Solved

split tunnel settings cisco asa site to site vpn

Posted on 2013-12-09
8
1,816 Views
Last Modified: 2014-01-20
Hi,are there split tunnel settings for a site-to-site vpn tunnel or is this enabled by default?
If not please provide the cli rules to enable it.Thank you
0
Comment
Question by:antwerp2007
  • 4
  • 3
8 Comments
 
LVL 76

Expert Comment

by:arnold
ID: 39707810
It is enabled by default through the definition of the interesting traffic of the VPN
Location A
Local: IPA segment
Remote: IPB segment

Location B
Local: IPB segment
Remote: IPA segment

If you setup a VPN with routing (rip,ospf) then the split-tunnel info can be dynamically updated.
0
 
LVL 20

Expert Comment

by:rauenpc
ID: 39708680
Arnold has it correct. A lan to lan tunnel doesn't have a "split tunnel" per se, but the crypto acl which defines the interesting traffic essentially the same concept which the exception that it also specifies the sources as well as destinations (whereas remote access always assumes that the client is the source and everything else defined is a destination).

Arnold - would you be able to expand on your last statement about VPN with routing as I've never seen an ASA do dynamic routing across a VPN. I've seen GRE tunnels built over an l2l tunnel to pass dynamic routing, but not from the ASA itself.
0
 
LVL 76

Expert Comment

by:arnold
ID: 39708932
0
 
LVL 1

Author Comment

by:antwerp2007
ID: 39751081
Hi thank you for the comments. I use only static routes in my config no routing protocols.
I attached my current config.However i changed  the route inside rules(route inside 10.73.11.0 255.255.255.0 10.73.11.10 1,route inside 10.73.12.0 255.255.255.0 10.73.12.10 1) with the rules below :
route inside 0.0.0.0 0.0.0.0 10.73.10.0 tunneled
route inside 0.0.0.0 0.0.0.0 10.73.11.0 tunneled
route inside 0.0.0.0 0.0.0.0 10.73.12.0 tunneled

10.73.10.0 is vlan1 native
10.73.11.0 is vlan2
10.73.12.0 is vlan3
is split tunnel still enabled with the rules?
Can you explain the use of the route inside tunneled rules?
configASA1-XPERTS.txt
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 76

Expert Comment

by:arnold
ID: 39751294
when you set up the VPN crypto/dynmap you have to include the IP ranges in the negotiation, you would not use any static routes.


Not sure what you are trying to do, but the static routes you have seem to be default routes that are being loadbalanced via tunnel

run show ip route

Presumably you removed the ipsec tunnelling the peers

VLAN usually means local

Do you have three locations that you would like to be able to communicate amongst each other and each location have the capacity to access any other location.

I.e. you have a HUB and SPOKE setup and want the spokes to be able to communicate?

A <=> HQ
B<=> HQ
C <=> HQ

A<=HQ=>B i.e. a system on A 10.73.10.2 can ping 10.73.11.2
0
 
LVL 1

Author Comment

by:antwerp2007
ID: 39758908
Hello Arnold,
object-group network LOCAL-LAN are the subnets at my office:
10.73.10.0 = VLAN1
10.73.11.0= VLAN2
10.73.12.0 = VLAN3
intervlan routing is enabled.

object-group network REMOTE-LAN are the subnets at the remote site (Headquarter).
My subnets needs to access the remote subnets.
It used to work (ping from my subnets to the remote subnets) but suddenly after a couple of hours i noticed that vlan2 (10.73.11.0/24) lost internet access? I will also investigate if a vlan2 member can still ping the remote subnets. The clients in vlan1 had still internet access at that time.Could it be that there is no split tunnel for internet traffic for vlan2 and3 with my config?
My rules concerning the VPN are below,


object-group network LOCAL-LAN
 network-object 10.73.10.0 255.255.255.0
 network-object 10.73.11.0 255.255.255.0
 network-object 10.73.12.0 255.255.255.0
 

object-group network REMOTE-LAN
 network-object 172.28.0.0 255.255.0.0
 network-object 10.30.250.0 255.255.255.0
 network-object 10.30.252.0 255.255.255.0
 network-object 10.28.0.0 255.255.0.0
 network-object 10.132.0.0 255.255.0.0
 network-object 10.30.14.0 255.255.255.0
 network-object 10.30.52.0 255.255.254.0

access-list NONAT extended permit ip object-group LOCAL-LAN object-group REMOTE-LAN
access-list CRYPTO-BRANCH extended permit ip object-group LOCAL-LAN object-group REMOTE-LAN

nat (inside) 0 access-list NONAT

crypto ipsec security-association lifetime seconds 3600
crypto ipsec transform-set VPNSET esp-3des esp-md5-hmac
crypto map VPNMAP 1 match address CRYPTO-BRANCH
crypto map VPNMAP 1 set peer "WAN IP REMOTE OFFICE"
crypto map VPNMAP 1 set transform-set VPNSET
crypto map VPNMAP interface outside
crypto isakmp enable outside                  
crypto isakmp policy 10                        
 authentication pre-share                      
 encryption 3des                      
 hash md5                                      
 group 2                              
 lifetime 1440                                

 tunnel-group "WAN IP REMOTE OFFICE" type ipsec-l2l    
 tunnel-group "WAN IP REMOTE OFFICE" ipsec-attributes  
  pre-shared-key temil_987_hk

route inside 0.0.0.0 0.0.0.0 10.73.10.0 tunneled
route inside 0.0.0.0 0.0.0.0 10.73.11.0 tunneled
route inside 0.0.0.0 0.0.0.0 10.73.12.0 tunneled

I believe that i need to remove the rules below because the rule access-list NONAT extended permit ip object-group LOCAL-LAN object-group REMOTE-LAN is enough to make my traffic flow to the remote site?
route inside 0.0.0.0 0.0.0.0 10.73.10.0 tunneled
route inside 0.0.0.0 0.0.0.0 10.73.11.0 tunneled
route inside 0.0.0.0 0.0.0.0 10.73.12.0 tunneled
0
 
LVL 76

Accepted Solution

by:
arnold earned 500 total points
ID: 39759371
You need to have the VLAN1,2,3 in an access-list that are part of the VPN configuration

vlan1 to vlan2 10.73.10.0 255.255.255.0 and 10.73.12.0 255.255.255.0
vlan2 to vlan3 10.73.11.0 255.255.255.0 and 10.73.10.0 255.255.255.0

and those access-lists will be part of the crypto, match-address <access-list>

the static routes are unnecessary.
you can use sysopt and same-security-traffic to grant whole sale inter/intra VPN access or you have to use access lists to limit the exposure of each side from affects of another.

show crypto

ipsec sa
iskamp sa


you are looking at the networks reflected as interesting traffic.

Here is an example of a two location VPN with comments that may help you.
http://www.cisco.com/en/US/products/ps9422/products_configuration_example09186a0080b4ae61.shtml
0
 
LVL 1

Author Comment

by:antwerp2007
ID: 39793872
Arnold,thank you for the help
the problem is related to the Cisco access point ,the firewall configuration is working fine
Regards
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

What is IRC? IRC (Internet Relay Chat) is a form of communication between multiple users. It is available freely to anyone with inernet access. IRC is a great way to communicate with others e.g. There is an IRC channel for Ubuntu Linux, which is fo…
If your business is like most, chances are you still need to maintain a fax infrastructure for your staff. It’s hard to believe that a communication technology that was thriving in the mid-80s could still be an essential part of your team’s modern I…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now