Split Traffic on Cisco ASA using ASDM

I need to split the traffic at a remote wan site. I'd like all the port 80 and 443 traffic to go out to the Internet and all other traffic to flow between the site and HQ using our VPN tunnel. I am a complete newbie when it comes to Cisco...any help greatly appreciated.
abaskettAsked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
Garry GlendownConnect With a Mentor Consulting and Network/Security SpecialistCommented:
From that description, I'm assuming the only stuff you actually want/need through the tunnel is anything that is on the internal LANs of the locations ... so any Internet-directed traffic (which may be more than just WWW, like FTP, external Mail servers, remote-access VPNs, Internet Radio, ...) should still go directly from each site to the Internet.
This is rather easy, as any split-tunneling VPN connection will do this automatically for you ...
The VPN Wizard on ASDM is rather simple to use, and will usually yield a very well working VPN connection when you're through, provided you enter the right values ...
Just a quick run-down of the entries (assuming a current version, like ASDM 6.2) ... just open ASDM twice if possible and connect to both sites, configuring the config side-by-side ... this will go pretty quickly, and you should not miss anything ...

Start the IPSEC Wizard, then "Site-2-Site" Tunnel Type. Chose the correct outside interface from the drop-down, leave the checkmark in the "bypass" field.
Next page, enter the remote site's IP address, and enter a nice cryptic Pre-Shared key (create in one form, then copy to the other, that should keep away some headache from mis-typed PW). Don't change the tunnel name ...
Next up IKE encryption, go with AES instead of the default 3DES. Best choice is AES-256; DH should be 5 with those long encryptions. Use the same for the next step, IPSEC encryption.
The next step is the relevant for what you want to achieve - here's where you decide whether everything goes into the VPN tunnel, including Internet traffic, or whether you want split tunneling, which only diverts internal traffic into the tunnel, but keeps the Internet to the local uplink instead. For each side, chose the correct internal networks, then also the remote networks. Make sure they match up, otherwise the ASA will run into problems. Make sure the interface for internal access on the bottom of the form is correct.
With that, you're done - let ASDM create the commands and roll them out to the ASA and you should be set - try to ping an internal IP of the remote site from the inside of the other, this should work with only one or two packets lost at most. On the start page of ASDM, you should see one active IPSEC connection, and in "Details" and Site-2-Site you should also see the connection you just set up, with the byte counter increasing ...
0
 
Garry GlendownConsulting and Network/Security SpecialistCommented:
Please define "all other traffic" - most often, VPNs are using Split Tunneling, only using the VPN for the actually LAN networks, but routing Internet directly ...
At what point are you currently? Do you already have the Site2Site VPN set up to router 0/0 through the VPN to the HQ?
Please note that ASA does not support "real" PBR (policy-based routing), so you need to take some detours to get some similar behavior ...
0
 
abaskettAuthor Commented:
The wan site has a domain controller and file server. I would like all the AD and internal DNS lookups to go through the VPN and web traffic to go directly out to the internet. Hope that makes sense...
The site2site VPN is in-place coming back to our HQ.
0
 
abaskettAuthor Commented:
Thank you!
0
All Courses

From novice to tech pro — start learning today.