cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
766
Views
0
Helpful
1
Replies
Highlighted
Beginner

Ezvpn Remote Split Tunneling

   Hi can anyone help me? I have 881 router as an Ezvpn Remote, on server side split tunneling is enabled and I what to filter traffic on Remote Router, I want my remote clients to access only internal resources but don't want to touch default route,  some kind of access-list would be perfect.

here is my remote config:

crypto ipsec client ezvpn TEST
connect auto
group xxxx key xxxx
mode client
peer 81.x.x.x
username xxxx password xxxx
xauth userid mode local

interface FastEthernet4
ip address x.x.x.x
duplex auto
speed auto
crypto ipsec client ezvpn TEST

interface Vlan1
description To Wanex$ETH-WAN$
ip address 192.168.0.10 255.255.255.0
ip accounting output-packets
ip flow ingress
ip flow egress
ip virtual-reassembly
crypto ipsec client ezvpn TEST inside

Digomi881#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 8

Tunnel name : TEST
Inside interface list: Vlan1
Outside interface: FastEthernet4
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Address: 172.20.0.40 (applied on Loopback10000)
Mask: 255.255.255.255
DNS Primary: 10.1.28.10
Save Password: Allowed
Split Tunnel List: 1
       Address    : 10.1.200.2
       Mask       : 255.255.255.255
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Split Tunnel List: 2
       Address    : 10.1.29.0
       Mask       : 255.255.255.0
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Split Tunnel List: 3
       Address    : 10.1.31.0
       Mask       : 255.255.255.0
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Split Tunnel List: 4
       Address    : 10.1.28.14
       Mask       : 255.255.255.255
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Current EzVPN Peer: 81.x.x.x

Does anyone have idea how to solve this task?

thanks in advance

1 REPLY 1
Highlighted
Cisco Employee

Hi,

Two ways to do it

1. Use an ACL on 'interface VLAN1" on the Remote Router permitting what you want Users to access on the Corporate LAN.

    E.g. If the corporate LAN is 172.16.0.0/16 then something similar to below

                access-list 120 permit tcp any host 172.16.1.1

               

               access-list 120 deny ip any 172.16.0.0 0.0.255

               access-list 120 permit ip any any (To permit Internet Traffic)

2. The above needs to be done on each Remote Router, which could be a management issue if you have quite a few Remote Routers. You can also use an ACL on the Headend Router on the Inside LAN Interface and that could give you a centralized control.

Thanks,

Naman