

Split Traffic on Cisco ASA using ASDM

Posted on 2012-03-15
Medium Priority
Last Modified: 2012-06-27
I need to split the traffic at a remote wan site. I'd like all the port 80 and 443 traffic to go out to the Internet and all other traffic to flow between the site and HQ using our VPN tunnel. I am a complete newbie when it comes to Cisco...any help greatly appreciated.
Question by:abaskett
LVL 18

Expert Comment

by:Garry Glendown
ID: 37730927
Please define "all other traffic" - most often, VPNs are using Split Tunneling, only using the VPN for the actual LAN networks, but routing Internet directly ...
At what point are you currently? Do you already have the Site2Site VPN set up to route 0/0 through the VPN to the HQ?
Please note that ASA does not support "real" PBR (policy-based routing), so you need to take some detours to get some similar behavior ...

Author Comment

ID: 37731237
The wan site has a domain controller and file server. I would like all the AD and internal DNS lookups to go through the VPN and web traffic to go directly out to the internet. Hope that makes sense...
The site2site VPN is in-place coming back to our HQ.
LVL 18

Accepted Solution

Garry Glendown earned 2000 total points
ID: 37732000
From that description, I'm assuming the only stuff you actually want/need through the tunnel is anything that is on the internal LANs of the locations ... so any Internet-directed traffic (which may be more than just WWW, like FTP, external Mail servers, remote-access VPNs, Internet Radio, ...) should still go directly from each site to the Internet.
This is rather easy, as any split-tunneling VPN connection will do this automatically for you ...
The VPN Wizard on ASDM is rather simple to use, and will usually yield a very well working VPN connection when you're through, provided you enter the right values ...
Just a quick run-down of the entries (assuming a current version, like ASDM 6.2) ... just open ASDM twice if possible and connect to both sites, configuring the config side-by-side ... this will go pretty quickly, and you should not miss anything ...

Start the IPSEC Wizard, then "Site-2-Site" Tunnel Type. Choose the correct outside interface from the drop-down, leave the checkmark in the "bypass" field.
Next page, enter the remote site's IP address, and enter a nice cryptic Pre-Shared key (create in one form, then copy to the other, that should keep away some headache from mis-typed PW). Don't change the tunnel name ...
Next up IKE encryption, go with AES instead of the default 3DES. Best choice is AES-256; DH should be 5 with those long encryptions. Use the same for the next step, IPSEC encryption.
The next step is the relevant one for what you want to achieve - here's where you decide whether everything goes into the VPN tunnel, including Internet traffic, or whether you want split tunneling, which only diverts internal traffic into the tunnel, but keeps the Internet to the local uplink instead. For each side, choose the correct internal networks, then also the remote networks. Make sure they match up, otherwise the ASA will run into problems. Make sure the interface for internal access on the bottom of the form is correct.
With that, you're done - let ASDM create the commands and roll them out to the ASA and you should be set - try to ping an internal IP of the remote site from the inside of the other, this should work with only one or two packets lost at most. On the start page of ASDM, you should see one active IPSEC connection, and in "Details" and Site-2-Site you should also see the connection you just set up, with the byte counter increasing ...
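For readers who want to see what the wizard steps above actually produce on the remote-site ASA, here is the equivalent CLI configuration. This is an added example, not the answer's own output or Cisco's documentation; it uses the ASA 8.2 / ASDM 6.x syntax the answer refers to, and every address, name and key in it is an assumption: 192.168.10.0/24 is the remote site LAN, 192.168.1.0/24 is the HQ LAN, 203.0.113.1 is the HQ outside address, and the pre-shared key is a placeholder. The security-relevant point is the crypto ACL: only traffic between the two internal networks matches it and is encrypted, so everything else (port 80/443 or otherwise) is PAT'd out of the local uplink in the clear.

```cisco
! --- Phase 1 (IKE) policy, matching the answer's AES-256 / DH group 5 choice ---
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp enable outside

! --- Phase 2 (IPsec) transform set, same cipher choice ---
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

! --- "Interesting traffic": ONLY local LAN <-> HQ LAN enters the tunnel ---
! (assumed subnets; must mirror the HQ side's ACL exactly)
access-list outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0

! --- NAT exemption for the same pair so tunnel traffic is not PAT'd ---
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! --- Everything else from the LAN (web, mail, etc.) is PAT'd to the outside IP ---
global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0

! --- Crypto map binding the ACL, peer and transform set to the outside interface ---
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 203.0.113.1
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside

! --- Site-to-site tunnel group keyed by the HQ peer address (assumed) ---
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key REPLACE-WITH-LONG-RANDOM-KEY

! --- The wizard's "bypass" checkbox: let decrypted VPN traffic skip interface ACLs ---
sysopt connection permit-vpn
```

After the HQ side is configured with the mirrored networks and the same key, `show crypto isakmp sa` should show one peer in state `MM_ACTIVE` and `show crypto ipsec sa` should show the encaps/decaps counters climbing as you ping across; if the ISAKMP SA comes up but no IPsec SA forms, the two crypto ACLs do not mirror each other, which is the mismatch the answer warns about. On ASA 8.4 and later the wizard emits `crypto ikev1` and object-based NAT instead, but the split between the crypto ACL and the default PAT rule is the same.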

Author Closing Comment

ID: 37738200
Thank you!
