cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
861
Views
0
Helpful
4
Replies

Cisco ASA site to site vpn - reconfigure split tunnel to full tunnel

AntWrig
Level 1
Level 1

Hello all, 

I require some assistance in converting a split tunnel site to site connection to a full tunnel. I have read multiple posts, articles etc. From what I gather I need to set the crypto acl to source (Local Lan) and destination ANY. Is this correct? At the HQ side it should be the opposite (Local Lan) destination correct? 

 

It should be noted that the remote site is currently using DYNAMIC natting when accessing the internet. I know there are some configuration changes that need to be made to NAT on the HQ firewall correct? What exactly needs to be modified? I would post configs but the HQ firewall is so cluttered it would be very hard to pull out any relevant configuration information from the show run.  

 

Oh and also, regarding the term "crypto acl", I am going to assume that means the crypto map? 

 

Thanks for all your help. 

4 Replies 4

Richard Burts
Hall of Fame
Hall of Fame

Regarding the term crypto acl yes that does refer to the acl used in the crypto map.

 

If you want to change the remote site to full tunnel, you would need to change its crypto acl to permit any as the destination. And you would need to remove any configured address translation (since all translation will now occur at HQ). At HQ you would need to make corresponding changes in its crypto acl. You would need to configure address translation for all traffic with source address in the remote LAN. And you would need to be sure that there is a permit same security level intra interface.

 

HTH

 

Rick

HTH

Rick


@Richard Burts wrote:

Regarding the term crypto acl yes that does refer to the acl used in the crypto map.

 

If you want to change the remote site to full tunnel, you would need to change its crypto acl to permit any as the destination. And you would need to remove any configured address translation (since all translation will now occur at HQ). At HQ you would need to make corresponding changes in its crypto acl. You would need to configure address translation for all traffic with source address in the remote LAN. And you would need to be sure that there is a permit same security level intra interface.

 

HTH

 

Rick


I appreciate the response, so to recap:

Remote Office: 

- Change crypto acl to permit any as the destination

- Remove configured address translation

Home Office: 
- Change crypto acl to permit any as the destination

- Configure address translation

- Add permit same security level intra interface

 

Looks good? 

 

Almost right. For Home Office the crypto acl destination is remote LAN and source is any. And in doing the address translation be sure that traffic with remote LAN as source is translated but any traffic with remote LAN as destination is not transmitted.

 

HTH

 

Rick

HTH

Rick

I forgot to mention that all HQ/HO office traffic is filtered through two proxies. I am looking at the NAT rules on the HQ/HO and  Remote Office firewalls and all I see are: 

 

HQ/HO

nat (outside,outside) source static NETWORK_OBJ_1.1.1.0_24 NETWORK_OBJ_1.1.1.0_24 destination static ALPHA-NET-Outside ALPHA-NET-Outside no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_1.1.1.0_24 NETWORK_OBJ_1.1.1.0_24 destination static ALPHA-Net-inside ALPHA-Net-inside no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_1.1.1.240_31 NETWORK_OBJ_1.1.1.240_31 no-proxy-arp route-lookup

 

Remote Office: 

global (outside) 1 5.5.5.198- 5.5.5.206 netmask 255.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 ALPHA-NET-inside-new 255.255.255.192
nat (inside) 1 ALPHA-Net-inside 255.255.255.0
static (inside,outside) tcp interface 52311 2.2.2.2 52311 netmask 255.255.255.255
static (inside,outside) ALPHA-rous ALPHA-rous netmask 255.255.255.255
static (inside,outside) ALPHA-outside-197 ALPHA-asg netmask 255.255.255.255

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: