Solved

Split Traffic on Cisco ASA using ASDM

Posted on 2012-03-15
4
775 Views
Last Modified: 2012-06-27
I need to split the traffic at a remote wan site. I'd like all the port 80 and 443 traffic to go out to the Internet and all other traffic to flow between the site and HQ using our VPN tunnel. I am a complete newbie when it comes to Cisco...any help greatly appreciated.
0
Comment
Question by:abaskett
  • 2
  • 2
4 Comments
 
LVL 17

Expert Comment

by:Garry-G
Comment Utility
Please define "all other traffic" - most often, VPNs are using Split Tunneling, only using the VPN for the actually LAN networks, but routing Internet directly ...
At what point are you currently? Do you already have the Site2Site VPN set up to router 0/0 through the VPN to the HQ?
Please note that ASA does not support "real" PBR (policy-based routing), so you need to take some detours to get some similar behavior ...
0
 

Author Comment

by:abaskett
Comment Utility
The wan site has a domain controller and file server. I would like all the AD and internal DNS lookups to go through the VPN and web traffic to go directly out to the internet. Hope that makes sense...
The site2site VPN is in-place coming back to our HQ.
0
 
LVL 17

Accepted Solution

by:
Garry-G earned 500 total points
Comment Utility
From that description, I'm assuming the only stuff you actually want/need through the tunnel is anything that is on the internal LANs of the locations ... so any Internet-directed traffic (which may be more than just WWW, like FTP, external Mail servers, remote-access VPNs, Internet Radio, ...) should still go directly from each site to the Internet.
This is rather easy, as any split-tunneling VPN connection will do this automatically for you ...
The VPN Wizard on ASDM is rather simple to use, and will usually yield a very well working VPN connection when you're through, provided you enter the right values ...
Just a quick run-down of the entries (assuming a current version, like ASDM 6.2) ... just open ASDM twice if possible and connect to both sites, configuring the config side-by-side ... this will go pretty quickly, and you should not miss anything ...

Start the IPSEC Wizard, then "Site-2-Site" Tunnel Type. Chose the correct outside interface from the drop-down, leave the checkmark in the "bypass" field.
Next page, enter the remote site's IP address, and enter a nice cryptic Pre-Shared key (create in one form, then copy to the other, that should keep away some headache from mis-typed PW). Don't change the tunnel name ...
Next up IKE encryption, go with AES instead of the default 3DES. Best choice is AES-256; DH should be 5 with those long encryptions. Use the same for the next step, IPSEC encryption.
The next step is the relevant for what you want to achieve - here's where you decide whether everything goes into the VPN tunnel, including Internet traffic, or whether you want split tunneling, which only diverts internal traffic into the tunnel, but keeps the Internet to the local uplink instead. For each side, chose the correct internal networks, then also the remote networks. Make sure they match up, otherwise the ASA will run into problems. Make sure the interface for internal access on the bottom of the form is correct.
With that, you're done - let ASDM create the commands and roll them out to the ASA and you should be set - try to ping an internal IP of the remote site from the inside of the other, this should work with only one or two packets lost at most. On the start page of ASDM, you should see one active IPSEC connection, and in "Details" and Site-2-Site you should also see the connection you just set up, with the byte counter increasing ...
0
 

Author Closing Comment

by:abaskett
Comment Utility
Thank you!
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

From Cisco ASA version 8.3, the Network Address Translation (NAT) configuration has been completely redesigned and it may be helpful to have the syntax configuration for both at a glance. You may as well want to read official Cisco published AS…
Every server (virtual or physical) needs a console: and the console can be provided through hardware directly connected, software for remote connections, local connections, through a KVM, etc. This document explains the different types of consol…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now