Cisco Systems CL-28826-01 Security Camera User Manual
33-71
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 33 Configuring Policy Objects for Remote Access VPNs
Add or Edit User Group Dialog Box
Split tunneling lets a remote client conditionally direct packets over an IPsec or SSL VPN tunnel in
encrypted form or to a network interface in clear text form. With split tunneling enabled, packets not
bound for destinations on the other side of the tunnel do not have to be encrypted, sent across the tunnel,
decrypted, and then routed to a final destination. The split tunneling policy is applied to specific
networks.
Tip: For optimum security, we recommend that you not enable split tunneling.
Navigation Path
Select Full Tunnel > Split Tunneling from the table of contents in the Add or Edit User Group Dialog
Box, page 33-58.
Field Reference
Table 33-54 User Group Dialog Box—Split Tunneling Settings

Element: Tunnel Option
Description: Whether to allow split tunneling and, if so, which traffic should be
secured or transmitted unencrypted across the public network:
    Disabled—(Default) No traffic goes in the clear or to any other
    destination than the gateway. Remote users reach networks through
    the corporate network and do not have access to local networks.
    Tunnel Specified Traffic—Tunnel all traffic from or to the
    addresses listed in the Destinations field. Traffic to all other
    addresses travels in the clear and is routed by the remote user's
    Internet service provider.
    Exclude Specified Traffic—Traffic goes in the clear from and to the
    addresses listed in the Destinations field. This is useful for remote
    users who want to access devices on their local network, such as
    printers, while they are connected to the corporate network through
    a tunnel.

Element: Destinations
Description: The IP addresses for hosts or networks that identify the networks that
require traffic to travel across the tunnel and those that do not require
tunneling. Whether traffic to these addresses is encrypted and tunneled
to the gateway, or sent in the clear, is determined by your selection for
Tunnel Option.
Enter network addresses such as 10.100.10.0/24 or host addresses such
as 10.100.10.12. You can also enter the name of a network/host policy
object, or click Select to select the object from a list or to create a new
object. Separate multiple addresses with commas.

Element: Exclude Local LANs
Description: Whether to exclude local LANs from the encrypted tunnel. This option
is available only if you selected the Exclude Specified Traffic tunnel
option. By selecting this option, you do not have to enter local LAN
addresses into the Destinations field to allow users to communicate with
systems (such as printers) that are attached to their LAN.
When selected, this attribute prevents a non-split-tunneling connection
from accessing the local subnetwork at the same time as the client.
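The following is an added example, not code from Cisco Security Manager or the user guide: a small evaluator that models the three Tunnel Option values, the Destinations field and the Exclude Local LANs flag described above, and decides for a given destination address whether a client packet travels through the encrypted tunnel or in the clear. It is useful for reasoning about how much traffic a proposed policy leaves unencrypted before it is pushed to devices. The class and function names, the `local_lan` input and the sample addresses are assumptions made for this example; policy-object names in the Destinations field are not resolved here.

```python
"""Split-tunneling policy evaluator (added example, not Cisco Security Manager code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Tunnel Option values as they appear in the dialog (names taken from the page).
DISABLED = "Disabled"
TUNNEL_SPECIFIED = "Tunnel Specified Traffic"
EXCLUDE_SPECIFIED = "Exclude Specified Traffic"


def parse_destinations(text: str) -> list:
    """Parse the comma-separated Destinations field.

    Accepts network addresses such as 10.100.10.0/24 and host addresses such
    as 10.100.10.12 (a bare host becomes a /32). Policy-object names would
    need a lookup against the object store, which this example does not model.
    """
    nets = []
    for item in text.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


@dataclass
class SplitTunnelPolicy:
    """One user group's split-tunneling settings (hypothetical class)."""
    tunnel_option: str = DISABLED
    destinations: list = field(default_factory=list)
    exclude_local_lans: bool = False

    def __post_init__(self) -> None:
        if self.tunnel_option not in (DISABLED, TUNNEL_SPECIFIED, EXCLUDE_SPECIFIED):
            raise ValueError(f"unknown tunnel option: {self.tunnel_option!r}")
        # The dialog offers Exclude Local LANs only with Exclude Specified Traffic.
        if self.exclude_local_lans and self.tunnel_option != EXCLUDE_SPECIFIED:
            raise ValueError("Exclude Local LANs requires Exclude Specified Traffic")

    def _listed(self, addr) -> bool:
        return any(addr in net for net in self.destinations)

    def route(self, dst: str, local_lan: Optional[str] = None) -> str:
        """Return 'tunnel' or 'clear' for a packet sent to dst.

        local_lan is the subnet the client is attached to (assumed input; a
        real client learns it from its interface configuration).
        """
        addr = ipaddress.ip_address(dst)
        if self.tunnel_option == DISABLED:
            return "tunnel"  # everything goes to the gateway, no local access
        if self.tunnel_option == TUNNEL_SPECIFIED:
            return "tunnel" if self._listed(addr) else "clear"
        # Exclude Specified Traffic: listed destinations bypass the tunnel
        if self._listed(addr):
            return "clear"
        if self.exclude_local_lans and local_lan is not None:
            if addr in ipaddress.ip_network(local_lan, strict=False):
                return "clear"
        return "tunnel"


def clear_text_destinations(policy: SplitTunnelPolicy, candidates: Iterable[str],
                            local_lan: Optional[str] = None) -> List[str]:
    """Audit helper: which of the candidate addresses would be reached unencrypted."""
    return [d for d in candidates if policy.route(d, local_lan) == "clear"]


if __name__ == "__main__":
    # Constructed sample policy: tunnel only the corporate subnet and one host.
    policy = SplitTunnelPolicy(TUNNEL_SPECIFIED,
                               parse_destinations("10.100.10.0/24, 10.100.10.12"))
    for dst in ("10.100.10.7", "10.100.10.12", "8.8.8.8"):
        print(dst, "->", policy.route(dst))
    print("in the clear:", clear_text_destinations(policy, ["10.100.10.12", "1.1.1.1"]))
```

Running the audit helper against the address ranges users are expected to reach makes the cost of each option concrete: with Disabled nothing is listed, with Tunnel Specified Traffic everything outside the Destinations field is listed, and with Exclude Specified Traffic only the listed networks (plus the local LAN when that flag is set) appear.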