Cisco Community
English
Register
Join the Webex special event conversation for a chance to win NEW Webex swag!
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
3046
Views
0
Helpful
1
Replies
Steven Tolzmann
Beginner
Beginner
‎07-26-2011 11:21 AM
‎07-26-2011 11:21 AM

Disabling Split Tunneling in L2L

Hello everyone,

Until now, my company has used Split Tunneling for all of our VPN uses, however we recently purchased 2 ASA5505s for use at various jobsites, and have been running into problems with Local Network Administrators blocking certain traffic that we need to operate. They allow full VPN connectivity to traverse their networks, so we are able to use our LAN Resources over the split tunnel no problem.

We have it set up as a Dynamic L2L Connection, and this ASA is operating flawlessly minus the traffic being blocked upstream by the network admin. Our VPN topolgy is Hub & Spoke. Below is excerpts from our config on how the VPN is set up:

interface Vlan1

nameif inside

security-level 100

ip address 192.168.101.1 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

access-list to_hq extended permit ip 192.168.101.0 255.255.255.0 192.168.0.0 255.255.0.0

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 10 match address to_hq

crypto map outside_map 10 set peer *

crypto map outside_map 10 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

tunnel-group * type ipsec-l2l

tunnel-group * ipsec-attributes

pre-shared-key *

What we'd like to achieve is being able to pass ALL traffic (LAN & Internet) through the VPN tunnel, then be processed by the Hub ASA (192.168.9.1) on the other end. I am guessing crypto map + routing would have to be changed?

  • access-list to_hq extended permit ip 192.168.101.0 255.255.255.0 0.0.0.0 0.0.0.0
  • route inside 0.0.0.0 0.0.0.0 192.168.9.1
  • Disable NAT on Spoke

Is this how I would go about doing this??? We need ip address dhcp setroute so our ASA can find the other end and form the VPN tunnel, and I am not sure how this would affect things.

Here is NAT + Routing on the Hub ASA:

interface Vlan1

nameif inside

security-level 100

ip address 192.168.9.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address * 255.255.255.248

access-list nonat extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 * 1

Your help is greatly appreciated!!

Labels:
0 Helpful
1 ACCEPTED SOLUTION

Accepted Solutions
Atul Singh
Beginner
Beginner
‎08-03-2011 03:46 PM
‎08-03-2011 03:46 PM

Hi Steven,

You don't need "route inside 0.0.0.0 0.0.0.0 192.168.9.1" to make it work. You can retain dhcp setroute. The routes of tunneled traffic are needed just to find the egress interface. Other assumptions are correct.

Apart from this, you need to PAT Remote n/w traffic on HUB ASA so that remote n/w can talk to internet.

nat (outside) 1 192.168.101.0 255.255.255.0

!

same-security-traffic permit intra-interface

!

-Atul

View solution in original post

0 Helpful
1 REPLY 1
Atul Singh
Beginner
Beginner
‎08-03-2011 03:46 PM
‎08-03-2011 03:46 PM

Hi Steven,

You don't need "route inside 0.0.0.0 0.0.0.0 192.168.9.1" to make it work. You can retain dhcp setroute. The routes of tunneled traffic are needed just to find the egress interface. Other assumptions are correct.

Apart from this, you need to PAT Remote n/w traffic on HUB ASA so that remote n/w can talk to internet.

nat (outside) 1 192.168.101.0 255.255.255.0

!

same-security-traffic permit intra-interface

!

-Atul

View solution in original post

0 Helpful
Latest Contents
Cisco Network Security Ask the Experts Resources
Created by vivichia on 06-10-2021 05:21 PM
0
0
0
0
Thanks for attending our Ask the Experts (ATXs) session! Here’s the post-session resources for easy reference. New to ATXs? An ATXs session, offered at no cost, is an hour of real-time learning led by Cisco experts, who will answer your technology q... view more
MGRE Easy Steps
Created by dhr.tech1 on 06-09-2021 04:09 PM
0
0
0
0
                                    Setup MGRE     &nbs... view more
Secure Endpoint Frequently Asked Questions
Created by E.L. Howard on 06-09-2021 10:39 AM
0
5
0
5
Upcoming sessions Cisco Secure Endpoint New packages fit for every organization Every Cisco Secure Endpoint (formerly AMP for Endpoints) package comes with Cisco SecureX built-in. It’s our cloud-native platform that integrates all your security solutions ... view more
#CiscoChat Live - Redefining NetWORK Security
Created by greghami on 06-09-2021 09:48 AM
0
0
0
0
Our Cisco experts and guests chat about how the integration of Cisco Secure Firewall + Secure Workload is securely accelerating application delivery by allowing NetOps to start running at DevOps speed, and what that means for business success. https://com... view more
#CiscoChat Live - Redefining NetWORK Security on Wednesday J...
Created by greghami on 06-09-2021 09:44 AM
1
10
1
10
Our Cisco experts and guests chat about how the integration of Cisco Secure Firewall + Secure Workload is securely accelerating application delivery by allowing NetOps to start running at DevOps speed, and what that means for business success.
Content for Community-Ad