antwerp2007
asked on
split tunnel settings cisco asa site to site vpn
Hi, are there split tunnel settings for a site-to-site VPN tunnel, or is this enabled by default?
If not, please provide the CLI rules to enable it. Thank you
Arnold has it correct. A LAN-to-LAN tunnel doesn't have a "split tunnel" per se, but the crypto ACL which defines the interesting traffic is essentially the same concept, with the exception that it also specifies the sources as well as the destinations (whereas remote access always assumes that the client is the source and everything else defined is a destination).
Arnold - would you be able to expand on your last statement about VPN with routing as I've never seen an ASA do dynamic routing across a VPN. I've seen GRE tunnels built over an l2l tunnel to pass dynamic routing, but not from the ASA itself.
Rauenpc, an example directly from Cisco:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804acfea.shtml
ASKER
Hi, thank you for the comments. I use only static routes in my config, no routing protocols.
I attached my current config. However, I changed the route inside rules (route inside 10.73.11.0 255.255.255.0 10.73.11.10 1, route inside 10.73.12.0 255.255.255.0 10.73.12.10 1) to the rules below:
route inside 0.0.0.0 0.0.0.0 10.73.10.0 tunneled
route inside 0.0.0.0 0.0.0.0 10.73.11.0 tunneled
route inside 0.0.0.0 0.0.0.0 10.73.12.0 tunneled
10.73.10.0 is vlan1 native
10.73.11.0 is vlan2
10.73.12.0 is vlan3
Is split tunnel still enabled with the rules?
Can you explain the use of the route inside tunneled rules?
configASA1-XPERTS.txt
When you set up the VPN crypto/dynmap you have to include the IP ranges in the negotiation; you would not use any static routes.
Not sure what you are trying to do, but the static routes you have seem to be default routes that are being load-balanced via the tunnel.
Run show ip route.
Presumably you removed the IPsec tunnelling the peers.
VLAN usually means local.
Do you have three locations that you would like to be able to communicate amongst each other, with each location having the capacity to access any other location?
I.e. you have a hub and spoke setup and want the spokes to be able to communicate?
A <=> HQ
B <=> HQ
C <=> HQ
A <= HQ => B, i.e. a system on A (10.73.10.2) can ping 10.73.11.2
ASKER
Hello Arnold,
object-group network LOCAL-LAN contains the subnets at my office:
10.73.10.0 = VLAN1
10.73.11.0 = VLAN2
10.73.12.0 = VLAN3
Inter-VLAN routing is enabled.
object-group network REMOTE-LAN contains the subnets at the remote site (headquarters).
My subnets need to access the remote subnets.
It used to work (ping from my subnets to the remote subnets), but suddenly, after a couple of hours, I noticed that VLAN2 (10.73.11.0/24) lost internet access. I will also investigate whether a VLAN2 member can still ping the remote subnets. The clients in VLAN1 still had internet access at that time. Could it be that there is no split tunnel for internet traffic for VLAN2 and VLAN3 with my config?
My rules concerning the VPN are below:
object-group network LOCAL-LAN
 network-object 10.73.10.0 255.255.255.0
 network-object 10.73.11.0 255.255.255.0
 network-object 10.73.12.0 255.255.255.0
object-group network REMOTE-LAN
 network-object 172.28.0.0 255.255.0.0
 network-object 10.30.250.0 255.255.255.0
 network-object 10.30.252.0 255.255.255.0
 network-object 10.28.0.0 255.255.0.0
 network-object 10.132.0.0 255.255.0.0
 network-object 10.30.14.0 255.255.255.0
 network-object 10.30.52.0 255.255.254.0
access-list NONAT extended permit ip object-group LOCAL-LAN object-group REMOTE-LAN
access-list CRYPTO-BRANCH extended permit ip object-group LOCAL-LAN object-group REMOTE-LAN
nat (inside) 0 access-list NONAT
crypto ipsec security-association lifetime seconds 3600
crypto ipsec transform-set VPNSET esp-3des esp-md5-hmac
crypto map VPNMAP 1 match address CRYPTO-BRANCH
crypto map VPNMAP 1 set peer "WAN IP REMOTE OFFICE"
crypto map VPNMAP 1 set transform-set VPNSET
crypto map VPNMAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 1440
tunnel-group "WAN IP REMOTE OFFICE" type ipsec-l2l
tunnel-group "WAN IP REMOTE OFFICE" ipsec-attributes
 pre-shared-key temil_987_hk
route inside 0.0.0.0 0.0.0.0 10.73.10.0 tunneled
route inside 0.0.0.0 0.0.0.0 10.73.11.0 tunneled
route inside 0.0.0.0 0.0.0.0 10.73.12.0 tunneled
I believe that I need to remove the rules below, because the rule access-list NONAT extended permit ip object-group LOCAL-LAN object-group REMOTE-LAN is enough to make my traffic flow to the remote site?
route inside 0.0.0.0 0.0.0.0 10.73.10.0 tunneled
route inside 0.0.0.0 0.0.0.0 10.73.11.0 tunneled
route inside 0.0.0.0 0.0.0.0 10.73.12.0 tunneled
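As an added example (not code from the thread, and Python rather than ASA CLI), the following re-implements the object-group and crypto-ACL matching from the config above, to show that a flow enters the L2L tunnel only when it matches CRYPTO-BRANCH; everything else, such as a VLAN2 host going to the internet, is routed normally. It also illustrates Rauenpc's point earlier in the thread that the crypto ACL is the site-to-site equivalent of a split-tunnel list.

```python
# Added example (not from the thread): which flows does the posted crypto ACL tunnel?
import ipaddress
import re

# Excerpt of the asker's posted config; only the object-groups and the crypto ACL matter here.
ASA_CONFIG = """\
object-group network LOCAL-LAN
 network-object 10.73.10.0 255.255.255.0
 network-object 10.73.11.0 255.255.255.0
 network-object 10.73.12.0 255.255.255.0
object-group network REMOTE-LAN
 network-object 172.28.0.0 255.255.0.0
 network-object 10.30.250.0 255.255.255.0
 network-object 10.30.252.0 255.255.255.0
 network-object 10.28.0.0 255.255.0.0
 network-object 10.132.0.0 255.255.0.0
 network-object 10.30.14.0 255.255.255.0
 network-object 10.30.52.0 255.255.254.0
access-list CRYPTO-BRANCH extended permit ip object-group LOCAL-LAN object-group REMOTE-LAN
"""

def parse_object_groups(config):
    """Map each 'object-group network' name to its list of IPv4Network entries."""
    groups, current = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"object-group network (\S+)$", line):
            current = groups.setdefault(m.group(1), [])
        elif (m := re.match(r"network-object (\S+) (\S+)$", line)) and current is not None:
            # ASA writes "network mask"; ipaddress wants "network/mask"
            current.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return groups

def parse_crypto_acl(config, name):
    """Return (src-group, dst-group) pairs from 'permit ip object-group A object-group B' lines."""
    pat = re.compile(rf"access-list {re.escape(name)} extended permit ip "
                     r"object-group (\S+) object-group (\S+)$")
    return [(m.group(1), m.group(2)) for m in map(pat.match, config.splitlines()) if m]

def is_interesting(src, dst, config=ASA_CONFIG, acl="CRYPTO-BRANCH"):
    """True when src->dst matches the crypto ACL, so the ASA encrypts it into the L2L tunnel.
    Anything else (e.g. a VLAN2 host to 8.8.8.8) is routed normally, which is what
    'split tunnel' means for a site-to-site tunnel: there is no separate setting to enable."""
    groups = parse_object_groups(config)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(any(s in n for n in groups[sg]) and any(d in n for n in groups[dg])
               for sg, dg in parse_crypto_acl(config, acl))

if __name__ == "__main__":
    for src, dst in [("10.73.11.2", "10.30.250.7"), ("10.73.11.2", "8.8.8.8")]:
        print(src, "->", dst, "tunnel" if is_interesting(src, dst) else "clear (not in crypto ACL)")
```

The three route inside ... tunneled lines play no part in this selection: the crypto map's match address decides what gets encrypted, while routing only decides the egress interface for the packet.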
ASKER
Arnold, thank you for the help.
The problem is related to the Cisco access point; the firewall configuration is working fine.
Regards
Location A
Local: IPA segment
Remote: IPB segment
Location B
Local: IPB segment
Remote: IPA segment
If you set up a VPN with routing (RIP, OSPF), then the split-tunnel info can be dynamically updated.