level

 no ip address


interface Ethernet0/3


 no nameif

 no security-level

 no ip address


interface Management0/0

 nameif management

 security-level 100

 ip address



ftp mode passive

dns server-group DefaultDNS


dns server-group Public

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list outside_access_in remark temporary access to download VPN Client

access-list outside_access_in extended permit tcp any interface outside eq ftp

access-list outside_access_in remark Allows Email from off site SPAM filter

access-list outside_access_in extended permit tcp X.X.45.224 interface outside eq smtp

access-list outside_access_in remark Allows Email from off site SPAM filter

access-list outside_access_in extended permit tcp host X.X.211.73 interface outside eq smtp

access-list outside_access_in remark Allows Email from off site SPAM filter

access-list outside_access_in extended permit tcp host X.X.216.115 interface outside eq smtp

access-list outside_access_in remark Access mail site.

access-list outside_access_in extended permit tcp any interface outside eq www

access-list outside_access_in remark Access mail site

access-list outside_access_in extended permit tcp any interface outside eq https

access-list G*******08!_splitTunnelAcl standard permit any

access-list inside_nat0_outbound extended permit ip any

access-list outside_in extended permit tcp any host X.X.78.19 eq ftp

access-list nonat extended permit ip

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

ip local pool VPN_IP_Pool mask

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-523.bin

asdm history enable

arp timeout 14400

global (outside) 101 interface

nat (inside) 0 access-list nonat

nat (inside) 101

static (inside,outside) tcp interface ftp ftp netmask

static (inside,outside) tcp interface https https netmask

static (inside,outside) tcp interface smtp smtp netmask

static (inside,outside) tcp interface www www netmask

access-group outside_access_in in interface outside

route outside X.X.79.6 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

aaa-server DomainController protocol radius

aaa-server DomainController (inside) host

 timeout 5

 key R********!

http server enable

http management

http inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 set pfs

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

 authentication pre-share

 encryption 3des

 hash sha

 group 2

 lifetime 86400

crypto isakmp nat-traversal  20

telnet inside

telnet timeout 5

ssh X.X.133.48 outside

ssh timeout 5

ssh version 2

console timeout 5

dhcpd address management

dhcpd enable management


group-policy DfltGrpPolicy attributes

 banner none

 wins-server value

 dns-server value

 dhcp-network-scope none

 vpn-access-hours none

 vpn-simultaneous-logins 3

 vpn-idle-timeout 30

 vpn-session-timeout none

 vpn-filter none

 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn

 password-storage disable

 ip-comp disable

 re-xauth disable

 group-lock none

 pfs disable

 ipsec-udp disable

 ipsec-udp-port 10000

 split-tunnel-policy tunnelall

 split-tunnel-network-list value G*********08!_splitTunnelAcl

 default-domain none

 split-dns none

 intercept-dhcp disable

 secure-unit-authentication disable

 user-authentication disable

 user-authentication-idle-timeout 30

 ip-phone-bypass disable

 leap-bypass disable

 nem disable

 backup-servers keep-client-config

 msie-proxy server none

 msie-proxy method no-modify

 msie-proxy except-list none

 msie-proxy local-bypass disable

 nac disable

 nac-sq-period 300

 nac-reval-period 36000

 nac-default-acl none

 address-pools none

 smartcard-removal-disconnect enable

 client-firewall none

 client-access-rule none


  functions url-entry

  html-content-filter none

  homepage none

  keep-alive-ignore 4

  http-comp gzip

  filter none

  url-list none

  customization value DfltCustomization

  port-forward none

  port-forward-name value Application Access

  sso-server none

  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information

  svc none

  svc keep-installer installed

  svc keepalive none

  svc rekey time none

  svc rekey method none

  svc dpd-interval client none

  svc dpd-interval gateway none

  svc compression deflate

group-policy GP********08! internal

group-policy G*********08! attributes

 dns-server value

 vpn-tunnel-protocol IPSec

 split-tunnel-policy tunnelall

 split-tunnel-network-list value G********8!_splitTunnelAcl

 address-pools value VPN_IP_Pool

tunnel-group G**********8! type ipsec-ra

tunnel-group G**********8! general-attributes

 address-pool VPN_IP_Pool

 authentication-server-group DomainController

 default-group-policy G**********8!

tunnel-group G**********8! ipsec-attributes

 pre-shared-key *


class-map inspection_default

 match default-inspection-traffic



policy-map type inspect dns preset_dns_map


  message-length maximum 512

policy-map global_policy

 class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp


service-policy global_policy global

prompt hostname context


Question by:RSMTECH_KC
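
An added example, not part of the original post: a Python check over the split-tunnel lines of a config like the one posted, flagging a group policy that sets `split-tunnel-network-list` while `split-tunnel-policy` is `tunnelall` (the ASA then tunnels all traffic and does not use the list) and a split-tunnel ACL that permits `any`. The sample is constructed from the posted lines with the placeholder names `EXAMPLE` and `EXAMPLE_splitTunnelAcl` standing in for the masked ones; `audit_split_tunnel` is a hypothetical helper name.

```python
import re

# Constructed sample: the split-tunnel lines of the posted config, with the
# masked names replaced by the placeholders EXAMPLE / EXAMPLE_splitTunnelAcl.
SAMPLE = """\
access-list EXAMPLE_splitTunnelAcl standard permit any
group-policy DfltGrpPolicy attributes
 split-tunnel-policy tunnelall
 split-tunnel-network-list value EXAMPLE_splitTunnelAcl
group-policy EXAMPLE internal
group-policy EXAMPLE attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelall
 split-tunnel-network-list value EXAMPLE_splitTunnelAcl
"""

def audit_split_tunnel(config):
    """Return (group_policy, finding) tuples for split-tunnel mismatches."""
    policies, acls, current = {}, {}, None
    for line in config.splitlines():
        line = line.rstrip()
        if not line:
            continue  # the posted config is double-spaced
        m = re.match(r"group-policy (\S+) attributes$", line)
        if m:
            current = policies.setdefault(m.group(1), {})
        elif not line[0].isspace():
            current = None  # any other top-level command ends the stanza
            m = re.match(r"access-list (\S+) standard (permit|deny) (.+)$", line)
            if m:
                acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif current is not None:
            m = re.match(r"\s+split-tunnel-(policy|network-list value) (\S+)$", line)
            if m:
                current["policy" if m.group(1) == "policy" else "acl"] = m.group(2)
    findings = []
    for name, gp in policies.items():
        policy, acl = gp.get("policy"), gp.get("acl")
        if policy == "tunnelall" and acl:
            findings.append((name, f"{acl} is set but policy is tunnelall: list unused, all traffic tunneled"))
        if policy in ("tunnelspecified", "excludespecified") and not acl:
            findings.append((name, f"policy {policy} has no split-tunnel-network-list"))
        if acl and ("permit", "any") in acls.get(acl, []):
            findings.append((name, f"{acl} permits any: it matches every destination"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_split_tunnel(SAMPLE):
        print(f"{name}: {finding}")
```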
1 Comment

Accepted Solution

RSMTECH_KC earned 0 total points
ID: 21870271


Question has a verified solution.
