Solved

CISCO ASA 5510 Lan to Lan split tunnel

Posted on 2011-02-28
Last Modified: 2012-05-11
Howdy Folks,

I'm stuck with an irritating problem, far away from home and help.

I want the remote computers at the far end of an IPsec LAN-to-LAN tunnel to be able to get directly to the internet, bypassing the tunnel.

I have my config for the remote end below, at the moment everything is working but the internet access. We have a proxy issue that needs more firewall holes created for a permanent solution, but if I can't get this sorted before the users get back then they will revolt.

Any questions or suggestions I will be monitoring the thread and will answer as soon as possible.

Cheers

Ash

Attachment: asa-as-at-monday-night---ready-f.txt
Question by:InfrastructureBAI

Author Comment

by:InfrastructureBAI
ID: 34996056
Some more details; I am suffering from a severe lack of sleep and pizza.

The local PCs are all on CCC.CCC.202.0 255.255.255.0.
The ASA has an inside address of CCC.CCC.202.1 and an outside of AAA.AAA.221.133,
and the other main address is the end at the head office: BBB.BBB.31.234.

We had planned for the internet traffic to hit the proxy server at CCC.CCC.202.200, then to go through the tunnel and head to our regular internet gateway address, but this doesn't want to work. For interests sake the regular internet gateway address is CCC.CCC.122.254.

I have the head office address range being CCC.CCC.0.0/16 and the remote end is CCC.CCC.202.0/24

I am open to any suggestions and will try just about anything, but my proxy guy is asleep, and our gateway company has stopped working on the problem for the night, so I can only really change things on the ASAs at either end (I can Citrix back to our head office and change the ASA there if need be).

Both ASAs are 5510s.

Cheers

Ash

Expert Comment

by:Fidelius
ID: 34996302
Hello,

To be able to have access to the internet from that ASA, you need the global NAT command:
global (outside) 1 AAA.AAA.221.133

This way, you will be able to go directly to the internet from the remote site.
Your current configuration doesn't allow internet access even if you don't have the tunnel.

Regards!

Author Comment

by:InfrastructureBAI
ID: 34996375
Howdy,

Thanks for your response,

I have tried to add that and get "AAA.AAA.221.133-AAA.AAA.221.133 overlaps with outside interface address".

I have tried changing the address to the default gateway, without success. Anything else you can see I'm missing?

Cheers, Ash

Author Comment

by:InfrastructureBAI
ID: 34996415
Howdy again, I just had a thought and took down my tunnel, but it still won't allow direct access to the net.

I think I'm missing something to tell it to avoid trying the tunnel all together, but I can't work out what.

Cheers

Ash

Expert Comment

by:Fidelius
ID: 34996434
Also, I forgot to mention, you will have to change crypto access list to:
access-list 100 extended permit ip SITENAME 255.255.255.0 CCC.CCC.0.0 255.255.0.0

You will also need to modify routing for networks on head site.


For proxy scenario you originally planned, you will have to change crypto access list to:
access-list 100 extended permit ip host CCC.CCC.202.200 any
access-list 100 extended permit ip SITENAME 255.255.255.0 CCC.CCC.0.0 255.255.0.0

and you also need to configure a default route to the internet gateway address:
route outside 0.0.0.0 0.0.0.0 CCC.CCC.122.254 1

Regards!

Expert Comment

by:Fidelius
ID: 34996442
Try this for global:

global (outside) 1 interface


Regards!

Accepted Solution

by: Fidelius (earned 500 total points)
ID: 34996448
After you do all the changes, please send configuration so I can double check.

Thanks!

Author Closing Comment

by:InfrastructureBAI
ID: 35004539
Worked when global (outside) 1 interface was added to the config.
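Putting the pieces from the thread together, the following is an added example configuration for the remote-site ASA 5510 in the pre-8.3 NAT syntax the thread uses. It is not the asker's attached config (which is not reproduced on the page) and not Fidelius's text; the address ranges and the peer address are the ones given in the thread, while the interface names inside/outside, the access-list, crypto map and transform-set names, and the <ISP_NEXT_HOP> placeholder for the remote site's own ISP gateway are assumptions.

```text
! Added example, not the original config from the thread.
! Assumed: interface names "inside"/"outside", ACL/crypto-map/transform-set names,
! and <ISP_NEXT_HOP> = the remote site's own ISP gateway (not given on the page).
! From the thread: remote LAN CCC.CCC.202.0/24, head office CCC.CCC.0.0/16,
! head office VPN peer BBB.BBB.31.234, remote outside address AAA.AAA.221.133.

! 1. Interesting traffic: ONLY remote LAN <-> head office is sent through IPsec.
!    Anything not matched here is plain routed traffic, which is the split.
access-list 100 extended permit ip CCC.CCC.202.0 255.255.255.0 CCC.CCC.0.0 255.255.0.0

! 2. NAT exemption: tunnelled traffic must keep its real source address.
!    Without this it would be PATed to AAA.AAA.221.133 before encryption and
!    would no longer match access-list 100 (or the mirror ACL at head office).
access-list nonat extended permit ip CCC.CCC.202.0 255.255.255.0 CCC.CCC.0.0 255.255.0.0
nat (inside) 0 access-list nonat

! 3. Everything else from the LAN is PATed behind the outside interface address.
!    "global (outside) 1 interface" is the line that fixed the asker's problem;
!    a literal AAA.AAA.221.133 is rejected because it IS the interface address.
nat (inside) 1 CCC.CCC.202.0 255.255.255.0
global (outside) 1 interface

! 4. Default route to the local ISP. The next hop must be on the outside
!    interface's subnet, i.e. the remote site's own gateway.
route outside 0.0.0.0 0.0.0.0 <ISP_NEXT_HOP> 1

! 5. Standard L2L crypto map. The ISAKMP policy and the pre-shared key for the
!    peer are unchanged from the already-working tunnel and omitted here.
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 match address 100
crypto map outside_map 10 set peer BBB.BBB.31.234
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
```

Two checks are worth making before calling this done. First, the head-office ASA must mirror access-list 100 (CCC.CCC.0.0/16 to CCC.CCC.202.0/24) in its own crypto ACL and have a route for CCC.CCC.202.0/24 pointing out its VPN interface, which is the "routing on head site" change Fidelius mentions. Second, the default route for a direct breakout has to be the remote site's ISP next hop; the head-office internet gateway CCC.CCC.122.254 lies inside the CCC.CCC.0.0/16 range that access-list 100 tunnels, so it is not a usable outside next hop for this design. Note the security consequence: with the breakout in place, this site's web traffic no longer passes through the head-office proxy and whatever filtering or logging it provided, so the remote ASA's outside-interface ACL and its own logging become the control point for that traffic. On ASA 8.3 and later the same intent is expressed with object NAT and twice NAT rather than the nat/global pairs shown here.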

Featured Post

How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
Cisco iWAN 8 46
SQL Server issue connecting to named instance 6 42
Gateway Resilience 4 21
Access List 4 14
Short answer to this question: there is no effective WiFi manager in iOS devices as seen in Windows WiFi or Macbook OSx WiFi management, but this article will try and provide some amicable solutions to better suite your needs.
When it comes to security, there are always trade-offs between security and convenience/ease of administration. This article examines some of the main pros and cons of using key authentication vs password authentication for hosting an SFTP server.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now