05-29-2012 08:43 AM
Excluded Network List does not seem to be valid for hardware clients.
I need to do a site to site vpn with one side being dynamic ip'd and tunnel everything except a single destination. I am not able to find any information on this ... I can setup easy vpn and get it tunneling everything but I need to excluded a certain destination
05-29-2012 09:02 AM
HI Micheal,
You include the networks in the no-nat and split-tunnel ACL, so that your client tunnel will include only the networks you included in the no-nat ACL and split-tunnel ACL.
access-list no-nat extended permit ip 172.22.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list ezvpn1 extended permit ip 172.22.1.0 255.255.255.0 172.16.1.0 255.255.255.0
group-policy myGROUP internal
group-policy myGROUP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ezvpn1

MyASA#show crypto ipsec sa
interface: outside
    Crypto map tag: myDYN-MAP, seq num: 5, local addr: 10.20.20.1
      local ident (addr/mask/prot/port): (172.22.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
      current_peer: 10.10.10.1, username: cisco
      dynamic allocated peer ip: 0.0.0.0
Hope this helps.
thanks
Rizwan Rafeek
05-29-2012 09:05 AM
I need to tunnel everything except a specified destination.. maybe a route-map?? excluded-list does not work for a hardware client using easyvpn
Remote site, need to tunnel all internet traffic through VPN to HQ and route through web filter. However we have voip phones there that go elsewhere... ASA 5505 hardware client easy vpn back to HQ 5505
How would you design this ?
Example:
Remote Site 1 ->> internet --> HQ 5505 - all internet traffic needs to come here..
Remote Site 1 ->> internet ->> voip provider -- all sip traffic needs to go here.
There should be no local lan access.
05-29-2012 09:56 AM
In the no-nat acl and split-tunnel acl, you can add at very first lines to deny excluded the subnets or ip-hosts that you do not want to go via the tunnel and permit all ip ranges from 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.
Have you tried this, method?
Thanks
Rizwan Rafeek
05-29-2012 10:54 AM
rizwanr74
Yes I have, split tunnel ACLs do not accept deny; they are based on the source IP only. With ezvpn the configuration is pushed to the client device, however hardware clients do not allow local LAN access to be enabled and therefore are not using the excluded list.
05-29-2012 11:33 AM
Since you want to push everything into the tunnel, except a selected segment excluded from the tunnel, you do not need split-tunnel to begin with. Therefore you can include the deny lines for excluded subnets or hosts in the no-nat ACL alone.
What is included in the no-nat ACL (the permits) will be injected into the remote hardware client's tunnel, and likewise the denies in the ACL (i.e. no-nat) will be excluded from going into the tunnel from the remote hardware client.
I hope that makes sense.
Look forward to hearing from you.
Thanks
Rizwan Rafeek.
05-29-2012 11:35 AM
It does... I'll give it a shot..
access-list inside_nat0_outbound extended deny ip any host
nope, no go.
05-29-2012 12:57 PM
Have you tried on the hardware client a static route to push certain traffic to a specific IP address, instead of to the EasyVPN server's address?
05-29-2012 01:59 PM
deny in the no nat worked
06-04-2012 02:35 PM
Ok, so that didn't work actually.
The no nat does not work, and the site is a dynamic IP which doesn't allow me to configure a static route to the outside interface due to setroute. After doing some research I don't see EasyVPN allowing the no-nat to be pushed to the hardware client; it strictly relies on the split tunnel ACL.
any further assistance would be much appreciated
06-13-2012 07:05 AM
This was solved by not using Easy VPN, but instead using a dynamic VPN configuration.
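For readers landing here, this is an added illustration of the approach the last post names (a site-to-site tunnel with a dynamic crypto map on the hub) rather than the poster's own configuration. It assumes ASA 8.4+ syntax, a spoke LAN of 192.168.10.0/24, an HQ peer at 198.51.100.1 and a VoIP provider block of 203.0.113.0/24; all three values are placeholders.

```cisco
! ---- Spoke ASA 5505 (dynamic WAN address) ----
! Assumed addresses (placeholders): LAN 192.168.10.0/24, HQ 198.51.100.1, VoIP 203.0.113.0/24
object network SPOKE_LAN
 subnet 192.168.10.0 255.255.255.0
object network VOIP_PROVIDER
 subnet 203.0.113.0 255.255.255.0
! Crypto ACL: the deny line keeps the VoIP provider out of the tunnel, everything else is tunneled.
access-list VPN_TRAFFIC extended deny ip object SPOKE_LAN object VOIP_PROVIDER
access-list VPN_TRAFFIC extended permit ip object SPOKE_LAN any
! NAT: PAT only the excluded VoIP traffic to the outside address; identity NAT for the rest so it
! still matches the crypto ACL (manual NAT rules are evaluated in order, so the VoIP rule comes first).
nat (inside,outside) source dynamic SPOKE_LAN interface destination static VOIP_PROVIDER VOIP_PROVIDER
nat (inside,outside) source static SPOKE_LAN SPOKE_LAN
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
crypto ipsec ikev1 transform-set TS_AES esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set ikev1 transform-set TS_AES
crypto map OUTSIDE_MAP interface outside
crypto ikev1 enable outside
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key REPLACE_WITH_SHARED_SECRET
!
! ---- HQ ASA 5505 (static address) ----
! A dynamic crypto map accepts the spoke regardless of its current WAN address; the pre-shared key
! lives in DefaultL2LGroup because the peer address is unknown in advance. Hairpinning the spoke's
! internet traffic back out of the outside interface needs intra-interface traffic plus NAT.
same-security-traffic permit intra-interface
object network SPOKE_LAN
 subnet 192.168.10.0 255.255.255.0
 nat (outside,outside) dynamic interface
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
crypto ipsec ikev1 transform-set TS_AES esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN_MAP 10 set ikev1 transform-set TS_AES
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN_MAP
crypto map OUTSIDE_MAP interface outside
crypto ikev1 enable outside
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key REPLACE_WITH_SHARED_SECRET
```

On the hub, `show crypto ipsec sa` should then list a remote ident of 192.168.10.0/24 against a local ident of 0.0.0.0/0, and the VoIP destination should be absent from the spoke's SAs because the deny entry never proposes it.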