I don't find a way to set up split tunneling.

I basically need to use VPN to access certain websites behind a firewall and not to use VPN for anything not in the firewall. With Cisco AnyConnect Secure Mobility Client, I can either use the VPN or not use it. I don't see a way to set for what domains and IP addresses to use VPN and for what domains and IP addresses not to use VPN.

It seems that my Cisco AnyConnect Secure Mobility Client is a customized version by my administrator (I am not quite sure. Can an administrator customize the software so that it will disable split tunneling?)

In that case, is there no way to set up split tunneling on Mac OS X while the VPN is on?

user1424739
  • Here are some examples, which can be helpful - https://documentation.meraki.com/MX/Client_VPN/Configuring_Split_Tunnel_Client_VPN – batistuta09 Aug 20 '19 at 14:01
  • I can't see a similar screenshot of Mac OS X on the webpage that you showed. There is nothing called "Client VPN" on my System Preferences > Network. – user1424739 Aug 20 '19 at 16:10
  • Your VPN connection can have a different name. Connect to VPN and check networks – batistuta09 Aug 21 '19 at 13:07

1 Answer

You will need to talk to your network administrator. The split tunneling feature is configured on the security appliance (Cisco ASA presumably), not on the AnyConnect client side.

When you are connected to the VPN, Cisco AnyConnect chooses to either (a) route all your traffic through the tunnel, or (b) split only traffic destined for networks on the other end of the tunnel.

There is an AnyConnect option on the client side to "Allow Local LAN Access", but this only allows your computer to see other devices, such as printers and whatnot, on your LAN (but not beyond).

Unless your network admin(s) want to create a custom connection for you with split tunneling, all traffic normally routed to your internet gateway will be sent through the tunnel. The rationale is that your network admins can filter / protect your web traffic to reduce an attack vector, versus allowing you to connect insecurely to the internet at large while at the same time being connected as a remote node to the secure corp network. This creates a serious security vulnerability.

pmagwood
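To see which of the two modes described in the answer, (a) or (b), the administrator has pushed to a Mac, the IPv4 routing table printed by `netstat -rn -f inet` can be inspected while the VPN is connected. The script below is an added example, not part of the original answer or of any Cisco tooling. It assumes the tunnel appears as a `utunN` interface, and the two routing tables in it are constructed samples.

```python
import re

# Constructed samples of `netstat -rn -f inet` output on macOS (not real captures).
FULL_TUNNEL = """\
Destination        Gateway            Flags        Netif Expire
default            10.8.0.1           UGSc         utun2
default            192.168.1.1        UGScI          en0
10.8.0/24          10.8.0.5           UGSc         utun2
192.168.1          link#6             UCS            en0
"""

SPLIT_TUNNEL = """\
Destination        Gateway            Flags        Netif Expire
default            192.168.1.1        UGSc           en0
10.20/16           10.8.0.1           UGSc         utun2
172.16.5/24        10.8.0.1           UGSc         utun2
192.168.1          link#6             UCS            en0
"""

def parse_routes(text):
    """Yield (destination, flags, interface) for each route line."""
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] == "Destination":
            continue  # skip headers and blank lines
        yield cols[0], cols[2], cols[3]

def classify(text, tunnel_re=r"^utun\d+$"):
    """Return (mode, tunnel destinations); tunnel_re is an assumed interface pattern."""
    tunnel = [(d, f) for d, f, i in parse_routes(text) if re.match(tunnel_re, i)]
    if not tunnel:
        return "no-tunnel", []
    dests = sorted({d for d, _ in tunnel})
    # Full tunnel: the primary default route (no 'I' interface-scoped flag)
    # is on the tunnel, or the 0/1 + 128.0/1 pair covers all of IPv4.
    primary_default = any(d == "default" and "I" not in f for d, f in tunnel)
    halves = {"0/1", "128.0/1"} <= set(dests)
    mode = "full-tunnel" if primary_default or halves else "split-tunnel"
    return mode, dests

if __name__ == "__main__":
    for name, table in (("sample A", FULL_TUNNEL), ("sample B", SPLIT_TUNNEL)):
        mode, dests = classify(table)
        print(f"{name}: {mode}; routes via tunnel: {', '.join(dests)}")
```

On a real machine, pass the captured output of `netstat -rn -f inet` to `classify()` in place of the samples.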