split tunnel settings cisco asa site to site vpn

Posted on 2013-12-09
Last Modified: 2014-01-20
Hi,are there split tunnel settings for a site-to-site vpn tunnel or is this enabled by default?
If not please provide the cli rules to enable it.Thank you
Question by:antwerp2007
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
LVL 79

Expert Comment

ID: 39707810
It is enabled by default through the definition of the interesting traffic of the VPN
Location A
Local: IPA segment
Remote: IPB segment

Location B
Local: IPB segment
Remote: IPA segment

If you setup a VPN with routing (rip,ospf) then the split-tunnel info can be dynamically updated.
LVL 20

Expert Comment

ID: 39708680
Arnold has it correct. A lan to lan tunnel doesn't have a "split tunnel" per se, but the crypto acl which defines the interesting traffic essentially the same concept which the exception that it also specifies the sources as well as destinations (whereas remote access always assumes that the client is the source and everything else defined is a destination).

Arnold - would you be able to expand on your last statement about VPN with routing as I've never seen an ASA do dynamic routing across a VPN. I've seen GRE tunnels built over an l2l tunnel to pass dynamic routing, but not from the ASA itself.
LVL 79

Expert Comment

ID: 39708932
 Watch the Recording: Learning MySQL 5.7

MySQL 5.7 has a lot of new features. If you've dabbled with an older version of MySQL, it is definitely worth learning.


Author Comment

ID: 39751081
Hi thank you for the comments. I use only static routes in my config no routing protocols.
I attached my current config.However i changed  the route inside rules(route inside 1,route inside 1) with the rules below :
route inside tunneled
route inside tunneled
route inside tunneled is vlan1 native is vlan2 is vlan3
is split tunnel still enabled with the rules?
Can you explain the use of the route inside tunneled rules?
LVL 79

Expert Comment

ID: 39751294
when you set up the VPN crypto/dynmap you have to include the IP ranges in the negotiation, you would not use any static routes.

Not sure what you are trying to do, but the static routes you have seem to be default routes that are being loadbalanced via tunnel

run show ip route

Presumably you removed the ipsec tunnelling the peers

VLAN usually means local

Do you have three locations that you would like to be able to communicate amongst each other and each location have the capacity to access any other location.

I.e. you have a HUB and SPOKE setup and want the spokes to be able to communicate?

A <=> HQ
B<=> HQ
C <=> HQ

A<=HQ=>B i.e. a system on A can ping

Author Comment

ID: 39758908
Hello Arnold,
object-group network LOCAL-LAN are the subnets at my office: = VLAN1 VLAN2 = VLAN3
intervlan routing is enabled.

object-group network REMOTE-LAN are the subnets at the remote site (Headquarter).
My subnets needs to access the remote subnets.
It used to work (ping from my subnets to the remote subnets) but suddenly after a couple of hours i noticed that vlan2 ( lost internet access? I will also investigate if a vlan2 member can still ping the remote subnets. The clients in vlan1 had still internet access at that time.Could it be that there is no split tunnel for internet traffic for vlan2 and3 with my config?
My rules concerning the VPN are below,

object-group network LOCAL-LAN

object-group network REMOTE-LAN

access-list NONAT extended permit ip object-group LOCAL-LAN object-group REMOTE-LAN
access-list CRYPTO-BRANCH extended permit ip object-group LOCAL-LAN object-group REMOTE-LAN

nat (inside) 0 access-list NONAT

crypto ipsec security-association lifetime seconds 3600
crypto ipsec transform-set VPNSET esp-3des esp-md5-hmac
crypto map VPNMAP 1 match address CRYPTO-BRANCH
crypto map VPNMAP 1 set peer "WAN IP REMOTE OFFICE"
crypto map VPNMAP 1 set transform-set VPNSET
crypto map VPNMAP interface outside
crypto isakmp enable outside                  
crypto isakmp policy 10                        
 authentication pre-share                      
 encryption 3des                      
 hash md5                                      
 group 2                              
 lifetime 1440                                

 tunnel-group "WAN IP REMOTE OFFICE" type ipsec-l2l    
 tunnel-group "WAN IP REMOTE OFFICE" ipsec-attributes  
  pre-shared-key temil_987_hk

route inside tunneled
route inside tunneled
route inside tunneled

I believe that i need to remove the rules below because the rule access-list NONAT extended permit ip object-group LOCAL-LAN object-group REMOTE-LAN is enough to make my traffic flow to the remote site?
route inside tunneled
route inside tunneled
route inside tunneled
LVL 79

Accepted Solution

arnold earned 500 total points
ID: 39759371
You need to have the VLAN1,2,3 in an access-list that are part of the VPN configuration

vlan1 to vlan2 and
vlan2 to vlan3 and

and those access-lists will be part of the crypto, match-address <access-list>

the static routes are unnecessary.
you can use sysopt and same-security-traffic to grant whole sale inter/intra VPN access or you have to use access lists to limit the exposure of each side from affects of another.

show crypto

ipsec sa
iskamp sa

you are looking at the networks reflected as interesting traffic.

Here is an example of a two location VPN with comments that may help you.

Author Comment

ID: 39793872
Arnold,thank you for the help
the problem is related to the Cisco access point ,the firewall configuration is working fine

Featured Post

Want Experts Exchange at your fingertips?

With Experts Exchange’s latest app release, you can now experience our most recent features, updates, and the same community interface while on-the-go. Download our latest app release at the Android or Apple stores today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is a collection of issues that people face from time to time and possible solutions to those issues. I hope you enjoy reading it.
During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
Internet Business Fax to Email Made Easy - With  eFax Corporate (, you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …
Suggested Courses
Course of the Month9 days, 1 hour left to enroll

615 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question