Cisco ASA: Split-tunneling

According to Cisco, split tunneling defines which subnets' traffic will be encrypted.
In reality it defines how traffic to different subnets is routed: it changes the client's routing table once the client is connected.

Let’s say your corporate network uses the following IP space:
192.168.8.0/24
192.168.9.0/24
192.168.10.0/24
192.168.0.0/24 – VPN subnet

There are three split-tunneling options:
1. Tunnel specified subnets:

# split-tunnel-policy tunnelspecified
# split-tunnel-network-list value Split_Tunnel_List

# access-list Split_Tunnel_List standard permit 192.168.8.0 255.255.255.0
# access-list Split_Tunnel_List standard permit 192.168.9.0 255.255.255.0
# access-list Split_Tunnel_List standard permit 192.168.10.0 255.255.255.0

# access-list NONAT extended permit ip 192.168.8.0 255.255.255.0 192.168.0.0 255.255.255.0
# access-list NONAT extended permit ip 192.168.9.0 255.255.255.0 192.168.0.0 255.255.255.0
# access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0

In post-8.2 versions (8.3 and later) the last three lines are replaced with:

# object network obj-192.168.0.0-vpn
#  subnet 192.168.0.0 255.255.255.0
# object network obj-192.168.8.0-vpn
#  subnet 192.168.8.0 255.255.255.0
# object network obj-192.168.9.0-vpn
#  subnet 192.168.9.0 255.255.255.0
# object network obj-192.168.10.0-vpn
#  subnet 192.168.10.0 255.255.255.0
# nat (inside,outside) source static obj-192.168.8.0-vpn obj-192.168.8.0-vpn destination static obj-192.168.0.0-vpn obj-192.168.0.0-vpn
# nat (inside,outside) source static obj-192.168.9.0-vpn obj-192.168.9.0-vpn destination static obj-192.168.0.0-vpn obj-192.168.0.0-vpn
# nat (inside,outside) source static obj-192.168.10.0-vpn obj-192.168.10.0-vpn destination static obj-192.168.0.0-vpn obj-192.168.0.0-vpn

2. Tunnel all traffic (everything, including communication with hosts on the Internet, is routed through the corporate network):

# split-tunnel-policy tunnelall

# same-security-traffic permit intra-interface
(allows traffic to enter and leave the same outside interface, which is what Internet-bound VPN client traffic does)

# nat (outside) 1 192.168.0.0 255.255.255.0
(where 1 matches the corresponding global statement)

In post-8.2 versions (8.3 and later) the last line is replaced with:

# object network obj-192.168.0.0-vpn
#  subnet 192.168.0.0 255.255.255.0
# nat (outside,outside) source dynamic obj-192.168.0.0-vpn interface
# nat (outside,inside) source static obj-192.168.0.0-vpn obj-192.168.0.0-vpn

3. Exclude specified subnets from tunneling (traffic to the listed subnets bypasses the tunnel; everything else is tunneled):

# split-tunnel-policy excludespecified
# split-tunnel-network-list value Split_Tunnel_List
<…>

This configuration is part of the Remote Access VPN setup.
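As an added example (not from the original post), the following Python script models the client-side routing decision that each of the three policies produces: it parses split-tunnel-policy, split-tunnel-network-list and standard access-list lines in the form shown above and reports whether a given destination is sent through the tunnel. The group-policy name RA_GP and the sample configuration text are constructed for the example.

```python
import ipaddress
import re

# Constructed sample: option 1 from the post as it would appear in
# "show running-config" (group-policy name RA_GP is hypothetical).
SAMPLE_CONFIG = """
group-policy RA_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
access-list Split_Tunnel_List standard permit 192.168.8.0 255.255.255.0
access-list Split_Tunnel_List standard permit 192.168.9.0 255.255.255.0
access-list Split_Tunnel_List standard permit 192.168.10.0 255.255.255.0
"""

# Standard ACL entry: access-list <name> standard permit <addr> <mask>
ACL_RE = re.compile(r"^access-list (\S+) standard permit (\S+) (\S+)$")

def parse_split_tunnel(config):
    """Return (policy, networks) where networks is the referenced ACL."""
    policy, acl_name, acls = None, None, {}
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("split-tunnel-policy "):
            policy = line.split()[1]
        elif line.startswith("split-tunnel-network-list value "):
            acl_name = line.split()[-1]
        else:
            m = ACL_RE.match(line)
            if m:
                name, addr, mask = m.groups()
                acls.setdefault(name, []).append(ipaddress.ip_network(f"{addr}/{mask}"))
    if policy is None:
        raise ValueError("no split-tunnel-policy found")
    return policy, acls.get(acl_name, [])

def is_tunneled(policy, networks, dest):
    """Model the route the client installs: True if dest goes via the VPN."""
    ip = ipaddress.ip_address(dest)
    matched = any(ip in net for net in networks)
    if policy == "tunnelall":          # everything through the corporate network
        return True
    if policy == "tunnelspecified":    # only the listed subnets
        return matched
    if policy == "excludespecified":   # everything except the listed subnets
        return not matched
    raise ValueError(f"unknown split-tunnel-policy {policy}")

if __name__ == "__main__":
    pol, nets = parse_split_tunnel(SAMPLE_CONFIG)
    for d in ("192.168.9.25", "8.8.8.8"):
        print(d, "tunneled" if is_tunneled(pol, nets, d) else "direct")
```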