Split Traffic on Cisco ASA using ASDM

Posted on 2012-03-15
Last Modified: 2012-06-27
I need to split the traffic at a remote WAN site. I'd like all the port 80 and 443 traffic to go out to the Internet and all other traffic to flow between the site and HQ using our VPN tunnel. I am a complete newbie when it comes to Cisco... any help greatly appreciated.
Question by:abaskett
Welcome to Experts Exchange

Expert Comment

by:Garry Glendown
ID: 37730927
Please define "all other traffic" - most often, VPNs use split tunneling, only using the VPN for the actual LAN networks, but routing Internet traffic directly ...
At what point are you currently? Do you already have the Site2Site VPN set up to route 0/0 through the VPN to the HQ?
Please note that the ASA does not support "real" PBR (policy-based routing), so you need to take some detours to get similar behavior ...

Author Comment

ID: 37731237
The WAN site has a domain controller and file server. I would like all the AD and internal DNS lookups to go through the VPN and web traffic to go directly out to the Internet. Hope that makes sense...
The site2site VPN is in-place coming back to our HQ.

Accepted Solution

Garry Glendown earned 500 total points
ID: 37732000
From that description, I'm assuming the only stuff you actually want/need through the tunnel is anything that is on the internal LANs of the locations ... so any Internet-directed traffic (which may be more than just WWW, like FTP, external Mail servers, remote-access VPNs, Internet Radio, ...) should still go directly from each site to the Internet.
This is rather easy, as any split-tunneling VPN connection will do this automatically for you ...
The VPN Wizard on ASDM is rather simple to use, and will usually yield a very well working VPN connection when you're through, provided you enter the right values ...
Just a quick run-down of the entries (assuming a current version, like ASDM 6.2) ... just open ASDM twice if possible and connect to both sites, configuring the config side-by-side ... this will go pretty quickly, and you should not miss anything ...

Start the IPSEC Wizard, then choose the "Site-2-Site" tunnel type. Choose the correct outside interface from the drop-down, and leave the checkmark in the "bypass" field.
Next page, enter the remote site's IP address, and enter a nice cryptic pre-shared key (create it in one form, then copy it to the other; that should keep away some headache from mis-typed passwords). Don't change the tunnel name ...
Next up is IKE encryption; go with AES instead of the default 3DES. Best choice is AES-256; DH should be 5 with those long encryptions. Use the same for the next step, IPSEC encryption.
The next step is the relevant one for what you want to achieve - here's where you decide whether everything goes into the VPN tunnel, including Internet traffic, or whether you want split tunneling, which only diverts internal traffic into the tunnel but keeps the Internet on the local uplink instead. For each side, choose the correct internal networks, then also the remote networks. Make sure they match up, otherwise the ASA will run into problems. Make sure the interface for internal access at the bottom of the form is correct.
With that, you're done - let ASDM create the commands and roll them out to the ASA and you should be set. Try to ping an internal IP of the remote site from the inside of the other; this should work with only one or two packets lost at most. On the start page of ASDM, you should see one active IPSEC connection, and under "Details" and Site-2-Site you should also see the connection you just set up, with the byte counter increasing ...
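
For reference, the following is the CLI equivalent of what the ASDM wizard described above generates on the remote-site ASA. It is an added example, not configuration posted by the expert or the asker, and it assumes ASA 8.2 syntax (the ASDM 6.2 era mentioned above); the networks 192.168.10.0/24 (remote LAN), 10.0.0.0/16 (HQ LAN), the HQ peer 203.0.113.1, the ISP gateway 198.51.100.1 and all object names are assumptions. The "split" is done entirely by the crypto ACL: only traffic between the two LANs matches it and is encrypted; everything else, web included, follows the default route and is PATed to the Internet. Note that the match is by network, not by port, so AD, DNS, SMB and anything else destined for the HQ LAN goes through the tunnel, and HTTP/HTTPS to an HQ server also goes through the tunnel, not the local uplink.

```cisco
! Remote-site ASA, 8.2 syntax. Addresses and names below are assumptions for the example.
! 192.168.10.0/24 = remote LAN, 10.0.0.0/16 = HQ LAN, 203.0.113.1 = HQ outside IP,
! 198.51.100.1 = local ISP gateway.

! Crypto ACL: the only "interesting" traffic is LAN-to-LAN; it defines the split.
access-list VPN_TO_HQ extended permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.255.0.0

! NAT exemption so LAN-to-LAN traffic keeps its private addresses inside the tunnel.
access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.255.0.0
nat (inside) 0 access-list NONAT

! Everything else from the LAN is PATed out of the outside interface (web traffic etc.).
global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0

! Default route to the ISP; no route points 0/0 at HQ, so Internet traffic never enters the tunnel.
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1

! IKE phase 1, matching the wizard choices above: AES-256, SHA-1, DH group 5, pre-shared key.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

! IPsec phase 2: AES-256/SHA-1 transform set, PFS with group 5.
crypto ipsec transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_TO_HQ
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set transform-set AES256-SHA
crypto map OUTSIDE_MAP 10 set pfs group5
crypto map OUTSIDE_MAP interface outside

! The peer and its pre-shared key; use a long random value, identical on both ends.
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key <long-random-psk>

! The wizard's "bypass" checkbox: decrypted VPN traffic skips the outside interface ACL.
sysopt connection permit-vpn

! Verification: one command per path. The first must hit the VPN/encrypt phase,
! the second must hit the NAT phase and leave via the outside interface unencrypted.
packet-tracer input inside tcp 192.168.10.50 1025 10.0.0.10 445
packet-tracer input inside tcp 192.168.10.50 1025 192.0.2.80 443
show crypto isakmp sa
show crypto ipsec sa
```

The HQ ASA gets the mirror image (source and destination swapped in VPN_TO_HQ and NONAT, the remote site's outside IP as the peer and tunnel-group name); the two crypto ACLs must match exactly, which is what "make sure they match up" in the answer refers to. On ASA 8.3 and later the `nat (inside) 0 access-list` exemption no longer exists and is replaced by a twice-NAT identity rule of the form `nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static HQ_LAN HQ_LAN no-proxy-arp route-lookup`, and `crypto isakmp policy` becomes `crypto ikev1 policy`; the crypto ACL and routing logic are unchanged. Because `sysopt connection permit-vpn` bypasses the outside ACL for decrypted traffic, anything reachable on the HQ LAN is reachable from the remote LAN and vice versa unless you filter it with a VPN filter or on the inside interface.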

Author Closing Comment

ID: 37738200
Thank you!

Question has a verified solution.