ASA - split-tunnel-policy command

When configuring a VPN on a Cisco ASA device, the split-tunnel-policy command can be used to specify which traffic will be encrypted and tunneled, and which traffic will be sent in the clear, when deploying a split-tunneling scenario for remote users.

The command syntax is the following:

split-tunnel-policy { tunnelall | tunnelspecified | excludespecified }

The keywords shown behave as follows:

  • tunnelall - This keyword specifies that no traffic goes in the clear or to any other destination than the ASA. Remote users reach Internet networks through the corporate network and do not have access to local networks.
  • tunnelspecified - This keyword tunnels all traffic from or to the specified networks. This option enables split tunneling. It lets you create a network list of addresses to tunnel. Data to all other addresses travels in the clear, and is routed by the remote user’s Internet service provider.
  • excludespecified - This keyword defines a list of networks to which traffic goes in the clear. This feature is useful for remote users who want to access devices on their local network, such as printers, while they are connected to the corporate network through a tunnel.
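As an added configuration example (not from the original note or the linked pages), here are the three policies applied to separate AnyConnect group policies on the ASA; the group-policy, ACL and tunnel-group names and the 10.10.0.0/16 and 192.168.1.0/24 networks are assumed for illustration:

```cisco
! Assumed example networks: 10.10.0.0/16 is the corporate LAN, 192.168.1.0/24 a user's home LAN.
! Both split policies reference a split-tunnel-network-list ACL, but its meaning inverts:
! under tunnelspecified the listed networks are the ONLY ones tunneled,
! under excludespecified the listed networks are the ONLY ones sent in the clear.

! Policy 1: tunnel only the corporate networks (tunnelspecified).
access-list SPLIT_CORP standard permit 10.10.0.0 255.255.0.0
group-policy GP_SPLIT_CORP internal
group-policy GP_SPLIT_CORP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_CORP

! Policy 2: tunnel everything except the user's local LAN (excludespecified).
access-list SPLIT_LOCAL_LAN standard permit 192.168.1.0 255.255.255.0
group-policy GP_EXCLUDE_LOCAL internal
group-policy GP_EXCLUDE_LOCAL attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value SPLIT_LOCAL_LAN

! Policy 3: full tunnel; no network list is needed because nothing goes in the clear.
group-policy GP_FULL_TUNNEL internal
group-policy GP_FULL_TUNNEL attributes
 split-tunnel-policy tunnelall

! Bind one of the policies to the remote-access tunnel group (assumed name).
tunnel-group RA_VPN type remote-access
tunnel-group RA_VPN general-attributes
 default-group-policy GP_SPLIT_CORP

! Verify which policy and network list the ASA will push to clients:
! show running-config group-policy GP_SPLIT_CORP
```

Under tunnelspecified the client's Internet-bound traffic never crosses the corporate path, so it is not seen by whatever inspection or logging sits there; under excludespecified the ACL is what bounds how much of the client's local network stays reachable, so keep it to the specific local subnet rather than a broad range.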

Links:

https://forum.networklessons.com/t/cisco-asa-anyconnect-remote-access-vpn/833/140?u=lagapidis

https://networklessons.com/cisco/asa-firewall/cisco-asa-anyconnect-remote-access-vpn/

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/S/asa-command-ref-S/so-st-commands.html#wp2812200138