Split tunnel setup on ASA 8.4 with ASDM 6.4

Posted on 2012-08-15
Last Modified: 2012-08-23
We have AnyConnect set up and working, except for split tunneling.

In ASDM 6.4 I went to: Remote Access VPN > Network (Client) Access > Group Policies > GroupPolicy_anyconnect_vpn > Edit > Advanced > Split Tunneling, then unchecked "Inherit" on Network List and selected an ACL called "SPLIT-TUNNEL".

The ACL is pasted below from the CLI; these are all of our internal networks. Everything is static routed and on the same VLAN.

SG-ASA-1# sho access-list SPLIT-TUNNEL
access-list SPLIT-TUNNEL; 10 elements; name hash: 0x25b1daf1
access-list SPLIT-TUNNEL line 1 extended permit ip (hitcnt=0) 0xe3a9484b
access-list SPLIT-TUNNEL line 2 extended permit ip (hitcnt=0) 0x377afd96
access-list SPLIT-TUNNEL line 3 extended permit ip (hitcnt=0) 0x0b4d6f9c
access-list SPLIT-TUNNEL line 4 extended permit ip (hitcnt=0) 0x7a6cc93f
access-list SPLIT-TUNNEL line 5 extended permit ip (hitcnt=0) 0xe228bdad
access-list SPLIT-TUNNEL line 6 extended permit ip (hitcnt=0) 0x317f80c8
access-list SPLIT-TUNNEL line 7 extended permit ip (hitcnt=0) 0xe4c276b0
access-list SPLIT-TUNNEL line 8 extended permit ip (hitcnt=0) 0x0c2dd3ab
access-list SPLIT-TUNNEL line 9 extended permit ip (hitcnt=0) 0x00a4d4e3
access-list SPLIT-TUNNEL line 10 extended permit ip (hitcnt=0) 0xfb381008

After that setting in the ASDM group policy, we tested unsuccessfully yesterday morning. They can connect and ping any of those inside networks, but have no internet. The ASA log showed the following when a VPN client tried to ping:

6      Aug 14 2012      07:51:04        4397      1433      Routing failed to locate next hop for TCP from to outside:

We can ping the inside network with no problem after connecting to the VPN from the outside. is our public IP that is on the outside interface, which is the IP we use for

Thanks in advance for any help.
Question by: WAMSINC

    Accepted Solution

    Split tunnel ACLs should be standard access lists.

    access-list SPLIT-TUNNEL line 1 standard permit ip
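    As an added check that is not part of the original thread: a small Python script that reads an ASA running-config, finds the ACL named by each group policy's split-tunnel-network-list, and flags any list that is undefined or contains extended entries, which is the mismatch the accepted answer points at. The configuration inside it is constructed; the networks and the GroupPolicy_fixed / GroupPolicy_typo names are placeholders, since the page shows no addresses.

```python
import re

# Constructed sample of an ASA running-config (not the poster's real config;
# the networks and extra group-policy names are placeholders).
SAMPLE_CONFIG = """\
access-list SPLIT-TUNNEL extended permit ip 10.10.0.0 255.255.0.0 any
access-list SPLIT-TUNNEL-STD standard permit 10.10.0.0 255.255.0.0
group-policy GroupPolicy_anyconnect_vpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
group-policy GroupPolicy_fixed attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL-STD
group-policy GroupPolicy_typo attributes
 split-tunnel-network-list value SPLIT-TUNEL
"""

ACL_RE = re.compile(r"^access-list (\S+) (standard|extended) ")
GP_RE = re.compile(r"^group-policy (\S+) attributes$")
LIST_RE = re.compile(r"^ split-tunnel-network-list value (\S+)$")

def acl_types(config: str) -> dict:
    """Map each ACL name to the set of ACE types (standard/extended) it contains."""
    types = {}
    for line in config.splitlines():
        if m := ACL_RE.match(line):
            types.setdefault(m.group(1), set()).add(m.group(2))
    return types

def split_tunnel_lists(config: str) -> list:
    """Return (group-policy, ACL) pairs for every split-tunnel-network-list."""
    pairs, current = [], None
    for line in config.splitlines():
        if m := GP_RE.match(line):
            current = m.group(1)  # entering a "group-policy X attributes" block
        elif current and (m := LIST_RE.match(line)):
            pairs.append((current, m.group(1)))
    return pairs

def check_split_tunnel(config: str) -> list:
    """Flag group policies whose split-tunnel ACL is undefined or not standard."""
    types, findings = acl_types(config), []
    for gp, acl in split_tunnel_lists(config):
        kinds = types.get(acl)
        if kinds is None:
            findings.append(f"{gp}: ACL {acl} is not defined")
        elif kinds != {"standard"}:
            findings.append(f"{gp}: ACL {acl} is {'/'.join(sorted(kinds))}, expected standard")
    return findings
```

    Run it against the output of `show running-config` saved to a file; an empty result means every split-tunnel list is a defined standard ACL.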


    Author Comment

    Thank you for the reply. I will test this weekend and get back to you.

    Author Closing Comment

    In the ASDM I went to the split tunnel section of the AnyConnect policy and created a new standard ACL as you suggested, and that did the trick. Thanks!
