Can a Cisco ASA site-to-site VPN configuration use split-tunneling?

Posted on 2016-09-25
Last Modified: 2016-10-11
Hi all -

I have a pair of Cisco ASA 5505s at two different physical locations and I'd like to set up a site-to-site VPN between them. I am not knowledgeable with the CLI, but I know my way around ASDM fairly well. When I use the IPsec VPN Wizard in ASDM, I can easily get the two sites talking to each other through the VPN tunnel. But when I do so, the users at each end lose their Internet access.

I am almost certain this is some kind of NAT issue. My best guess, based on my own knowledge and some searching, is that traffic coming from the inside interface intended for the Internet is not being NAT'ed to the outside interface. If this were a remote-user VPN with client software, I could set up split-tunneling. But I'm not sure if that option exists for site-to-site VPNs.

Is there a way I can get around this problem and still use ASDM to configure my tunnel?

Any help would be greatly appreciated. Thanks.
Question by: Chris Collins

Expert Comment

by: Patrick Bogers
ID: 41815381

Not sure if NATting is the problem. It sounds more like a forgotten ACL, connection profile or policy.
Have a look at this link, which troubleshoots your issue picture by picture.


Expert Comment

ID: 41815399
Can you post your sanitized configs. You may be missing something, check your crypto maps.

Author Comment

by: Chris Collins
ID: 41815972
OK, I will take a look at the link provided by Patricksr1972 and, when I begin working on this again later today, I'll see if I can get the configuration as per Iruiz52. I'm not really comfortable in the CLI . . . would sh config be the correct command to get what you suggested?


Expert Comment

by: Patrick Bogers
ID: 41815988
sh run would do the trick.

Expert Comment

ID: 41816066
When you configure a site-to-site VPN, you specify the networks between which the traffic should be encrypted. This is called interesting traffic. It's very similar to the functionality of a split-tunnel config.

I believe the problem is not with NAT but with your ACLs for interesting traffic. Don't use keyword "any" in them, be specific. For example, if your local network is and remote is, your ACL should look like this:
access-list 100 extended permit ip

Author Comment

by: Chris Collins
ID: 41817054
Sorry it took so long. Here is the running configuration from one of the ASA 5505s:

: Saved
ASA Version 8.2(5)
hostname lazboyasa
enable password 8hTuyGMy7T3EgFE/ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address
boot system disk0:/asa824-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
access-list outside_1_cryptomap extended permit ip
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip any
access-list capout extended permit udp host host eq isakmp
access-list capout extended permit udp host eq isakmp host
access-list outside_access_in extended permit tcp any interface outside eq telnet
access-list outside_2_cryptomap extended permit ip
access-list outside_3_cryptomap extended permit ip
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
static (inside,outside) tcp interface telnet telnet netmask
access-group outside_access_in in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs group1
crypto map outside_map 3 set peer
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet inside
telnet timeout 60
ssh inside
ssh outside
ssh timeout 15
console timeout 0
management-access inside
dhcpd auto_config outside
dhcpd address inside
dhcpd dns interface inside
dhcpd enable inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy lazboyLR internal
group-policy lazboyLR attributes
 vpn-idle-timeout none
 vpn-session-timeout none
username admin password SVK6WmtHMumVI2iT encrypted privilege 15
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
 pre-shared-key *****
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
 pre-shared-key *****
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
 pre-shared-key *****
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
: end

Accepted Solution

max_the_king earned 2000 total points
ID: 41817653
Please try this:

no nat (inside) 1
nat (inside) 1

It should work.

After testing, you may want to do the same thing on the opposite ASA, with its corresponding internal VLAN.

Hope this helps.
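Added example, not part of the thread and not Cisco's code: the two things the replies above point at, the nat 0 exemption ACL that must mirror the crypto map's interesting-traffic ACL (the LVL 14 comment) and the `nat (inside) 1` statement the accepted answer has you re-enter, can be checked mechanically against an 8.2-style `show run`. The sample config below is constructed to mirror the posted one, with assumed RFC1918 addresses standing in for the sanitized ones. The script parses the extended ACLs, the nat 0 / nat 1 statements and the crypto map match lines, then flags a nat 0 entry whose destination is `any` (on 8.2 the exemption wins over `nat 1` / `global`, so every inside flow leaves without PAT and Internet traffic dies, which is the symptom in the question; note that the posted config's third `inside_nat0_outbound` entry does end in `any`), a crypto-map entry with no matching exemption, and a `nat (inside) 1` rule that does not cover the inside subnet.

```python
"""Lint an ASA 8.2-style running config for the NAT / site-to-site VPN
interplay discussed in the thread.  Added example, not code from the thread."""
import ipaddress

ANY = "any"

# Constructed sample modelled on the posted 8.2(5) config.  The addresses are
# assumed RFC1918 values; the real ones were sanitized out of the post.
BROKEN_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 any
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.0.0.0 255.255.255.0
crypto map outside_map 1 match address outside_1_cryptomap
"""

# The same device with the two fixes applied: the catch-all exemption removed
# and the PAT rule pointed at the real inside subnet.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 any\n", ""
).replace("nat (inside) 1 10.0.0.0 255.255.255.0", "nat (inside) 1 192.168.1.0 255.255.255.0")


def _operand(tokens):
    """Consume one ACL address operand ('any', 'host X', or 'NET MASK')."""
    if tokens[0] == ANY:
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse(config):
    """Pull out the pieces the VPN/NAT check needs from an 8.2 'show run'."""
    cfg = {"acls": {}, "nat0": None, "pat": [], "crypto_acls": [], "inside": None}
    cur_if = None
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "interface":
            cur_if = None
        elif line.startswith(" nameif"):
            cur_if = t[1]
        elif line.startswith(" ip address") and cur_if == "inside":
            cfg["inside"] = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
        elif t[:1] == ["access-list"] and t[2:5] == ["extended", "permit", "ip"]:
            src, rest = _operand(t[5:])
            dst, _ = _operand(rest)
            cfg["acls"].setdefault(t[1], []).append((src, dst))
        elif t[:3] == ["nat", "(inside)", "0"]:
            cfg["nat0"] = t[4]                      # name of the exemption ACL
        elif t[:3] == ["nat", "(inside)", "1"]:
            cfg["pat"].append(ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False))
        elif t[:2] == ["crypto", "map"] and "match" in t:
            cfg["crypto_acls"].append(t[-1])        # interesting-traffic ACL
    return cfg


def lint(config):
    """Return a list of findings; an empty list means NAT and VPN agree."""
    cfg = parse(config)
    findings = []
    nat0 = cfg["acls"].get(cfg["nat0"], [])
    encrypted = [e for name in cfg["crypto_acls"] for e in cfg["acls"].get(name, [])]
    # 1. A nat 0 entry ending in "any" exempts every inside flow from PAT, so
    #    Internet-bound packets leave with private source addresses.
    for src, dst in nat0:
        if dst == ANY:
            findings.append(f"nat 0 exempts {src} -> any: Internet traffic will not be PATed")
    # 2. Each crypto-map entry needs a mirror-image nat 0 entry; otherwise the
    #    flow is PATed to the outside address and never matches the crypto ACL.
    for src, dst in encrypted:
        if (src, dst) not in nat0:
            findings.append(f"crypto ACL {src} -> {dst} has no nat 0 exemption")
    # 3. The PAT rule (nat 1 paired with 'global (outside) 1 interface') must
    #    actually cover the inside subnet, or nothing gets translated.
    if cfg["inside"] and not any(cfg["inside"].subnet_of(n) for n in cfg["pat"]):
        findings.append(f"no nat (inside) 1 rule covers inside subnet {cfg['inside']}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint(cfg) or "OK")
```

To run it against a real device, read the saved `show run` into `lint()`. The syntax it understands is 8.2-specific: 8.3 and later replaced `nat 0` / `global` with object and twice NAT, so the same mistake looks different there. On the ASA itself, `packet-tracer input inside tcp <inside-host> 12345 <public-ip> 80` shows which NAT rule an Internet-bound flow actually hits, which is the quickest way to confirm the diagnosis before editing anything.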

Author Closing Comment

by: Chris Collins
ID: 41838801
Sorry for the delay in replying. This issue arose while I was traveling on business and I have just returned. Thank you for all the excellent suggestions.
