11-20-2013 01:39 PM - edited 03-11-2019 08:07 PM
This is a 2 part question...
How many split tunnel VPN's can a ASA5510 handle?
What are the necessary commands/steps to setting one up?
I have not done this in a while and I want to make sure I don't mess it up.
thanks
11-20-2013 01:52 PM
Configuration on the ASA is based on memory, not amount, but the limit of ACEs within a split tunnel is the following:
There is a restriction with the number of entries in an ACL used for split tunnel. It is recommended not to use more than 50-60 ACE entries for satisfactory functionality. You are advised to implement the subnetting feature to cover a range of IP addresses.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080975e83.shtml
Look at the next video:
http://tools.cisco.com/squish/653799
11-20-2013 01:56 PM
apologies this is for a business to business split tunnel vpn.
should have said that to begin with...
11-20-2013 02:06 PM
In that case I would just remove the "sysopt connection permit VPN" from the ASA and configure ACL on the interface where the tunnel terminates to filter out the traffic.
That would be my suggestion
11-21-2013 12:25 PM
Okay, but this doesn't cover all the commands to configure or set up the peer to peer, correct?
11-21-2013 12:58 PM
If you remove the sysopt connection permit VPN, traffic that is related to VPN needs to be filtered through a normal ACL and access-group on the interface where you configure the tunnel.
How to configure the ASA for LAN to LAN IPSec:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080950890.shtml
Most Common L2L and Remote Access IPsec VPN Troubleshooting Solutions
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml
Value our effort and rate the assistance!
11-21-2013 10:28 PM
Use a VPN-Filter then, where you could even match port information.
Regards
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
11-21-2013 11:39 PM
I am not sure I follow exactly what you want to do. Do you just want to set up split tunneling plain and simple, or do you want split VPN as well as restricting access to resources on your network?
Setting up split tunneling is basically done by defining the interesting traffic which is to be encrypted on a L2L setup. Here is a sample of how it would be set up on an ASA running version 8.3 or higher.
! Interesting traffic: only LOCAL_LAN <-> REMOTE_LAN is encrypted (this is the "split")
access-list cryptoACL extended permit ip 10.10.10.0 255.255.255.0 11.11.11.0 255.255.255.0
! Phase 2 proposal
crypto ipsec ikev1 transform-set SET esp-aes esp-sha-hmac
! Crypto map entry: match the ACL, point at the peer, bind the transform set
! <PEER_IP> is a placeholder for the remote peer's public address
crypto map MAP 5 match address cryptoACL
crypto map MAP 5 set peer <PEER_IP>
crypto map MAP 5 set ikev1 transform-set SET
crypto map MAP interface outside
! Phase 1 (IKEv1) policy
crypto ikev1 enable outside
crypto ikev1 policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 2
! L2L tunnel group keyed on the peer address
! <PRE_SHARED_KEY> is a placeholder for the shared secret agreed with the peer
tunnel-group <PEER_IP> type ipsec-l2l
tunnel-group <PEER_IP> ipsec-attributes
 ikev1 pre-shared-key <PRE_SHARED_KEY>
! Identity NAT (8.3+ syntax) so VPN traffic is not translated on its way out
object network LOCAL_LAN
 subnet 10.10.10.0 255.255.255.0
object network REMOTE_LAN
 subnet 11.11.11.0 255.255.255.0
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN REMOTE_LAN
If you want to do VPN filtering then we would need to add some more commands to this.
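As an added example that is not part of any post above, here is the VPN-filter approach the earlier replies mention, layered on the sample L2L configuration: it restricts what the remote side can reach over the tunnel without removing "sysopt connection permit-vpn". It assumes the same LOCAL_LAN (10.10.10.0/24) and REMOTE_LAN (11.11.11.0/24), the placeholder peer address <PEER_IP>, and a group-policy name (B2B_FILTER_GP), ACL name (B2B_VPN_FILTER) and local host addresses that are my own.

```cisco
! Added example: VPN filter for the L2L tunnel (names, hosts and ports are assumptions)
!
! A vpn-filter ACL is written from the REMOTE side's point of view:
!   source      = remote network (what comes in through the tunnel)
!   destination = local network
! The ASA applies it to both directions of the tunnel, so one ACE written this way
! also permits the matching return traffic.
!
! Remote network may open HTTPS to a local web server only
access-list B2B_VPN_FILTER extended permit tcp 11.11.11.0 255.255.255.0 host 10.10.10.25 eq 443
! Local network may open SQL (TCP/1433) to one remote host; for locally initiated
! sessions the remote port is written as the SOURCE port of the remote host
access-list B2B_VPN_FILTER extended permit tcp host 11.11.11.40 eq 1433 10.10.10.0 255.255.255.0
! Explicit deny with logging: the implicit deny would drop the rest silently,
! logging it gives you visibility into what the partner side is trying to reach
access-list B2B_VPN_FILTER extended deny ip any any log
!
! Attach the filter through a group-policy ...
group-policy B2B_FILTER_GP internal
group-policy B2B_FILTER_GP attributes
 vpn-filter value B2B_VPN_FILTER
!
! ... and make that the default policy of the L2L tunnel group from the sample
tunnel-group <PEER_IP> general-attributes
 default-group-policy B2B_FILTER_GP
```

Two points worth checking after applying this: "show run sysopt" confirms whether "sysopt connection permit-vpn" is still in effect (the vpn-filter is enforced either way, but with it removed the outside interface ACL is enforced in addition), and "show vpn-sessiondb l2l" plus the ACL hit counts in "show access-list B2B_VPN_FILTER" confirm that the filter is actually being applied to the tunnel.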