Solved

Split Traffic on Cisco ASA using ASDM

Posted on 2012-03-15
Last Modified: 2012-06-27
I need to split the traffic at a remote wan site. I'd like all the port 80 and 443 traffic to go out to the Internet and all other traffic to flow between the site and HQ using our VPN tunnel. I am a complete newbie when it comes to Cisco...any help greatly appreciated.
Question by:abaskett
4 Comments
 
LVL 17

Expert Comment

by:Garry-G
ID: 37730927
Please define "all other traffic" - most often, VPNs are using Split Tunneling, only using the VPN for the actual LAN networks, but routing Internet directly ...
At what point are you currently? Do you already have the Site2Site VPN set up to route 0/0 through the VPN to the HQ?
Please note that ASA does not support "real" PBR (policy-based routing), so you need to take some detours to get similar behavior ...
0
 

Author Comment

by:abaskett
ID: 37731237
The wan site has a domain controller and file server. I would like all the AD and internal DNS lookups to go through the VPN and web traffic to go directly out to the internet. Hope that makes sense...
The site2site VPN is in-place coming back to our HQ.
0
 
LVL 17

Accepted Solution

by:Garry-G (earned 500 total points)
ID: 37732000
From that description, I'm assuming the only stuff you actually want/need through the tunnel is anything that is on the internal LANs of the locations ... so any Internet-directed traffic (which may be more than just WWW, like FTP, external Mail servers, remote-access VPNs, Internet Radio, ...) should still go directly from each site to the Internet.
This is rather easy, as any split-tunneling VPN connection will do this automatically for you ...
The VPN Wizard on ASDM is rather simple to use, and will usually yield a very well working VPN connection when you're through, provided you enter the right values ...
Just a quick run-down of the entries (assuming a current version, like ASDM 6.2) ... just open ASDM twice if possible and connect to both sites, configuring the config side-by-side ... this will go pretty quickly, and you should not miss anything ...

Start the IPSEC Wizard, then "Site-2-Site" Tunnel Type. Choose the correct outside interface from the drop-down, leave the checkmark in the "bypass" field.
Next page, enter the remote site's IP address, and enter a nice cryptic Pre-Shared key (create it in one form, then copy it to the other; that should keep away some headaches from mis-typed PWs). Don't change the tunnel name ...
Next up IKE encryption, go with AES instead of the default 3DES. Best choice is AES-256; DH should be 5 with those long encryptions. Use the same for the next step, IPSEC encryption.
The next step is the relevant one for what you want to achieve - here's where you decide whether everything goes into the VPN tunnel, including Internet traffic, or whether you want split tunneling, which only diverts internal traffic into the tunnel, but keeps the Internet on the local uplink instead. For each side, choose the correct internal networks, then also the remote networks. Make sure they match up, otherwise the ASA will run into problems. Make sure the interface for internal access at the bottom of the form is correct.
With that, you're done - let ASDM create the commands and roll them out to the ASA and you should be set - try to ping an internal IP of the remote site from the inside of the other, this should work with only one or two packets lost at most. On the start page of ASDM, you should see one active IPSEC connection, and in "Details" and Site-2-Site you should also see the connection you just set up, with the byte counter increasing ...
0
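As an added illustration (not part of the original answer), this is roughly the CLI the wizard steps above generate on the remote-site ASA, in 8.2 syntax (the ASA generation ASDM 6.2 manages); the networks, peer address and key are constructed placeholders. It also shows why no PBR is needed, as Garry-G's first comment notes: the crypto ACL alone decides what enters the tunnel, and everything else takes the local uplink.

```cisco
! Remote-site ASA, 8.2 syntax. Constructed values: remote LAN 192.168.20.0/24,
! HQ LAN 192.168.10.0/24, HQ outside address 203.0.113.1 (TEST-NET placeholder).

! "Interesting traffic": only LAN-to-LAN flows are encrypted. AD, internal DNS
! and file-server traffic to HQ matches this ACL; anything bound for the
! Internet (HTTP/HTTPS, FTP, mail ...) does not, so it leaves via the uplink.
access-list outside_1_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0

! NAT exemption for the same network pair, so tunnel traffic keeps its private
! addresses while Internet traffic is still PATed to the outside interface.
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.20.0 255.255.255.0
global (outside) 1 interface

! Phase 1 (IKE): AES-256, SHA-1, DH group 5, pre-shared key, as chosen in the wizard.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

! Phase 2 (IPsec): same cipher; the crypto map binds ACL, peer and transform set.
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 203.0.113.1
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside

! The wizard's "bypass" checkbox keeps this default, letting decrypted
! tunnel traffic skip the outside interface ACL.
sysopt connection permit-vpn

! Peer identity and the shared secret (placeholder; paste the value created in the wizard).
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key <PRE-SHARED-KEY>

! The HQ ASA mirrors this with source/destination swapped in both ACLs and
! the remote site's outside address as peer. Any asymmetry between the two
! crypto ACLs is the "make sure they match up" failure the answer warns about.
```

After the first ping across the tunnel, "show crypto isakmp sa" should list one active peer and "show crypto ipsec sa" should show the encaps/decaps counters rising, which is the CLI view of the byte counter ASDM displays.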
 

Author Closing Comment

by:abaskett
ID: 37738200
Thank you!
0
