IOS VPN Local LAN access

shh5455
Level 3

It's been 7 years, is this functionality available in IOS yet?

https://supportforums.cisco.com/message/263861

Basically I'm connecting the Cisco VPN client to an IOS VPN. I want to tunnel everything except for a few local subnets. Kind of like split tunneling, except internet traffic goes across the VPN.

Thanks

14 Replies

Atri Basu
Cisco Employee

From what I understand you want to tunnel all traffic sourced from subnets a-b but you do not want any traffic sourced from subnets x-y to be tunneled. If this is correct then this is exactly what split tunneling does. As long as the traffic is matched by the access-list used in the split tunnel config it will be tunneled, otherwise it will not. You can find more information regarding configuring split tunneling at the following site:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800946b7.shtml#enablesplits

Thanks for the reply, but split tunneling specifies which routes are sent across the VPN. I basically want to do full tunneling but be able to specify which routes should not be secured and sent over the VPN. I want 0.0.0.0/0 to go across the VPN.

Steven

OK, you will still use split tunneling, but build your ACL according to what you want to go to the internet or the tunnel.

So, for example:

access-list 99 deny host 4.2.2.2
access-list 99 deny host 86.75.36.x
access-list 99 permit any

This ACL 99 (the split tunnel ACL) will send 4.2.2.2 & 86.75.36.x to the internet and the rest will be tunneled.

Also, you can use an extended ACL to qualify traffic according to TCP/UDP ports.

Manish

I have tried that but it doesn't seem to work. I changed it to a standard ACL to see if that would make a difference, but it didn't. I used:

Standard IP access list 99
10 deny 10.32.0.0, wildcard bits 0.0.255.255
20 deny 10.34.0.0, wildcard bits 0.0.255.255
30 deny 10.42.0.0, wildcard bits 0.0.255.255
40 deny 10.252.0.0, wildcard bits 0.0.255.255
50 permit any

When I look at the route details on the VPN client it shows nothing under Local LAN Routes and only 0.0.0.0 under Secured Routes.

OK, the above ACL means that you do not want traffic with destination IP address 10.32/34/42/252.0.0/16 to go into the tunnel, but the rest of the traffic, which includes internet or any other subnet, to go into the tunnel.

Manish

Yes! But it doesn't work as described above.

Hey Steven,

Split tunneling actually allows you to specify which packets to secure, which means that any packet matching the ACL will be secured. In your case, let's assume you want the 172.16.0.0/16 subnet to be encrypted while traffic from the 192.168.1.0/24 subnet is not to be encrypted; then your ACL would look like this:

access-list 108 permit ip 172.16.0.0 0.0.255.255 0.0.0.0 0.0.0.0

Regards,

Atri.

This is normal split tunneling where internet traffic is routed locally. I want it routed across the VPN.

Ahh... I understand your requirement better now and I see where your problem is. I don't think this is possible. Deny statements don't work with split-tunneling. Let me look around and see if there are any workarounds for this. 

Hey Steven,

As I said, deny statements don't work with split-ACLs; however, what you can do is reconstruct the split-ACL. Remove the denies and the "permit ip any any"; instead you'll have to permit the whole internet. To clarify, in your case it looks like you don't want to tunnel any traffic to the following subnets:

  1. 10.32.0.0/16
  2. 10.34.0.0/16
  3. 10.42.0.0/16
  4. 10.252.0.0/16

So in your case the split-ACL will have to include all other possible subnets. While this will make the ACL really long, this is the only way to go about doing this. The ACL can be shortened by using proper summarizations, e.g.

128.0.0.0 wildcard 127.255.255.255

Regards,

Atri.
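Working out the "permit everything except these subnets" split-ACL by hand is error-prone, so here is an added generator script (not from this thread or from Cisco) that computes the minimal set of summarized prefixes covering all of 0.0.0.0/0 minus the excluded local subnets and renders them in IOS wildcard-mask syntax. It assumes ACL number 108 from the earlier reply and uses Steven's four /16s as the exclusion list; the "source network, destination any" form follows the split-ACL example above.

```python
import ipaddress

# Added example: build the split-tunnel ACL that permits every destination
# except the local subnets, because deny lines in a split ACL are ignored.
# ACL 108 and the four /16s below are taken from the thread; the helper
# names are this script's own.

def complement_prefixes(excluded, space="0.0.0.0/0"):
    """Minimal list of prefixes covering `space` minus every prefix in `excluded`."""
    remaining = [ipaddress.ip_network(space)]
    for ex in (ipaddress.ip_network(e) for e in excluded):
        kept = []
        for net in remaining:
            if net.subnet_of(ex):       # net lies inside an excluded block: drop it
                continue
            if ex.subnet_of(net):       # excluded block lies inside net: carve it out
                kept.extend(net.address_exclude(ex))
            else:                       # disjoint prefixes: keep untouched
                kept.append(net)
        remaining = kept
    # merge sibling blocks into the largest summaries (e.g. 128.0.0.0/1)
    return sorted(ipaddress.collapse_addresses(remaining))

def split_tunnel_acl(excluded, acl_number=108):
    """Render permit lines in IOS syntax; the hostmask is the wildcard mask."""
    return [
        f"access-list {acl_number} permit ip {net.network_address} {net.hostmask} any"
        for net in complement_prefixes(excluded)
    ]

# Subnets that must stay on the local LAN (from Steven's post)
LOCAL_LAN = ["10.32.0.0/16", "10.34.0.0/16", "10.42.0.0/16", "10.252.0.0/16"]

if __name__ == "__main__":
    for line in split_tunnel_acl(LOCAL_LAN):
        print(line)
```

For the four /16s the script emits 24 permit lines, the last being the 128.0.0.0 wildcard 127.255.255.255 summary mentioned above.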

Ok, that's what I was afraid of. Was just hoping there was an "easy" way.

Thanks!

Thank you Atri, useful information that I wasn't aware of.

Manish

Hey Steven,

The problem here is that IOS devices weren't designed to be VPN headends, hence they aren't as easily configured as, say, an ASA or a VPN 3k. This could be done really easily on those devices using specific commands.

If the previous response answered all your questions could you please mark this question as answered as it will make it easier for others to find the response.


Regards,

Atri.