Cisco Defense Orchestrator

Split Tunneling for RA VPN Users (Hair Pinning)

This article describes split tunneling for RA VPN.

Typically, in a remote access VPN, you might want the VPN users to access the Internet through your device. However, you can allow your VPN users to access an outside network while they are connected to an RA VPN. This technique is called split tunneling or hair pinning. The split tunnel allows VPN connectivity to a remote network across a secure tunnel, and it also allows connectivity to a network outside the VPN tunnel. Split tunneling reduces the network load on the FTD devices and increases the bandwidth on the outside interface.

To configure a split-tunnel list, you must create a Standard Access List or an Extended Access List. Follow the instructions in the "How to Provide Internet Access on the Outside Interface for Remote Access VPN Users (Hair Pinning)" section of the Virtual Private Networks (VPN) chapter of the Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager for the version your device is running.
