Split Tunnelling

From Internetworkpro

This page is currently in progress and is not completed
This page or section provides device configuration instructions
Please note that the information on this page has not been checked for accuracy and is not intended as a replacement to documentation. Please ensure you understand your desired objectives before attempting to apply any examples listed.

(Temporary page author note - I am (sartan) creating this page because I personally find split tunnelling and its implementation to be cumbersome and confusing; I always mix up configuration 'direction' with crypto on both IOS and ASA platforms. The best way to learn is by teaching, so I am creating this page.)



Overall practice

"Full" tunnel

  (Insert diagram here)

"Split tunnel"

  (Insert diagram here)

Real world scenarios

SOHO file and print sharing

Office VPN, user ISP Internet

Internet access from protected LAN

Security issues

Because a split tunnel leaves the end client connected to untrusted third-party networks at the same time as it is connected to the corporate network, some corporations opt to disable split tunnelling on the end client altogether.

Common Elements

Most implementations manipulate the host routing table: the VPN client installs routes for the protected networks that point at the tunnel, so traffic to those destinations is encrypted, while all other destinations continue to follow the host's existing routes and are sent unencrypted.
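The following is an added example, not configuration from the page or from any vendor: a small model of the host routing table showing how longest-prefix matching decides which destinations are encrypted under a split tunnel versus a full tunnel. The protected networks, interface names and addresses are constructed for illustration.

```python
"""Model of how a VPN client's pushed routes decide, per destination,
whether traffic is sent through the tunnel (encrypted) or directly.

Added example: the networks, interface names and addresses below are
constructed and do not come from any real deployment."""
import ipaddress

TUNNEL_IFACE = "tun0"   # assumed name of the VPN adapter
DEFAULT_IFACE = "eth0"  # assumed name of the host's normal adapter

# Constructed list of protected ("encrypt") networks pushed by the VPN server.
SPLIT_NETWORKS = ["10.0.0.0/8", "172.16.0.0/12"]


def build_table(split_networks, full_tunnel=False):
    """Return an ordered list of (network, interface) routes.

    Split tunnel: one route per protected network via the tunnel; the
    host's own default route stays in place for everything else.
    Full tunnel: the client additionally installs its own default route
    via the tunnel, so every destination is encrypted."""
    table = [(ipaddress.ip_network("0.0.0.0/0"), DEFAULT_IFACE)]
    if full_tunnel:
        table.append((ipaddress.ip_network("0.0.0.0/0"), TUNNEL_IFACE))
    for net in split_networks:
        table.append((ipaddress.ip_network(net), TUNNEL_IFACE))
    return table


def lookup(table, dest):
    """Longest-prefix match. On equal prefix length the later-installed
    route wins, which models the client overriding the host default."""
    addr = ipaddress.ip_address(dest)
    best = None
    for order, (net, iface) in enumerate(table):
        if addr in net and (best is None or (net.prefixlen, order) > best[0]):
            best = ((net.prefixlen, order), iface)
    return best[1]


def classify(dests, full_tunnel=False):
    """Map each destination to 'tunnel' (encrypted) or 'direct'.
    Any 'direct' result is traffic the corporate side never sees, which
    is the exposure that leads some sites to forbid split tunnelling."""
    table = build_table(SPLIT_NETWORKS, full_tunnel=full_tunnel)
    return {d: "tunnel" if lookup(table, d) == TUNNEL_IFACE else "direct"
            for d in dests}


if __name__ == "__main__":
    sample = ["10.1.2.3", "203.0.113.10", "172.31.0.9"]  # constructed
    print("split:", classify(sample))
    print("full: ", classify(sample, full_tunnel=True))
```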

IOS

Troubleshooting

Cisco Fat VPN Client

Cisco SSL VPN Client

ASA

ScreenOS

Put simply, ScreenOS does not support split tunnelling. Client-initiated software VPN on the ScreenOS platform only supports a single subnet, and there is no mechanism to push a split tunnel configuration to the host.
