split tunnel settings cisco asa site to site vpn

Posted on 2013-12-09
Last Modified: 2014-01-20
Hi,are there split tunnel settings for a site-to-site vpn tunnel or is this enabled by default?
If not please provide the cli rules to enable it.Thank you
Question by:antwerp2007
  • 4
  • 3
LVL 77

Expert Comment

ID: 39707810
It is enabled by default through the definition of the interesting traffic of the VPN
Location A
Local: IPA segment
Remote: IPB segment

Location B
Local: IPB segment
Remote: IPA segment

If you setup a VPN with routing (rip,ospf) then the split-tunnel info can be dynamically updated.
LVL 20

Expert Comment

ID: 39708680
Arnold has it correct. A lan to lan tunnel doesn't have a "split tunnel" per se, but the crypto acl which defines the interesting traffic essentially the same concept which the exception that it also specifies the sources as well as destinations (whereas remote access always assumes that the client is the source and everything else defined is a destination).

Arnold - would you be able to expand on your last statement about VPN with routing as I've never seen an ASA do dynamic routing across a VPN. I've seen GRE tunnels built over an l2l tunnel to pass dynamic routing, but not from the ASA itself.
LVL 77

Expert Comment

ID: 39708932
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.


Author Comment

ID: 39751081
Hi thank you for the comments. I use only static routes in my config no routing protocols.
I attached my current config.However i changed  the route inside rules(route inside 1,route inside 1) with the rules below :
route inside tunneled
route inside tunneled
route inside tunneled is vlan1 native is vlan2 is vlan3
is split tunnel still enabled with the rules?
Can you explain the use of the route inside tunneled rules?
LVL 77

Expert Comment

ID: 39751294
when you set up the VPN crypto/dynmap you have to include the IP ranges in the negotiation, you would not use any static routes.

Not sure what you are trying to do, but the static routes you have seem to be default routes that are being loadbalanced via tunnel

run show ip route

Presumably you removed the ipsec tunnelling the peers

VLAN usually means local

Do you have three locations that you would like to be able to communicate amongst each other and each location have the capacity to access any other location.

I.e. you have a HUB and SPOKE setup and want the spokes to be able to communicate?

A <=> HQ
B<=> HQ
C <=> HQ

A<=HQ=>B i.e. a system on A can ping

Author Comment

ID: 39758908
Hello Arnold,
object-group network LOCAL-LAN are the subnets at my office: = VLAN1 VLAN2 = VLAN3
intervlan routing is enabled.

object-group network REMOTE-LAN are the subnets at the remote site (Headquarter).
My subnets needs to access the remote subnets.
It used to work (ping from my subnets to the remote subnets) but suddenly after a couple of hours i noticed that vlan2 ( lost internet access? I will also investigate if a vlan2 member can still ping the remote subnets. The clients in vlan1 had still internet access at that time.Could it be that there is no split tunnel for internet traffic for vlan2 and3 with my config?
My rules concerning the VPN are below,

object-group network LOCAL-LAN

object-group network REMOTE-LAN

access-list NONAT extended permit ip object-group LOCAL-LAN object-group REMOTE-LAN
access-list CRYPTO-BRANCH extended permit ip object-group LOCAL-LAN object-group REMOTE-LAN

nat (inside) 0 access-list NONAT

crypto ipsec security-association lifetime seconds 3600
crypto ipsec transform-set VPNSET esp-3des esp-md5-hmac
crypto map VPNMAP 1 match address CRYPTO-BRANCH
crypto map VPNMAP 1 set peer "WAN IP REMOTE OFFICE"
crypto map VPNMAP 1 set transform-set VPNSET
crypto map VPNMAP interface outside
crypto isakmp enable outside                  
crypto isakmp policy 10                        
 authentication pre-share                      
 encryption 3des                      
 hash md5                                      
 group 2                              
 lifetime 1440                                

 tunnel-group "WAN IP REMOTE OFFICE" type ipsec-l2l    
 tunnel-group "WAN IP REMOTE OFFICE" ipsec-attributes  
  pre-shared-key temil_987_hk

route inside tunneled
route inside tunneled
route inside tunneled

I believe that i need to remove the rules below because the rule access-list NONAT extended permit ip object-group LOCAL-LAN object-group REMOTE-LAN is enough to make my traffic flow to the remote site?
route inside tunneled
route inside tunneled
route inside tunneled
LVL 77

Accepted Solution

arnold earned 500 total points
ID: 39759371
You need to have the VLAN1,2,3 in an access-list that are part of the VPN configuration

vlan1 to vlan2 and
vlan2 to vlan3 and

and those access-lists will be part of the crypto, match-address <access-list>

the static routes are unnecessary.
you can use sysopt and same-security-traffic to grant whole sale inter/intra VPN access or you have to use access lists to limit the exposure of each side from affects of another.

show crypto

ipsec sa
iskamp sa

you are looking at the networks reflected as interesting traffic.

Here is an example of a two location VPN with comments that may help you.

Author Comment

ID: 39793872
Arnold,thank you for the help
the problem is related to the Cisco access point ,the firewall configuration is working fine

Featured Post

Free Tool: Postgres Monitoring System

A PHP and Perl based system to collect and display usage statistics from PostgreSQL databases.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Fiber optic multimode cable issue 6 57
QoS for Voip 7 56
Connect two buildings 6 51
Import AD groups from one domain to another 9 33
#Citrix #Citrix Netscaler #HTTP Compression #Load Balance
For many of us, the  holiday season kindles the natural urge to give back to our friends, family members and communities. While it's easy for friends to notice the impact of such deeds, understanding the contributions of businesses and enterprises i…
Here's a very brief overview of the methods PRTG Network Monitor ( offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor ( If you're interested in additional methods for monitoring bandwidt…

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question