Split Tunnel with Site-to-Site IPSec VPN

Craddockc
Level 3

Community,


I'm trying to implement a split-tunnel situation where I only want traffic matching the ACL to be placed on the VPN (encryption domain), and any traffic not matching to be placed on the wire unencrypted. Now, I'm a little confused as to how the ACL operates on a crypto map. Does the crypto map take into account the source address in the ACL and then mark the traffic as matching? Or does it take into account both the source and destination? For example, in the following set up:


! Outside-facing interface; the crypto map is applied here
interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 no ip route-cache cef
 speed 100
 full-duplex
 crypto map My-Map
!
! IKE phase 1 policy and pre-shared key for the peer
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key MY-KEY address 10.10.10.2
!
! IPsec phase 2 transform set
crypto ipsec transform-set 3DESMD5 esp-3des esp-md5-hmac
!
! Crypto map entry: traffic permitted by ACL 100 is sent to the peer encrypted
crypto map My-Map 1 ipsec-isakmp
 description CLIENT1
 set peer 10.10.10.2
 set transform-set 3DESMD5
 match address 100
!
! Crypto ACL (encryption domain): source AND destination must match
access-list 100 permit ip host 172.16.1.1 host 192.168.1.1
access-list 100 permit ip host 192.168.1.1 host 172.16.1.1


In this set up I want only traffic from 172.16.1.1 destined for 192.168.1.1 to be placed on the tunnel, while all other traffic from 172.16.1.1 is just placed on the wire (simulating just going to the internet). What I'm noticing is that if the traffic doesn't match the source and destination it just gets dropped. I don't want the router to drop it, I just want it to forward it unencrypted. Is this possible?


Thanks.

2 Replies

Hi,

I do not see any problem so far (even though you do not need "access-list 100 permit ip host 192.168.1.1 host 172.16.1.1"). Could you provide more information on the overall configuration? Maybe the output of "sh run". We need to see how the rest of the traffic is supposed to route.

HTH,
Meheretab

Is the tunnel being established but traffic is not going over VPN?  I am thinking this is either an issue with the traffic being NATed and you don't have an identity NAT / no NAT statement or the remote side crypto map is not set up correctly.


--

Please remember to select a correct answer and rate helpful posts

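The following is an added illustration, not code from the original thread or from Cisco, of the two points raised above: a crypto ACL entry classifies a packet as "interesting" only when BOTH its source and destination match (the original question), and on IOS the inside-to-outside NAT translation is applied before the crypto map is evaluated, which is why the second reply asks about an identity / no-NAT statement. It models the thread's addresses (172.16.1.1 behind the router, 192.168.1.1 behind the peer, 10.10.10.1 as the router's outside address); the Internet host 203.0.113.10, the ACE/outbound helper names and the overloaded-NAT assumption are constructed for the example. The wildcard-mask matcher is general, so it also handles subnet entries rather than only the host entries in the post.

```python
import ipaddress
from dataclasses import dataclass

# Added example: a small model of how an IOS crypto map ACL classifies
# outbound traffic. Not Cisco code; address names are from the thread, the
# Internet host 203.0.113.10 and the helper names are constructed.


@dataclass(frozen=True)
class Ace:
    """One 'access-list N permit ip <src> <src-wild> <dst> <dst-wild>' line."""
    src: str
    src_wild: str
    dst: str
    dst_wild: str

    @staticmethod
    def host(src: str, dst: str) -> "Ace":
        # 'host X' is shorthand for X with wildcard 0.0.0.0 (every bit must match)
        return Ace(src, "0.0.0.0", dst, "0.0.0.0")

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        # Both halves must match; matching only the source is not enough.
        return (_wild_match(self.src, self.src_wild, src_ip)
                and _wild_match(self.dst, self.dst_wild, dst_ip))


def _wild_match(base: str, wildcard: str, addr: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    a = int(ipaddress.IPv4Address(addr))
    care = ~w & 0xFFFFFFFF
    return (b & care) == (a & care)


def crypto_decision(acl, src_ip: str, dst_ip: str) -> str:
    """'encrypt' if any ACE matches source AND destination, otherwise the
    packet is routed normally in the clear (it is not dropped by the map)."""
    return "encrypt" if any(a.matches(src_ip, dst_ip) for a in acl) else "clear"


def outbound(acl, src_ip: str, dst_ip: str,
             nat_outside: str = "10.10.10.1", nat_exempt=()):
    """Inside-to-outside order of operations on IOS: NAT runs before the
    crypto map check. Assumes overloaded NAT to the outside address unless a
    nat_exempt ACE (the 'deny' line of a NAT ACL / route-map) matches."""
    if not any(a.matches(src_ip, dst_ip) for a in nat_exempt):
        src_ip = nat_outside
    return src_ip, crypto_decision(acl, src_ip, dst_ip)


def mirror(acl):
    """What the peer's crypto ACL must look like: source and destination swapped."""
    return [Ace(a.dst, a.dst_wild, a.src, a.src_wild) for a in acl]


def peer_mirrors(local_acl, peer_acl) -> bool:
    """Phase 2 fails if the peer's proxy identities are not the mirror image."""
    return set(mirror(local_acl)) == set(peer_acl)


CRYPTO_ACL = [Ace.host("172.16.1.1", "192.168.1.1")]
NAT_EXEMPT = [Ace.host("172.16.1.1", "192.168.1.1")]


def demo():
    results = {}
    # LAN to Internet: no ACE matches, packet is NATed and forwarded unencrypted
    results["internet"] = outbound(CRYPTO_ACL, "172.16.1.1", "203.0.113.10",
                                   nat_exempt=NAT_EXEMPT)
    # VPN traffic WITHOUT a NAT exemption: source is rewritten to 10.10.10.1
    # first, so the crypto ACL no longer matches and the packet leaves in the clear
    results["vpn_no_exempt"] = outbound(CRYPTO_ACL, "172.16.1.1", "192.168.1.1")
    # VPN traffic WITH a NAT exemption: original source kept, both halves match
    results["vpn_exempt"] = outbound(CRYPTO_ACL, "172.16.1.1", "192.168.1.1",
                                     nat_exempt=NAT_EXEMPT)
    return results


if __name__ == "__main__":
    for name, (src, decision) in demo().items():
        print(f"{name:14s} src={src:12s} -> {decision}")
```

The model shows the failure mode behind the second reply: with overloaded NAT on the outside interface and no exemption for the encryption domain, VPN-bound packets reach the crypto map with a source of 10.10.10.1, match nothing, and are sent in the clear even though the tunnel and ACL look correct. Traffic that genuinely matches no entry is routed normally rather than dropped, which is the split-tunnel behaviour the original post asks for.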