Split-Tunnel vs. Local LAN Access Tidbit

In this tidbit I want to cover split-tunneling and local lan access by providing an overview of each & how they differ. First off split-tunneling and local lan access are two separate things. Here is a quick breakdown of each:

  • Split-tunneling: allows you to specifically configure what traffic is sent over the vpn tunnel, and what traffic is unencrypted and sent over internet via local network gateway. With some concern that introduces security risks.

  • Local Lan Access: is a hybrid solution that tunnels all traffic over VPN (encrypted), but local network access is allowed & unencrypted. Note though that the local network access is restricted to that subnet only. Essentially once configured & allowed, "Allow local LAN access" automatically detects and permits the local LAN connectivity, while tunneling & securing everything else.

A very high level example of each from ASA CLI would look like this:

Local lan cli config example:
group-policy LOCAL_LAN_GP attributes
split-tunnel-policy excludespecified
split-tunnel-network-list value <standard acl name>

split tunnel cli config example:
 group-policy SPLIT_TUNNEL_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value <acl name>
 split-tunnel-all-dns disable

A high level example of each from ASDM perspective:

ASDM Group Policy config to allow local lan access:

ASDM Group Policy config to allow split-tunneling:


Overview of each from AnyConnect GUI perspective:

AnyConnect perspective when allowing local lan access:

AnyConnect perspective when allowing split-tunneling:

AnyConnect no local lan access or split tunneling allowed (tunnel & encrypt everything over VPN):


See more VPN related topics via tags or tabs. Cheers!

0 comments

Recent Posts

See All

In this tidbit I want to cover some high level notes on general trustsec items as well as some good-to-knows. A brief overview of what trustsec is: TrustSec provides scalable access controls by uniqu

In this tidbit I will cover some ESA nice-to-know CLI commands & their purposes: > status = view counters/gauges; counters are a total of various events in the system; gauges show current utilization