Need help setting up split tunneling

jsandau
Level 1

Here is the scenario. I have a Cisco 1811 router with VPN access. I am trying to set up the router so that I can access the network from outside. I can do that, but once I connect to the VPN I lose all internet connectivity. I've gathered that I need to set up split tunneling to do this, but I am unsure how to set up split tunneling from CCP or CLI.

Accepted Solution

Hi,

To configure split tunneling on a router.

access-list vpnacl permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

crypto isakmp client configuration group GROUPNAME

acl vpnacl

The above example assigns ACL vpnacl to the crypto group (to enable split tunneling).

So, only traffic between the internal LAN 10.1.1.0/24 and the VPN pool 10.2.2.0/24 will be encrypted (sent through the tunnel).

If this router is also doing NAT, then you need to exempt from NAT this same traffic.


Federico.


Ok, but what if the VPN and the internal network have the same IP range? It was set up so that computers connecting into the VPN will get an IP in the range of 10.11.100.50-10.11.100.99 (subnet mask 255.255.255.0) and the computers connecting through LAN will get an IP in the range of 10.11.100.100-10.11.100.255 (subnet mask 255.255.255.0).

Same idea applies.

For split tunneling, define the ACL this way.

access-list NAME permit ip 10.11.100.0 mask 10.11.100.0 mask

Normally you want to have the VPN pool part of a different subnet from the internal LAN.

Federico.
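To put Federico's two replies together, here is an added, constructed IOS configuration (not from this thread) showing the split-tunnel ACL, the crypto group that references it, and the NAT exemption he mentions; it assumes the LAN is 10.1.1.0/24 behind FastEthernet0, the VPN pool is a separate 10.2.2.0/24 as he recommends, the outside interface is FastEthernet1, and the group is named VPNGROUP (all of these names and addresses are assumptions).

```cisco
! Constructed example, not the router config from this thread.
! Assumed: LAN 10.1.1.0/24, VPN pool 10.2.2.0/24, outside interface FastEthernet1.
ip local pool VPNPOOL 10.2.2.1 10.2.2.254

! Split-tunnel ACL: only LAN <-> pool traffic is sent through the tunnel.
! Everything else leaves the client directly, so its internet access keeps working.
ip access-list extended SPLIT_TUNNEL
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255

! Assign the split-tunnel ACL and the pool to the client group.
crypto isakmp client configuration group VPNGROUP
 key <pre-shared-key-placeholder>
 pool VPNPOOL
 acl SPLIT_TUNNEL

! NAT exemption: deny LAN -> pool traffic in the NAT ACL so it is not translated
! before encryption; all other LAN traffic is still PATed to the outside address.
ip access-list extended NAT_TRAFFIC
 deny   ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 any

ip nat inside source list NAT_TRAFFIC interface FastEthernet1 overload

! Checks after a client connects:
!   show crypto ipsec sa      -> proxy identities should cover only 10.2.2.x <-> 10.1.1.0/24
!   show ip nat translations  -> no entries translating 10.1.1.x to reach 10.2.2.x
```

Because split tunneling lets the client's non-tunnelled traffic bypass the router's inspection, it is usually paired with a host firewall policy on the VPN client.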

Thanks. That was actually simpler than I had thought.

b.julin
Level 3

Are these RA tunnels or L2L? Sounds like RA.

In the L2L case split tunneling should happen by virtue of the rules set up on the client and ASA.

In the RA case you have to tell the RA client not to use the connection as a default route (for Windows, that means going into the IPv4 properties and unchecking a box to that effect).

What subnets will be routed depends on the classful mask of the assigned addresses. In this case, all of 10.x.x.x will be routed by the clients. Some clients can download a route list, but not several of the important ones (Vista, Win7). But for your purposes, routing all of 10.x.x.x might be just fine.

See here for gory details:

http://www.abrij.org/~bri/hw/splitp.html
