Ezvpn Remote Split Tunneling

baxta2712
Level 1

Hi, can anyone help me? I have an 881 router as an EzVPN Remote. On the server side split tunneling is enabled, and I want to filter traffic on the remote router: I want my remote clients to access only internal resources, but I don't want to touch the default route. Some kind of access-list would be perfect.

here is my remote config:

crypto ipsec client ezvpn TEST
 connect auto
 group xxxx key xxxx
 mode client
 peer 81.x.x.x
 username xxxx password xxxx
 xauth userid mode local

interface FastEthernet4
 ip address x.x.x.x
 duplex auto
 speed auto
 crypto ipsec client ezvpn TEST

interface Vlan1
 description To Wanex$ETH-WAN$
 ip address 192.168.0.10 255.255.255.0
 ip accounting output-packets
 ip flow ingress
 ip flow egress
 ip virtual-reassembly
 crypto ipsec client ezvpn TEST inside

Digomi881#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 8

Tunnel name : TEST
Inside interface list: Vlan1
Outside interface: FastEthernet4
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Address: 172.20.0.40 (applied on Loopback10000)
Mask: 255.255.255.255
DNS Primary: 10.1.28.10
Save Password: Allowed
Split Tunnel List: 1
       Address    : 10.1.200.2
       Mask       : 255.255.255.255
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Split Tunnel List: 2
       Address    : 10.1.29.0
       Mask       : 255.255.255.0
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Split Tunnel List: 3
       Address    : 10.1.31.0
       Mask       : 255.255.255.0
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Split Tunnel List: 4
       Address    : 10.1.28.14
       Mask       : 255.255.255.255
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Current EzVPN Peer: 81.x.x.x

Does anyone have an idea how to solve this task?

Thanks in advance

1 Reply

mulatif
Cisco Employee

Hi,

Two ways to do it:

1. Use an ACL on 'interface Vlan1' on the Remote Router permitting what you want Users to access on the Corporate LAN.

    E.g. if the corporate LAN is 172.16.0.0/16, then something similar to the below:

                access-list 120 permit tcp any host 172.16.1.1
                access-list 120 deny ip any 172.16.0.0 0.0.255.255
                access-list 120 permit ip any any
                ! the final permit keeps Internet traffic (default route) untouched
                interface Vlan1
                 ip access-group 120 in

2. The above needs to be done on each Remote Router, which could be a management issue if you have quite a few Remote Routers. You can also use an ACL on the Headend Router on the Inside LAN Interface and that could give you a centralized control.

Thanks,

Naman
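A small first-match ACL evaluator, added here as an example and not part of the original thread, to check a remote-side policy of the kind Naman describes against the split-tunnel networks from the question before it is pushed to the 881. It assumes IOS first-match semantics with the implicit trailing deny; the permitted hosts, the LAN source 192.168.0.25 and the 8.8.8.8 Internet destination are constructed sample values, and port qualifiers are not modelled.

```python
import ipaddress

def _parse_addr(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # IOS wildcard: 0 bits must match, 1 bits are don't-care, so invert it to a netmask.
    mask = ipaddress.ip_address(int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network((addr, str(mask)), strict=False), tokens[2:]

def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC DST' lines; reject malformed ones."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        try:
            src, rest = _parse_addr(tok[4:])
            dst, _ = _parse_addr(rest)       # anything after DST (ports) is ignored
        except (ValueError, IndexError) as exc:
            # e.g. a truncated wildcard such as 0.0.255 is caught here, not on the router
            raise ValueError(f"bad ACL line {line!r}: {exc}") from exc
        rules.append((tok[2], tok[3], src, dst))
    return rules

def acl_decision(rules, proto, src_ip, dst_ip):
    """First match wins; no match falls through to the implicit 'deny ip any any'."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, rproto, rsrc, rdst in rules:
        if rproto in ("ip", proto) and s in rsrc and d in rdst:
            return action
    return "deny"

# Constructed policy for the 881's Vlan1 (applied with 'ip access-group 120 in'),
# built from the split-tunnel networks in the question: allow TCP to one host and
# all of 10.1.29.0/24, block the rest of 10.1.0.0/16, leave Internet traffic alone.
REMOTE_ACL = """
access-list 120 permit tcp any host 10.1.200.2
access-list 120 permit ip any 10.1.29.0 0.0.0.255
access-list 120 deny ip any 10.1.0.0 0.0.255.255
access-list 120 permit ip any any
"""

if __name__ == "__main__":
    rules = parse_acl(REMOTE_ACL)
    for proto, dst in [("tcp", "10.1.200.2"), ("udp", "10.1.200.2"),
                       ("tcp", "10.1.31.9"), ("tcp", "8.8.8.8")]:
        print(proto, dst, "->", acl_decision(rules, proto, "192.168.0.25", dst))
```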
