As shown in the figure below, the split-tunnel policy mode is set in the attributes of the remote-access VPN group policy. Cisco supports three modes: excludespecified (the listed networks are kept out of the tunnel), tunnelall (everything goes through the tunnel), and tunnelspecified (only the listed networks go through the tunnel). A group policy holds exactly one of these modes; the three cannot be combined on the same group policy.

[Figure: group-policy attributes dialog showing the split-tunnel policy setting]
      
The main differences between the three modes:

1) excludespecified is mainly used to allow access to the client's local network (Allow Local Network Access). Traffic to the corporate network and to the Internet still goes through the VPN tunnel; only the listed (local) networks bypass it. Configuration example: Allow Local LAN Access for VPN Clients Configuration Example

2) tunnelall sends all traffic (corporate network and Internet alike) through the VPN tunnel; the client's local network cannot be reached. This is the default.

3) tunnelspecified allows access to the client's local network and to the Internet directly; only traffic to the listed corporate networks goes through the VPN tunnel. Configuration example: Allow Split Tunneling for VPN Clients on the ASA Configuration Example

Cisco's own description of the three modes follows.

The excludespecified keyword defines a list of networks to which traffic goes in the clear. This feature is useful for remote users who want to access devices on their local network, such as printers, while they are connected to the corporate network through a tunnel. This option applies only to the Cisco VPN client.

The tunnelall keyword specifies that no traffic goes in the clear or to any other destination than the security appliance. This, in effect, disables split tunneling. Remote users reach Internet networks through the corporate network and do not have access to local networks. This is the default option.

The tunnelspecified keyword tunnels all traffic from or to the specified networks. This option enables split tunneling. It lets you create a network list of addresses to tunnel. Data to all other addresses travels in the clear and is routed by the remote user's Internet service provider.
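To make the three modes above (and the numbered comparison earlier) concrete, here is an added example that is not part of the original post and not Cisco's code. It parses the standard-ACL and group-policy lines of a constructed ASA configuration fragment and answers, for a given destination, whether the VPN client sends the packet through the tunnel or in the clear. The group-policy names (GP_TUNNELALL, GP_TUNNELSPECIFIED, GP_EXCLUDESPECIFIED), the ACL names, all addresses, and the treatment of `host 0.0.0.0` as "the client's own local subnet" (the convention used in Cisco's local-LAN-access example) are assumptions made for illustration.

```python
"""Decision model for the three Cisco ASA split-tunnel-policy modes.

Added example, not code from the original post or from Cisco: it parses the
standard-ACL and group-policy lines of a constructed ASA configuration and
answers, for one destination, whether the VPN client sends it through the
tunnel or in the clear. Group-policy and ACL names and all addresses below
are illustrative assumptions.
"""
import ipaddress
import re

# Constructed configuration: one group policy per split-tunnel mode.
# 'split-tunnel-policy' is a single-valued attribute, so a group policy holds
# exactly one mode; re-entering the command replaces the previous value.
ASA_CONFIG = """\
access-list SPLIT_TUNNEL_ACL standard permit 10.0.0.0 255.0.0.0
access-list SPLIT_TUNNEL_ACL standard permit 172.16.0.0 255.240.0.0
access-list LOCAL_LAN_ACL standard permit host 0.0.0.0
group-policy GP_TUNNELALL internal
group-policy GP_TUNNELALL attributes
 split-tunnel-policy tunnelall
group-policy GP_TUNNELSPECIFIED internal
group-policy GP_TUNNELSPECIFIED attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL_ACL
group-policy GP_EXCLUDESPECIFIED internal
group-policy GP_EXCLUDESPECIFIED attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value LOCAL_LAN_ACL
"""

MODES = ("tunnelall", "tunnelspecified", "excludespecified")
ACL_RE = re.compile(r"^access-list (\S+) standard permit (?:host (\S+)|(\S+) (\S+))$")
GP_ATTR_RE = re.compile(r"^group-policy (\S+) attributes$")
POLICY_RE = re.compile(r"^split-tunnel-policy (\S+)$")
NETLIST_RE = re.compile(r"^split-tunnel-network-list value (\S+)$")

# Cisco's local-LAN-access example lists 'host 0.0.0.0'; the VPN client treats
# that entry as the client's own local subnet. Modelled here as an assumption:
# the subnet is supplied to is_tunneled() via client_local_lan.
LOCAL_LAN_WILDCARD = ipaddress.ip_network("0.0.0.0/32")


def parse_config(text):
    """Return ({acl_name: [networks]}, {gp_name: {'policy': mode, 'list': acl}})."""
    acls, policies, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            name, host, net, mask = m.groups()
            entry = ipaddress.ip_network(f"{host}/32" if host else f"{net}/{mask}", strict=False)
            acls.setdefault(name, []).append(entry)
            continue
        m = GP_ATTR_RE.match(line)
        if m:  # the indented lines that follow belong to this group policy
            current = policies.setdefault(m.group(1), {"policy": None, "list": None})
            continue
        if line.startswith("group-policy "):  # e.g. 'group-policy X internal'
            current = None
            continue
        if current is None:
            continue
        m = POLICY_RE.match(line)
        if m:
            if m.group(1) not in MODES:
                raise ValueError(f"unknown split-tunnel-policy {m.group(1)}")
            current["policy"] = m.group(1)  # last value wins, as on the ASA
            continue
        m = NETLIST_RE.match(line)
        if m:
            current["list"] = m.group(1)
    return acls, policies


def is_tunneled(acls, policies, group_policy, dst, client_local_lan=None):
    """True if traffic from the client to dst enters the VPN tunnel."""
    gp = policies[group_policy]
    mode = gp["policy"] or "tunnelall"  # tunnelall is the ASA default
    if mode == "tunnelall":
        return True  # no split tunneling: Internet and local LAN are tunneled too
    dst = ipaddress.ip_address(dst)
    local = ipaddress.ip_network(client_local_lan) if client_local_lan else None

    def listed(net):
        if net == LOCAL_LAN_WILDCARD:
            return local is not None and dst in local
        return dst in net

    hit = any(listed(n) for n in acls.get(gp["list"], []))
    if mode == "tunnelspecified":
        return hit      # only the listed networks are tunneled
    return not hit      # excludespecified: the listed networks bypass the tunnel


def decision_table(text, destinations, client_local_lan):
    """Map (group_policy, dst) -> 'tunnel' or 'clear' for every policy in text."""
    acls, policies = parse_config(text)
    table = {}
    for gp in policies:
        for dst in destinations:
            tunneled = is_tunneled(acls, policies, gp, dst, client_local_lan)
            table[(gp, dst)] = "tunnel" if tunneled else "clear"
    return table


if __name__ == "__main__":
    dests = ("10.1.2.3", "8.8.8.8", "192.168.1.10")  # corporate, Internet, local LAN
    for (gp, dst), verdict in decision_table(ASA_CONFIG, dests, "192.168.1.0/24").items():
        print(f"{gp:22} {dst:14} {verdict}")
```

Running it prints one row per (group policy, destination) pair: under tunnelall every destination is tunneled; under tunnelspecified only 10.1.2.3 is; under excludespecified only the local-LAN host 192.168.1.10 goes in the clear. The `client_local_lan` argument is what makes the `host 0.0.0.0` entry meaningful, since the ASA cannot know each remote user's home subnet in advance.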