How to disable Split Tunnel for Site-to-Site VPN?

Hello,
I have successfully set up the VPN between the main office and the remote site. But with the configuration I have, I am using split tunnel. How can I disable split tunnel so ALL the traffic (including web) generated from the remote site comes straight into the main office, and from the main office I can control what access I want to give them?

REMOTE SITE

crypto map clientmap 60 ipsec-isakmp
 set peer 62.A.B.178
 set transform-set REED_GREENLINE
 match address INTRESTING_TRAFFIC_BMGREENLINE
ip nat inside source list DEFAULT_ALLOW_ALL interface Dialer1 overload
!
ip access-list extended DEFAULT_ALLOW_ALL
 deny   ip 192.168.50.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 192.168.50.0 0.0.0.255 any
 deny   ip any any
ip access-list extended INTRESTING_TRAFFIC_BMGREENLINE
 permit ip 192.168.50.0 0.0.0.255 10.0.0.0 0.0.0.255

-----------------------------------------------------------------------------------------------------
Main Site

crypto map clientmap 10 ipsec-isakmp
 set peer 80.A.B.200
 set transform-set REED_GREENLINE
 match address INTRESTING_TRAFFIC_BMGREENLINE

ip nat inside source route-map LEASEDLINE interface FastEthernet0/1 overload
ip access-list extended DEFAULT_ALLOW_ALL
 deny   ip 10.0.0.0 0.0.0.255 192.168.50.0 0.0.0.255
 permit ip 10.0.0.0 0.255.255.255 any
 permit ip 172.16.0.0 0.15.255.255 any
 permit ip 192.168.0.0 0.0.255.255 any

ip access-list extended INTRESTING_TRAFFIC_BMGREENLINE
 permit ip 10.0.0.0 0.0.0.255 192.168.50.0 0.0.0.255

route-map LEASEDLINE permit 10
 match ip address DEFAULT_ALLOW_ALL
 match interface FastEthernet0/1
WannabeNerd asked:
Qlemo ("Batchelor", Developer and EE Topic Advisor) commented:
Split-Tunneling has to be enabled explicitly. Look for split-tunnel config keywords in your running config, and remove them.
WannabeNerd (Author) commented:
Sorry, but I am unable to understand what you mean.
WannabeNerd (Author) commented:
I didn't mention that the main office device is not an ASA but a 2801 router, and the remote device is an 871.
Qlemo ("Batchelor", Developer and EE Topic Advisor) commented:
I'm no Cisco'si (at all), but looking at your configs I suppose you should just change the "interesting traffic" definitions to the all address (0.0.0.0 255.255.255.255). The remote site would then look like this (you will have to make changes on both sides):

crypto map clientmap 60 ipsec-isakmp
 set peer 62.A.B.178
 set transform-set REED_GREENLINE
 match address INTRESTING_TRAFFIC_BMGREENLINE
ip nat inside source list DEFAULT_ALLOW_ALL interface Dialer1 overload
!
ip access-list extended DEFAULT_ALLOW_ALL
 deny   ip 192.168.50.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 192.168.50.0 0.0.0.255 any
 deny   ip any any
ip access-list extended INTRESTING_TRAFFIC_BMGREENLINE
 permit ip 192.168.50.0 0.0.0.255 0.0.0.0 255.255.255.255


WannabeNerd (Author) commented:
Well, I had tried what you mentioned before as well, but it completely rips off the tunnel.
akalbfell commented:
Can you post the entire config? Scrub out passwords and public IPs and stuff... I'll tell you exactly what commands to enter.
WannabeNerd (Author) commented:
MAIN SITE

Current configuration : 13851 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname bm
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging userinfo
logging buffered 51200 warnings
no logging monitor
!
aaa new-model
!
!
aaa authentication login RADIUSAUTHENTICATION group radius local
aaa authentication login USERAUTHENTICATION local
aaa authorization console
aaa authorization exec EXECMODE local
aaa authorization network NETWORKAUTHORIZATION local
aaa authorization network RADIUSAUTHORIZATION local
!
!
aaa session-id common
clock timezone London 0
clock summer-time London date Mar 30 2003 1:00 Oct 26 2003 2:00
!
crypto pki trustpoint tti
 revocation-check crl
 rsakeypair tti
!
crypto pki trustpoint LOCAL
 enrollment selfsigned
 serial-number
 ip-address 10.0.0.252
 revocation-check crl
!
!
crypto pki certificate chain tti
crypto pki certificate chain LOCAL
 certificate self-signed 49
        quit
dot11 syslog
ip source-route
ip cef
no ip bootp server
no ip domain lookup
ip domain name BM.com
ip name-server 4.2.2.2
ip inspect name FIREWALL_RULES tcp
ip inspect name FIREWALL_RULES udp timeout 200
ip inspect name FIREWALL_RULES ftp
no ipv6 cef
!

!
username test privilege 0 secret 5 $1$TIKO$lIbIDhwVbTlMsQLQJsoUX.

crypto isakmp policy 100
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 500
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key @1 address 80.A.B.C no-xauth
!
crypto isakmp client configuration group OFFICE
 key OOP
 dns 10.0.0.4
 domain BM.com
 pool ippool
 acl VPN_TRAFFIC_SPLIT_TUNNEL
 
!
!
crypto ipsec transform-set REED_SET esp-aes esp-sha-hmac
crypto ipsec transform-set REED_GREENLINE esp-3des esp-sha-hmac
!
crypto dynamic-map REED_MAP 5
 set transform-set REED_SET
 reverse-route
!
!
crypto map clientmap client authentication list RADIUSAUTHENTICATION
crypto map clientmap isakmp authorization list RADIUSAUTHORIZATION
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp
 set peer 80.A.B.C
 set transform-set REED_GREENLINE
 match address INTRESTING_TRAFFIC_BMGREENLINE
crypto map clientmap 50 ipsec-isakmp dynamic REED_MAP
!
archive
 log config
  hidekeys
!
!
ip ssh version 2
ip rcmd rcp-enable
!
!
!
!
interface Loopback0
 ip address 10.11.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 shutdown
!
interface FastEthernet0/0
 description INTERNAL LAN INTERFACE$FW_INSIDE$
 ip address 10.0.0.252 255.255.254.0
 ip access-group DMZ_TO_LAN out
 no ip redirects
 no ip unreachables
 ip nat inside
 ip inspect FIREWALL_RULES in
 ip virtual-reassembly
 ip policy route-map ADSL
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description OUTSIDE BT 10 MEG INTERFACE$FW_OUTSIDE$
 ip address 60.A.B.178 255.255.255.240
 ip access-group OUTSIDE_IN_BT in
 no ip redirects
 no ip unreachables
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map clientmap
!
interface FastEthernet0/1/0
 description ADSL INTERFACE
 ip address 192.168.5.2 255.255.255.0
 ip access-group OUTSIDE_IN_ADSL in
 no ip redirects
 no ip unreachables
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/3/0
 description DMZ INTERFACE$FW_DMZ$
 ip address 172.31.0.1 255.255.255.0
 ip access-group LAN_TO_DMZ out
 no ip redirects
 no ip unreachables
 ip nat inside
 ip inspect FIREWALL_RULES in
 ip virtual-reassembly
 ip policy route-map ADSL
 duplex auto
 speed auto
!
ip local pool ippool 192.168.1.1 192.168.1.50
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 60.A.B.177
ip route 10.1.0.0 255.255.255.0 10.0.0.251
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source route-map ADSL interface FastEthernet0/1/0 overload
ip nat inside source route-map LEASEDLINE interface FastEthernet0/1 overload
ip nat inside source static 10.0.0.6 60.A.B.179 route-map STATIC_NO_NAT
ip nat inside source static 172.31.0.100 60.A.B.180
ip access-list extended DEFAULT_ALLOW_ALL
 deny   ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny   ip 10.0.0.0 0.0.0.255 192.168.50.0 0.0.0.255
 permit ip 10.0.0.0 0.255.255.255 any
 permit ip 172.16.0.0 0.15.255.255 any
 permit ip 192.168.0.0 0.0.255.255 any
ip access-list extended DMZ_TO_LAN
 permit ip host 172.31.0.100 host 10.0.0.161
 permit icmp any any
 permit ip any any
 permit tcp any host 10.0.0.6 eq 443
 permit ip host 172.31.0.100 host 10.0.0.6
 permit ip host 172.31.0.100 host 10.0.0.4
 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 192.168.50.0 0.0.0.255 10.0.0.0 0.0.0.255
 deny   ip any any
ip access-list extended INTERNET_TRAFFIC_FROM_ISASERVER
 permit ip host 172.31.0.200 any
ip access-list extended INTERNET_TRAFFIC_FROM_LAN
 deny   ip host 10.0.0.6 any
 permit tcp 10.0.0.0 0.0.0.255 host 192.168.5.1 eq 8081
 permit udp 10.0.0.0 0.0.0.255 any eq domain
ip access-list extended INTRESTING_TRAFFIC_BMGREENLINE
 permit ip 10.0.0.0 0.0.0.255 192.168.50.0 0.0.0.255
ip access-list extended LAN_TO_DMZ
 permit ip host 10.0.0.161 host 172.31.0.100
 permit ip host 10.0.0.131 host 172.31.0.100
 permit ip host 10.0.0.4 host 172.31.0.100
 permit ip host 10.0.0.6 host 172.31.0.100
 deny   ip any any
ip access-list extended OUTSIDE_IN_ADSL
 deny   ip any any
ip access-list extended OUTSIDE_IN_BT
 permit ip host 80.A.B.C host 60.A.B.178
 permit tcp any host 60.A.B.179 eq 443
 permit tcp any host 60.A.B.180 eq smtp
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit tcp any host 60.A.B.178 eq telnet
 deny   ip any any
ip access-list extended STATIC_NO_NAT
 deny   ip any 192.168.1.0 0.0.0.255
 deny   ip any 192.168.50.0 0.0.0.255
 permit ip any any
ip access-list extended VPN_TRAFFIC
 permit ip 192.168.50.0 0.0.0.255 any
 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended VPN_TRAFFIC_SPLIT_TUNNEL
 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
ip radius source-interface FastEthernet0/0
no cdp run

Route-map LEASEDLINE permit 10
 match ip address DEFAULT_ALLOW_ALL
 match interface FastEthernet0/1
!
route-map ADSL permit 10
 match ip address INTERNET_TRAFFIC_FROM_LAN INTERNET_TRAFFIC_FROM_ISASERVER
 match interface FastEthernet0/1/0
 set ip default next-hop 192.168.5.1
!
route-map STATIC_NO_NAT permit 10
 match ip address STATIC_NO_NAT
!
route-map VPN-Client permit 10
 match ip address VPN_TRAFFIC
 set ip next-hop 10.11.0.2
!
!
radius-server host 10.0.0.2 auth-port 1812 acct-port 1813 key cisco123
!
!
line con 0
 exec-timeout 0 0
 authorization exec EXECMODE
 logging synchronous
 login authentication USERAUTHENTICATION
line aux 0
line vty 0 4
 exec-timeout 0 0
 authorization exec EXECMODE
 logging synchronous
 login authentication USERAUTHENTICATION
 transport input telnet ssh
line vty 5 15
 authorization exec EXECMODE
 login authentication USERAUTHENTICATION
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
webvpn install svc flash:/webvpn/svc_1.pkg sequence 1
end
 
REMOTE SITE


crypto isakmp policy 500
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key @wnt1pu3 address 60.A.B.178 no-xauth
!
!
crypto ipsec transform-set REED_GREENLINE esp-3des esp-sha-hmac
!
crypto map clientmap 60 ipsec-isakmp
 set peer 62.A.B.178
 set transform-set REED_GREENLINE
 match address INTRESTING_TRAFFIC_BMGREENLINE
!
archive
 log config
  hidekeys
!
!
ip ssh version 2
!
!
!
interface ATM0
 no ip address
 ip virtual-reassembly
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 192.168.50.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Dialer1
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname ABC@XYZ.net
 ppp chap password 7 1234556D
 crypto map clientmap
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list DEFAULT_ALLOW_ALL interface Dialer1 overload
!
ip access-list extended DEFAULT_ALLOW_ALL
 deny   ip 192.168.50.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 192.168.50.0 0.0.0.255 any
 deny   ip any any
ip access-list extended INTRESTING_TRAFFIC_BMGREENLINE
 permit ip 192.168.50.0 0.0.0.255 10.0.0.0 0.0.0.255
!
dialer-list 1 protocol ip permit
no cdp run
akalbfell commented:
Try this:

ip access-list extended VPN_TRAFFIC_SPLIT_TUNNEL
 no permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip any any
WannabeNerd (Author) commented:
No, this cannot be right; this ACL is not used anywhere by the site-to-site VPN. It's used by the client VPNs.
WannabeNerd (Author) commented:
Help needed... Anyone, please!!
cat6509 commented:
The below
ip nat inside source route-map ADSL interface FastEthernet0/1/0 overload
ip nat inside source route-map LEASEDLINE interface FastEthernet0/1 overload

Route-map LEASEDLINE permit 10
 match ip address DEFAULT_ALLOW_ALL
 match interface FastEthernet0/1
!
route-map ADSL permit 10
 match ip address INTERNET_TRAFFIC_FROM_LAN INTERNET_TRAFFIC_FROM_ISASERVER
 match interface FastEthernet0/1/0
 set ip default next-hop 192.168.5.1
is what is allowing your traffic out to the Internet without a proxy. Adjust your route-maps to not NAT for host addresses/subnets that should not go out to the Internet without a proxy.
WannabeNerd (Author) commented:
I have found the solution.
Disable NAT on the remote site totally. Set up a route map and a loopback interface on the main site router, and match the route map with the ACL
deny ip 192.168.50.0 0.0.0.255 10.0.0.0 0.0.0.255
permit ip 192.168.50.0 0.0.0.255 any.
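Two IOS behaviours explain both why Qlemo's "match any" crypto ACL would rip off the tunnel and why the accepted fix works: the two peers' crypto ACLs must be mirror images for IKE phase 2 to complete, and inside-to-outside NAT runs before the crypto map, so anything the NAT ACL still translates never matches the crypto ACL. The checker below is an added example, not from the thread; it parses the thread's own ACL lines (wildcard masks assumed contiguous, `ip` entries only) and flags both problems.

```python
import ipaddress

def _take(tok):
    """Consume one ACL address ('any', 'host X', or 'X WILDCARD') from a token list."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    host_bits = int(ipaddress.ip_address(tok[1]))  # Cisco wildcard: 1 bits are "don't care"
    if host_bits & (host_bits + 1):
        raise ValueError("non-contiguous wildcard " + tok[1])
    return ipaddress.ip_network(f"{tok[0]}/{32 - host_bits.bit_length()}", strict=False), tok[2:]

def parse_acl(text):
    """Parse extended-ACL lines into (action, src_net, dst_net); only 'ip' entries are handled."""
    entries = []
    for raw in text.strip().splitlines():
        tok = raw.split()
        if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[1] != "ip":
            continue
        src, rest = _take(tok[2:])
        entries.append((tok[0], src, _take(rest)[0]))
    return entries

def is_mirror(local_acl, remote_acl):
    """Phase 2 proxy IDs must mirror: every local permit (src, dst) needs a remote permit (dst, src)."""
    local = {(s, d) for a, s, d in local_acl if a == "permit"}
    remote = {(d, s) for a, s, d in remote_acl if a == "permit"}
    return local == remote

def nat_leaks(nat_acl, crypto_acl):
    """Crypto-ACL permits whose traffic the NAT ACL would still translate: IOS runs inside-to-outside
    NAT before the crypto map, so translated packets miss the crypto ACL and leave in the clear."""
    leaks = []
    for action, s, d in crypto_acl:
        if action != "permit":
            continue
        for nat_action, ns, nd in nat_acl:  # first NAT entry covering the whole crypto entry decides
            if s.subnet_of(ns) and d.subnet_of(nd):
                if nat_action == "permit":
                    leaks.append((s, d))
                break
    return leaks

# ACL text copied from the thread's configs
MAIN_CRYPTO = parse_acl("permit ip 10.0.0.0 0.0.0.255 192.168.50.0 0.0.0.255")
REMOTE_CRYPTO = parse_acl("permit ip 192.168.50.0 0.0.0.255 10.0.0.0 0.0.0.255")
REMOTE_CRYPTO_ANY = parse_acl("permit ip 192.168.50.0 0.0.0.255 0.0.0.0 255.255.255.255")  # Qlemo's suggestion
REMOTE_NAT = parse_acl("deny ip 192.168.50.0 0.0.0.255 10.0.0.0 0.0.0.255\n"
                       "permit ip 192.168.50.0 0.0.0.255 any\ndeny ip any any")
```

With the remote's NAT ACL left in place, the "any" crypto ACL is flagged on both counts; an empty NAT ACL (NAT disabled at the remote, as in the accepted answer) clears the leak, and a main-site mirror of `permit ip any 192.168.50.0 0.0.0.255` clears the proxy-ID mismatch.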