There have been so many questions about how to configure split tunneling on PIX, so right to the point:

Internal Network :: 10.0.4.0/24

VPN Pool :: 10.1.4.0/24

The config goes here:

access-list nonat permit ip 10.0.4.0 255.255.255.0 10.1.4.0 255.255.255.0

access-list split permit ip 10.0.4.0 255.255.255.0 10.1.4.0 255.255.255.0

nat (inside) 0 access-list nonat

vpngroup <GroupName> split-tunnel split

These lines go into the respective nat and vpngroup sections of the configuration. The question is: why two access-lists, ‘nonat’ and ‘split’?

Cisco recommends doing it that way; otherwise, problems have been found at times.
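
A check for the two-ACL layout above, added here as an example and not taken from the original post or from Cisco: it parses only the statement forms shown on this page, flags a malformed netmask, an access-list that is referenced but not defined, and one access-list reused for both nat 0 and split-tunnel. The group name GROUPNAME, the sample configs and the function names are assumptions made for the example.

```python
import ipaddress
import re

# Constructed samples: GOOD is the page's config with a placeholder group name;
# BAD reuses one ACL for both roles and carries a malformed netmask.
GOOD = """\
access-list nonat permit ip 10.0.4.0 255.255.255.0 10.1.4.0 255.255.255.0
access-list split permit ip 10.0.4.0 255.255.255.0 10.1.4.0 255.255.255.0
nat (inside) 0 access-list nonat
vpngroup GROUPNAME split-tunnel split
"""
BAD = """\
access-list nonat permit ip 10.0.4.0 255.255.255.0 10.1.4.0 255.255.255.00
nat (inside) 0 access-list nonat
vpngroup GROUPNAME split-tunnel nonat
"""

# Only the statement forms used on the page are recognised; other lines are skipped.
ACL = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0 = re.compile(r"^nat\s*\(\S+\) 0 access-list (\S+)$")
SPLIT = re.compile(r"^vpngroup \S+ split-tunnel (\S+)$")

def valid_mask(mask):
    """True for a canonical dotted-decimal mask with contiguous one bits."""
    parts = mask.split(".")
    if len(parts) != 4 or any(not p.isdecimal() or str(int(p)) != p or int(p) > 255 for p in parts):
        return False
    return "01" not in "".join(f"{int(p):08b}" for p in parts)

def check_split_tunnel(config):
    """Return findings about the nat 0 / split-tunnel ACL pair in config text."""
    defined, nat0, split, findings = set(), set(), set(), []
    for n, line in enumerate(config.splitlines(), 1):
        line = line.strip()
        if m := ACL.match(line):
            defined.add(m.group(1))
            for addr, mask in (m.group(2, 3), m.group(4, 5)):
                if not valid_mask(mask):
                    findings.append(f"line {n}: invalid netmask {mask}")
                    continue
                try:
                    ipaddress.ip_network(f"{addr}/{mask}")
                except ValueError:
                    findings.append(f"line {n}: invalid network {addr} {mask}")
        elif m := NAT0.match(line):
            nat0.add(m.group(1))
        elif m := SPLIT.match(line):
            split.add(m.group(1))
    for name in sorted((nat0 | split) - defined):
        findings.append(f"access-list {name} is referenced but not defined")
    for name in sorted(nat0 & split):
        findings.append(f"access-list {name} is used for both nat 0 and split-tunnel")
    return findings
```
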