Writing an ACL for split tunneling

shikamarunara
Level 4

Hello,

I am using a Cisco 2610 as an internet router for my home office.  I've configured VPN on it so that I can tunnel traffic to it from outside.  I've been using it for years; it works like a champ.  Now, I would like to change the ACL on the ISAKMP client configuration to do something that seems counterintuitive but is really kind of straightforward.  I've always used split tunneling as a technique for using a remote site's internet connection while being able to access my home office's resources.  Now I would like to do the reverse: access the internet through the home office's network but still be able to access the remote site's systems without engaging the VPN tunnel.  For lack of a better term, I might call this a reverse split tunnel.

So far, I'm able to route all of my traffic through the VPN interface by either deleting the ACL (which is not practical) or specifying:

access-list 108 permit ip any any

But this is also too broad because it tells my VPN interface to route everything.  I would like to route ALMOST everything except for a list of subnets at the remote site.  Can this be done?

2 Replies

Simon Brooks
Level 1

Not sure of the command line syntax, but in ASDM, under the group policy and in the split tunnel section, you can define an ACL and say DON'T tunnel these networks. Just add your private address ranges into the ACL.

Sent from Cisco Technical Support Android App

This is what I reasoned as well, but it doesn't work.

access-list 108 deny ip 7.0.0.0 0.255.255.255 11.1.1.0 0.0.0.255 (this should disable routing to the 7 network with the VPN tunnel terminated at 11X)

access-list 108 permit ip any any (this should allow the rest through)
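One way to express "tunnel everything except these subnets" without relying on a deny entry is to enumerate the complement of the excluded ranges as permit entries. The script below is an added example, not from this thread or from Cisco; it assumes that the ACL referenced by the ISAKMP client configuration group contributes only its permit entries to the client's split-tunnel list (the IOS Easy VPN behaviour), and it uses the poster's 7.0.0.0/8 as the constructed excluded range.

```python
"""Build an IOS split-tunnel ACL that tunnels everything EXCEPT a few subnets.

Added example (not from the original thread).  Assumption: only the permit
entries of the ACL named under the ISAKMP client configuration group are
pushed to the client as tunneled networks, so an exclusion has to be written
as the set of permit entries covering every other address.
"""
import ipaddress
from typing import Iterable, List


def complement_networks(excluded: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Return the minimal CIDR blocks covering all IPv4 space except the
    given subnets.  Overlapping or duplicate exclusions are handled."""
    remaining = [ipaddress.IPv4Network("0.0.0.0/0")]
    for raw in excluded:
        exc = ipaddress.IPv4Network(raw, strict=False)
        carved = []
        for block in remaining:
            if block.subnet_of(exc):
                # block lies entirely inside an exclusion: drop it
                continue
            if exc.subnet_of(block):
                # carve the excluded range out of this block
                carved.extend(block.address_exclude(exc))
            else:
                carved.append(block)
        remaining = carved
    # merge adjacent blocks so the ACL stays as short as possible
    return list(ipaddress.collapse_addresses(remaining))


def split_tunnel_acl(acl_number: int, excluded: Iterable[str]) -> List[str]:
    """Render one 'access-list N permit ip <net> <wildcard> any' per block;
    IOS wildcard masks are the inverted netmask, i.e. the host mask."""
    return [
        f"access-list {acl_number} permit ip {net.network_address} {net.hostmask} any"
        for net in complement_networks(excluded)
    ]


if __name__ == "__main__":
    # constructed input: keep the poster's 7.0.0.0/8 remote-site range off the tunnel
    for line in split_tunnel_acl(108, ["7.0.0.0/8"]):
        print(line)
```

Excluding a single /8 yields eight permit entries (a /1 through a /8); each additional unrelated exclusion adds a few more, so check the rendered list length before pasting it into the router.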
