• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2041
  • Last Modified:

split tunnel settings cisco asa site to site vpn

Hi,are there split tunnel settings for a site-to-site vpn tunnel or is this enabled by default?
If not please provide the cli rules to enable it.Thank you
  • 4
  • 3
1 Solution
It is enabled by default through the definition of the interesting traffic of the VPN
Location A
Local: IPA segment
Remote: IPB segment

Location B
Local: IPB segment
Remote: IPA segment

If you setup a VPN with routing (rip,ospf) then the split-tunnel info can be dynamically updated.
Arnold has it correct. A lan to lan tunnel doesn't have a "split tunnel" per se, but the crypto acl which defines the interesting traffic essentially the same concept which the exception that it also specifies the sources as well as destinations (whereas remote access always assumes that the client is the source and everything else defined is a destination).

Arnold - would you be able to expand on your last statement about VPN with routing as I've never seen an ASA do dynamic routing across a VPN. I've seen GRE tunnels built over an l2l tunnel to pass dynamic routing, but not from the ASA itself.
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

antwerp2007Author Commented:
Hi thank you for the comments. I use only static routes in my config no routing protocols.
I attached my current config.However i changed  the route inside rules(route inside 1,route inside 1) with the rules below :
route inside tunneled
route inside tunneled
route inside tunneled is vlan1 native is vlan2 is vlan3
is split tunnel still enabled with the rules?
Can you explain the use of the route inside tunneled rules?
when you set up the VPN crypto/dynmap you have to include the IP ranges in the negotiation, you would not use any static routes.

Not sure what you are trying to do, but the static routes you have seem to be default routes that are being loadbalanced via tunnel

run show ip route

Presumably you removed the ipsec tunnelling the peers

VLAN usually means local

Do you have three locations that you would like to be able to communicate amongst each other and each location have the capacity to access any other location.

I.e. you have a HUB and SPOKE setup and want the spokes to be able to communicate?

A <=> HQ
B<=> HQ
C <=> HQ

A<=HQ=>B i.e. a system on A can ping
antwerp2007Author Commented:
Hello Arnold,
object-group network LOCAL-LAN are the subnets at my office: = VLAN1 VLAN2 = VLAN3
intervlan routing is enabled.

object-group network REMOTE-LAN are the subnets at the remote site (Headquarter).
My subnets needs to access the remote subnets.
It used to work (ping from my subnets to the remote subnets) but suddenly after a couple of hours i noticed that vlan2 ( lost internet access? I will also investigate if a vlan2 member can still ping the remote subnets. The clients in vlan1 had still internet access at that time.Could it be that there is no split tunnel for internet traffic for vlan2 and3 with my config?
My rules concerning the VPN are below,

object-group network LOCAL-LAN

object-group network REMOTE-LAN

access-list NONAT extended permit ip object-group LOCAL-LAN object-group REMOTE-LAN
access-list CRYPTO-BRANCH extended permit ip object-group LOCAL-LAN object-group REMOTE-LAN

nat (inside) 0 access-list NONAT

crypto ipsec security-association lifetime seconds 3600
crypto ipsec transform-set VPNSET esp-3des esp-md5-hmac
crypto map VPNMAP 1 match address CRYPTO-BRANCH
crypto map VPNMAP 1 set peer "WAN IP REMOTE OFFICE"
crypto map VPNMAP 1 set transform-set VPNSET
crypto map VPNMAP interface outside
crypto isakmp enable outside                  
crypto isakmp policy 10                        
 authentication pre-share                      
 encryption 3des                      
 hash md5                                      
 group 2                              
 lifetime 1440                                

 tunnel-group "WAN IP REMOTE OFFICE" type ipsec-l2l    
 tunnel-group "WAN IP REMOTE OFFICE" ipsec-attributes  
  pre-shared-key temil_987_hk

route inside tunneled
route inside tunneled
route inside tunneled

I believe that i need to remove the rules below because the rule access-list NONAT extended permit ip object-group LOCAL-LAN object-group REMOTE-LAN is enough to make my traffic flow to the remote site?
route inside tunneled
route inside tunneled
route inside tunneled
You need to have the VLAN1,2,3 in an access-list that are part of the VPN configuration

vlan1 to vlan2 and
vlan2 to vlan3 and

and those access-lists will be part of the crypto, match-address <access-list>

the static routes are unnecessary.
you can use sysopt and same-security-traffic to grant whole sale inter/intra VPN access or you have to use access lists to limit the exposure of each side from affects of another.

show crypto

ipsec sa
iskamp sa

you are looking at the networks reflected as interesting traffic.

Here is an example of a two location VPN with comments that may help you.
antwerp2007Author Commented:
Arnold,thank you for the help
the problem is related to the Cisco access point ,the firewall configuration is working fine

Featured Post


Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now