split tunnel settings cisco asa site to site vpn

Posted on 2013-12-09
Last Modified: 2014-01-20
Hi,are there split tunnel settings for a site-to-site vpn tunnel or is this enabled by default?
If not please provide the cli rules to enable it.Thank you
Question by:antwerp2007
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
LVL 78

Expert Comment

ID: 39707810
It is enabled by default through the definition of the interesting traffic of the VPN
Location A
Local: IPA segment
Remote: IPB segment

Location B
Local: IPB segment
Remote: IPA segment

If you setup a VPN with routing (rip,ospf) then the split-tunnel info can be dynamically updated.
LVL 20

Expert Comment

ID: 39708680
Arnold has it correct. A lan to lan tunnel doesn't have a "split tunnel" per se, but the crypto acl which defines the interesting traffic essentially the same concept which the exception that it also specifies the sources as well as destinations (whereas remote access always assumes that the client is the source and everything else defined is a destination).

Arnold - would you be able to expand on your last statement about VPN with routing as I've never seen an ASA do dynamic routing across a VPN. I've seen GRE tunnels built over an l2l tunnel to pass dynamic routing, but not from the ASA itself.
LVL 78

Expert Comment

ID: 39708932
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!


Author Comment

ID: 39751081
Hi thank you for the comments. I use only static routes in my config no routing protocols.
I attached my current config.However i changed  the route inside rules(route inside 1,route inside 1) with the rules below :
route inside tunneled
route inside tunneled
route inside tunneled is vlan1 native is vlan2 is vlan3
is split tunnel still enabled with the rules?
Can you explain the use of the route inside tunneled rules?
LVL 78

Expert Comment

ID: 39751294
when you set up the VPN crypto/dynmap you have to include the IP ranges in the negotiation, you would not use any static routes.

Not sure what you are trying to do, but the static routes you have seem to be default routes that are being loadbalanced via tunnel

run show ip route

Presumably you removed the ipsec tunnelling the peers

VLAN usually means local

Do you have three locations that you would like to be able to communicate amongst each other and each location have the capacity to access any other location.

I.e. you have a HUB and SPOKE setup and want the spokes to be able to communicate?

A <=> HQ
B<=> HQ
C <=> HQ

A<=HQ=>B i.e. a system on A can ping

Author Comment

ID: 39758908
Hello Arnold,
object-group network LOCAL-LAN are the subnets at my office: = VLAN1 VLAN2 = VLAN3
intervlan routing is enabled.

object-group network REMOTE-LAN are the subnets at the remote site (Headquarter).
My subnets needs to access the remote subnets.
It used to work (ping from my subnets to the remote subnets) but suddenly after a couple of hours i noticed that vlan2 ( lost internet access? I will also investigate if a vlan2 member can still ping the remote subnets. The clients in vlan1 had still internet access at that time.Could it be that there is no split tunnel for internet traffic for vlan2 and3 with my config?
My rules concerning the VPN are below,

object-group network LOCAL-LAN

object-group network REMOTE-LAN

access-list NONAT extended permit ip object-group LOCAL-LAN object-group REMOTE-LAN
access-list CRYPTO-BRANCH extended permit ip object-group LOCAL-LAN object-group REMOTE-LAN

nat (inside) 0 access-list NONAT

crypto ipsec security-association lifetime seconds 3600
crypto ipsec transform-set VPNSET esp-3des esp-md5-hmac
crypto map VPNMAP 1 match address CRYPTO-BRANCH
crypto map VPNMAP 1 set peer "WAN IP REMOTE OFFICE"
crypto map VPNMAP 1 set transform-set VPNSET
crypto map VPNMAP interface outside
crypto isakmp enable outside                  
crypto isakmp policy 10                        
 authentication pre-share                      
 encryption 3des                      
 hash md5                                      
 group 2                              
 lifetime 1440                                

 tunnel-group "WAN IP REMOTE OFFICE" type ipsec-l2l    
 tunnel-group "WAN IP REMOTE OFFICE" ipsec-attributes  
  pre-shared-key temil_987_hk

route inside tunneled
route inside tunneled
route inside tunneled

I believe that i need to remove the rules below because the rule access-list NONAT extended permit ip object-group LOCAL-LAN object-group REMOTE-LAN is enough to make my traffic flow to the remote site?
route inside tunneled
route inside tunneled
route inside tunneled
LVL 78

Accepted Solution

arnold earned 500 total points
ID: 39759371
You need to have the VLAN1,2,3 in an access-list that are part of the VPN configuration

vlan1 to vlan2 and
vlan2 to vlan3 and

and those access-lists will be part of the crypto, match-address <access-list>

the static routes are unnecessary.
you can use sysopt and same-security-traffic to grant whole sale inter/intra VPN access or you have to use access lists to limit the exposure of each side from affects of another.

show crypto

ipsec sa
iskamp sa

you are looking at the networks reflected as interesting traffic.

Here is an example of a two location VPN with comments that may help you.

Author Comment

ID: 39793872
Arnold,thank you for the help
the problem is related to the Cisco access point ,the firewall configuration is working fine

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Short answer to this question: there is no effective WiFi manager in iOS devices as seen in Windows WiFi or Macbook OSx WiFi management, but this article will try and provide some amicable solutions to better suite your needs.
If your business is like most, chances are you still need to maintain a fax infrastructure for your staff. It’s hard to believe that a communication technology that was thriving in the mid-80s could still be an essential part of your team’s modern I…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor ( If you're interested in additional methods for monitoring bandwidt…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question