
Disabling Split Tunneling in L2L

Steven Tolzmann
Level 1

Hello everyone,

Until now, my company has used Split Tunneling for all of our VPN uses; however, we recently purchased 2 ASA5505s for use at various jobsites, and have been running into problems with Local Network Administrators blocking certain traffic that we need to operate. They allow full VPN connectivity to traverse their networks, so we are able to use our LAN Resources over the split tunnel no problem.

We have it set up as a Dynamic L2L Connection, and this ASA is operating flawlessly minus the traffic being blocked upstream by the network admin. Our VPN topology is Hub & Spoke. Below are excerpts from our config on how the VPN is set up:

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.101.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
access-list to_hq extended permit ip 192.168.101.0 255.255.255.0 192.168.0.0 255.255.0.0
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 10 match address to_hq
crypto map outside_map 10 set peer *
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
tunnel-group * type ipsec-l2l
tunnel-group * ipsec-attributes
 pre-shared-key *

What we'd like to achieve is being able to pass ALL traffic (LAN & Internet) through the VPN tunnel, then be processed by the Hub ASA (192.168.9.1) on the other end. I am guessing crypto map + routing would have to be changed?

  • access-list to_hq extended permit ip 192.168.101.0 255.255.255.0 0.0.0.0 0.0.0.0
  • route inside 0.0.0.0 0.0.0.0 192.168.9.1
  • Disable NAT on Spoke

Is this how I would go about doing this? We need ip address dhcp setroute so our ASA can find the other end and form the VPN tunnel, and I am not sure how this would affect things.

Here is NAT + Routing on the Hub ASA:

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.9.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address * 255.255.255.248
!
access-list nonat extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
!
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 * 1

Your help is greatly appreciated!!

Accepted Solution

Atul Singh
Level 1

Hi Steven,

You don't need "route inside 0.0.0.0 0.0.0.0 192.168.9.1" to make it work. You can retain dhcp setroute. The routes of tunneled traffic are needed just to find the egress interface. Other assumptions are correct.

Apart from this, you need to PAT the remote n/w traffic on the HUB ASA so that the remote n/w can talk to the internet.

nat (outside) 1 192.168.101.0 255.255.255.0
!
same-security-traffic permit intra-interface
!

-Atul

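As an added example (not code from the post, from Cisco, or from either participant), here is a small Python audit script that reads ASA config excerpts like the ones above as plain text and checks the two things this thread turns on: whether the spoke's crypto ACL still leaves a split tunnel (some destinations not covered by a permit entry of the ACL referenced by the crypto map's match address), and whether the hub has the outside-interface PAT and the intra-interface (hairpin) statement from the accepted answer. The config strings are constructed from the post, with the redacted `*` values left out; the address 203.0.113.10 is a documentation-range placeholder for "some Internet host". It assumes the pre-8.3 ASA NAT syntax shown in the post and that ASA ACL masks are subnet masks, not IOS-style wildcard masks.

```python
"""Audit ASA spoke/hub excerpts for split tunneling and hub hairpin readiness (added example)."""
import ipaddress
import re

# Constructed from the spoke config in the post (only the lines the audit reads).
SPOKE_SPLIT = """
access-list to_hq extended permit ip 192.168.101.0 255.255.255.0 192.168.0.0 255.255.0.0
crypto map outside_map 10 match address to_hq
crypto map outside_map interface outside
"""

# The same spoke with the crypto ACL widened to every destination, as the post proposes.
SPOKE_FULL = SPOKE_SPLIT.replace("192.168.0.0 255.255.0.0", "0.0.0.0 0.0.0.0")

# Constructed from the hub config in the post (pre-8.3 NAT syntax).
HUB_BEFORE = """
access-list nonat extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
"""

# The hub with the two lines from the accepted answer added.
HUB_AFTER = HUB_BEFORE + """
nat (outside) 1 192.168.101.0 255.255.255.0
same-security-traffic permit intra-interface
"""

ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.*)$")


def _net(tokens):
    """Consume one ASA address spec (any | host A | A MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ASA extended ACLs use real subnet masks here, so "0.0.0.0 0.0.0.0" is /0.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acls(config):
    """Map ACL name -> list of (action, proto, src_net, dst_net) for extended entries."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        name, action, proto, rest = m.groups()
        src, rest = _net(rest.split())
        dst, _ = _net(rest)
        acls.setdefault(name, []).append((action, proto, src, dst))
    return acls


def crypto_acl_names(config, crypto_map):
    """ACL names the given crypto map's entries use as 'match address'."""
    pattern = rf"^crypto map {re.escape(crypto_map)} \d+ match address (\S+)$"
    return re.findall(pattern, config, re.M)


def is_tunneled(config, crypto_map, src_ip, dst_ip):
    """True when the crypto ACL would select src->dst for encryption (first match wins)."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    acls = parse_acls(config)
    for name in crypto_acl_names(config, crypto_map):
        for action, _proto, src, dst in acls.get(name, []):
            if src_ip in src and dst_ip in dst:
                return action == "permit"
    return False


def split_tunneling(config, crypto_map):
    """True when no permit entry of the crypto ACL covers all destinations,
    so some LAN traffic leaves the spoke in the clear instead of via the tunnel."""
    acls = parse_acls(config)
    for name in crypto_acl_names(config, crypto_map):
        for action, _proto, _src, dst in acls.get(name, []):
            if action == "permit" and dst.prefixlen == 0:
                return False
    return True


def hub_ready_for_hairpin(config, spoke_net):
    """Hub prerequisites from the accepted answer: a non-identity 'nat (outside)' entry
    covering the spoke LAN with a matching 'global (outside)', plus intra-interface permit."""
    spoke_net = ipaddress.ip_network(spoke_net)
    hairpin = re.search(r"^same-security-traffic permit intra-interface$", config, re.M)
    pat_ok = False
    for m in re.finditer(r"^nat \(outside\) (\d+) (\S+) (\S+)$", config, re.M):
        nat_id, addr, mask = m.groups()
        if nat_id == "0":  # nat 0 is exemption, not PAT
            continue
        covered = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        has_global = re.search(rf"^global \(outside\) {nat_id} ", config, re.M)
        if spoke_net.subnet_of(covered) and has_global:
            pat_ok = True
    return bool(hairpin) and pat_ok


if __name__ == "__main__":
    for label, cfg in (("original spoke", SPOKE_SPLIT), ("proposed spoke", SPOKE_FULL)):
        print(f"{label}: split tunneling = {split_tunneling(cfg, 'outside_map')}, "
              f"Internet host tunneled = {is_tunneled(cfg, 'outside_map', '192.168.101.10', '203.0.113.10')}")
    for label, cfg in (("hub before", HUB_BEFORE), ("hub after", HUB_AFTER)):
        print(f"{label}: ready to hairpin 192.168.101.0/24 = {hub_ready_for_hairpin(cfg, '192.168.101.0/24')}")
```

The script deliberately does not look at routing: as the accepted answer notes, the crypto ACL decides what gets encrypted, and the default route from `dhcp setroute` only has to point the packet at the interface the crypto map is applied to. Run it on the two spoke variants to see the split tunnel disappear when the destination becomes 0.0.0.0/0, and on the two hub variants to see why the PAT and intra-interface lines are needed before tunneled Internet traffic can hairpin back out.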