Cisco ASA 5505 Split Tunnel Multiple Networks Not Working

I have an ASA 5505 and cannot get Internet access for VPN users.

Config Layout is specified below.

ASA -- Core Switch
Below is my config.

ip local pool REMOTE
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
description To Core Switch
nameif inside
security-level 100
ip address
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
ftp mode passive
object network INSIDE_SUBNET
object network VPN_Clients
object-group icmp-type ALLOW_ICMP
icmp-object echo-reply
icmp-object unreachable
icmp-object traceroute
icmp-object time-exceeded
object-group network RemoteVPN_LocalNet
access-list INBOUND extended permit icmp any any object-group ALLOW_ICMP
access-list SPLIT_TUNNEL remark The corp network behind ASA
access-list SPLIT_TUNNEL extended permit ip object-group RemoteVPN_LocalNet
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static INSIDE_SUBNET INSIDE_SUBNET destination static INSIDE_SUBNET INSIDE_SUBNET no-proxy-arp route-lookup
nat (inside,outside) source static RemoteVPN_LocalNet RemoteVPN_LocalNet destination static VPN_Clients VPN_Clients
object network INSIDE_SUBNET
nat (inside,outside) dynamic interface
access-group INBOUND in interface outside
route inside 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES128-SHA1 esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES128-SHA1 mode transport
crypto ipsec ikev1 transform-set ESP-AES256-SHA1 esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES256-SHA1 mode transport
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map REMOTE 10000 set ikev1 transform-set ESP-AES256-SHA1 ESP-AES128-SHA1
crypto map OUTSIDE_MAP 10000 ipsec-isakmp dynamic REMOTE
crypto map OUTSIDE_MAP interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 1000
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 2000
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 3000
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy EMPLOYEES_L2TP_IPSEC internal
group-policy EMPLOYEES_L2TP_IPSEC attributes
dns-server value
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT_TUNNEL
tunnel-group DefaultRAGroup general-attributes
address-pool REMOTE
default-group-policy EMPLOYEES_L2TP_IPSEC
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous

Do you mean that when remote VPN users are connected, they cannot access Internet sites any more, but access to resources through the VPN works OK? Then, when they disconnect from the VPN, they can again access the Internet?

Are all the internal network devices in 10.5.1/24? The split tunnel access list and route internal network statements don't quite align.

Within the AnyConnect client, have you ticked the box "allow local (LAN) access when using VPN"? It's within the settings area (the cog icon next to the graph icon, lower left side in 3.1).

Please capture output from "show vpn- detail any" on the ASA when you have a user session up, to verify that the expected group policy is being called.
Pete Long (Technical Consultant) commented:
This appears not to be required:

access-list SPLIT_TUNNEL extended permit ip object-group RemoteVPN_LocalNet

Add the following, then remove it:

access-list SPLIT_TUNNEL extended permit ip object-group RemoteVPN_LocalNet any
no access-list SPLIT_TUNNEL extended permit ip object-group RemoteVPN_LocalNet

gustavomor (Author) commented:
I am using native Windows/Mac VPN client and not the AnyConnect application.

Yes, VPN users can access internal resources but lose connectivity to the Internet when connected to the VPN.

Once a user disconnects from the VPN they regain access to the Internet.

Internal users are on the network.

The split tunnel access list is so users can use their local internet connection instead of the internet connection in HQ office.

My understanding was that a split tunnel ACL needed to be created and applied on the group policy.

Pete Long (Technical Consultant) commented:
Your split tunnel ACL should allow the networks protected behind the ASA to any.

Cisco ASA - Enable Split Tunnel for IPSEC / SSLVPN / WEBVPN Clients

gustavomor (Author) commented:
I do not have access to ASDM, so I do all configuration from the CLI.

I followed that tutorial with the CLI option, but no success.

The object-group network VPNRemote_LocalNet includes all my internal networks, which are , and I have applied the ACL against the allowed object network group.

I am not sure what I am missing as everything looks fine based on all online research I have done.
Your configuration looks to be more or less correct. I suspect this problem is due to client behaviour.

In the native Mac VPN client, there is an option "send all traffic over VPN connection" under the "Advanced" button for the PPTP and L2TP over IPsec types. There does not appear to be such an option for the Cisco IPsec type. This option should be cleared to allow access to the local network when the VPN is connected. I don't have access to Windows at the moment but presume there must be a similar option there.

In testing, the native Mac PPTP VPN setting will work with the AnyConnect configuration on the ASA, but the "allow access to local" option seems to have no effect: either set or cleared, I was able to access VPN services and go direct to the Internet while the VPN was connected. With Cisco's AnyConnect VPN client, it all works as expected.
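Two points in this thread decide whether a remote user keeps Internet access: Pete Long's rule that each split-tunnel ACL entry must go from the protected networks "to any", and pgolding00's observation that a client with "send all traffic over VPN" set ignores the split-tunnel list altogether. The script below is an added example, not code from the thread or from Cisco: it parses a small constructed ASA configuration fragment (the object-group, ACL and group-policy names are taken from the asker's config, the 10.5.x.0/24 addresses and the public test address are constructed placeholders), lints the split-tunnel definition for the mistakes discussed above, and then shows, for a given destination, whether a client in split or full-tunnel mode would send the packet through the tunnel or out its local interface.

```python
import ipaddress
import re

# Constructed sample config (names from the thread, addresses are placeholders),
# written the way the thread says it should end up: ACL entries end in "any".
GOOD_CONFIG = """\
object-group network RemoteVPN_LocalNet
 network-object 10.5.1.0 255.255.255.0
 network-object 10.5.2.0 255.255.255.0
access-list SPLIT_TUNNEL remark The corp network behind ASA
access-list SPLIT_TUNNEL extended permit ip object-group RemoteVPN_LocalNet any
group-policy EMPLOYEES_L2TP_IPSEC attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
"""

# Same fragment, but the ACL entry is missing its destination, as first posted.
BAD_CONFIG = GOOD_CONFIG.replace("object-group RemoteVPN_LocalNet any",
                                 "object-group RemoteVPN_LocalNet")

# One "permit ip" ACL entry: source is an object-group or a network/mask pair,
# destination (if present) is whatever follows.
ACL_RE = re.compile(
    r"^access-list (?P<acl>\S+) extended permit ip "
    r"(?:object-group (?P<grp>\S+)|(?P<net>\d+\.\d+\.\d+\.\d+) (?P<mask>\d+\.\d+\.\d+\.\d+))"
    r"(?: (?P<dst>.*))?$"
)


def parse_object_groups(config):
    """Map each 'object-group network' name to its list of ip_network members."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object-group network (\S+)", line)
        if m:
            current = m.group(1)
            groups[current] = []
            continue
        m = re.match(r"\s+network-object (\S+) (\S+)", line)
        if m and current:
            groups[current].append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
            continue
        if line and not line.startswith(" "):
            current = None  # left the object-group block
    return groups


def split_tunnel_settings(config):
    """Return (split-tunnel-policy, ACL name) from the group-policy attributes."""
    policy, acl_name = None, None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("split-tunnel-policy "):
            policy = s.split()[-1]
        elif s.startswith("split-tunnel-network-list value "):
            acl_name = s.split()[-1]
    return policy, acl_name


def lint_split_tunnel(config):
    """Flag the split-tunnel mistakes discussed in the thread; empty list means OK."""
    warnings = []
    groups = parse_object_groups(config)
    policy, acl_name = split_tunnel_settings(config)
    if policy != "tunnelspecified":
        warnings.append(f"split-tunnel-policy is {policy!r}, expected 'tunnelspecified'")
    if acl_name is None:
        warnings.append("no split-tunnel-network-list configured")
        return warnings
    entries = [m for m in map(ACL_RE.match, config.splitlines()) if m and m["acl"] == acl_name]
    if not entries:
        warnings.append(f"ACL {acl_name} has no 'permit ip' entries")
    for e in entries:
        src = e["grp"] or e["net"]
        if e["grp"] and e["grp"] not in groups:
            warnings.append(f"ACL {acl_name} references unknown object-group {e['grp']}")
        if e["dst"] != "any":
            warnings.append(f"ACL {acl_name} entry for {src} should end in 'any', got {e['dst']!r}")
    return warnings


def split_tunnel_networks(config):
    """Expand the split-tunnel ACL into the list of networks the client will tunnel."""
    groups = parse_object_groups(config)
    _, acl_name = split_tunnel_settings(config)
    nets = []
    for m in map(ACL_RE.match, config.splitlines()):
        if not (m and m["acl"] == acl_name):
            continue
        if m["grp"]:
            nets.extend(groups.get(m["grp"], []))
        else:
            nets.append(ipaddress.ip_network(f"{m['net']}/{m['mask']}"))
    return nets


def route_for(dst, networks, send_all_traffic):
    """Model the client's choice: full-tunnel mode ignores the split list entirely."""
    if send_all_traffic:
        return "tunnel"
    addr = ipaddress.ip_address(dst)
    return "tunnel" if any(addr in n for n in networks) else "local"


if __name__ == "__main__":
    nets = split_tunnel_networks(GOOD_CONFIG)
    print("lint (good):", lint_split_tunnel(GOOD_CONFIG))
    print("lint (bad): ", lint_split_tunnel(BAD_CONFIG))
    for dst in ("10.5.1.20", "198.51.100.7"):
        for full in (False, True):
            print(f"{dst} full_tunnel={full}: {route_for(dst, nets, full)}")
```

Running it shows the asker's symptom as a routing decision: with the client's "send all traffic" option set, even the public address is returned as "tunnel", so the remote user's web traffic goes to the ASA, which has no NAT for the VPN pool and drops it; with the option cleared, only the 10.5.x.0/24 destinations are tunneled and everything else leaves the local interface.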

gustavomor (Author) commented:
I had the "send all traffic" option on the native Mac VPN checked; when I unchecked the box it worked automatically. Thanks pgolding00.

On Windows machines you need to have the *Use default gateway on remote network* box unchecked. This is found under the Advanced tab of the TCP/IP properties for the VPN client: select VPN Client > Properties > Networking > Internet Protocol TCP/IP > Properties > Advanced and clear the check box.

I had been working on this for a week already with no success until your suggestions.

Thanks everyone for helping me figure this out. My config was right all along, except for these options in the native VPN client on the machines (Windows and Mac).
gustavomor (Author) commented:
Quick response to question with very clear and concise information.