Can a Cisco ASA Site-to-site VPN configuration use split-tunneling ?

Hi all -

I have a pair of Cisco ASA 5505s at two different physical locations and I'd like to setup a site-to-site VPN between them.  I am not knowledgeable with CLI but I know my way around ASDM fairly well. When I use the IPSec VPN Wizard in ASDM, I can easily get the two sites talking to each other through the VPN tunnel. But, when I do so the users at each end lose their Internet access.

I am almost certain this is some kind of NAT issue. My best guess based on my own knowledge and some searching is that traffic coming from the inside interface intended for the Internet is not being NAT'ed to the outside interface.  if this were a remote user VPN with client software, I could setup split-tunneling. But, I'm not sure if that option exists for site-to-site VPNs.

Is there a way I can get around this problem and still use ASDM to configure my tunnel?

Any help would be greatly appreciated.  Thanks.
Chris CollinsOwnerAsked:
Who is Participating?
max_the_kingConnect With a Mentor Commented:
please try this:

no nat (inside) 1
nat (inside) 1

it should work.

After testing, you may want to do the same thing on the opposite ASA, with its corresponding internal vlan.

hope this helps
Patrick BogersDatacenter platform engineer LindowsCommented:

Not sure if NATTING is the problem. Sounds more like a forgotten ACL, connection profile or policy.
Have a look at this link which is troubleshooting your issue picture by picture.

Can you post your sanitized configs. You may be missing something, check your crypto maps.
Worried about phishing attacks?

90% of attacks start with a phish. It’s critical that IT admins and MSSPs have the right security in place to protect their end users from these phishing attacks. Check out our latest feature brief for tips and tricks to keep your employees off a hackers line!

Chris CollinsOwnerAuthor Commented:
OK, I will take a look at the link provided by Patricksr1972 and, when I begin working on this again later today, I'll see if I can get the configuration as perIruiz52.  I'm not real comfortable in the CLi . . . would sh config be the correct command to get what you suggested?

Patrick BogersDatacenter platform engineer LindowsCommented:
Sh run would do the trick
When you configure site-to-site VPN, you specify networks between which the traffic should be encrypted. This is called interesting traffic. It's very similar to functionality of split tunnel config.

I believe the problem is not with NAT but with your ACLs for interesting traffic. Don't use keyword "any" in them, be specific. For example, if your local network is and remote is, your ACL should look like this:
access-list 100 extended permit ip
Chris CollinsOwnerAuthor Commented:
Sorry it took so long. Here is the running configuration from one of the ASA 5505s:

: Saved
ASA Version 8.2(5)
hostname lazboyasa
enable password 8hTuyGMy7T3EgFE/ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address
boot system disk0:/asa824-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
access-list outside_1_cryptomap extended permit ip
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip any
access-list capout extended permit udp host host eq isakmp
access-list capout extended permit udp host eq isakmp host
access-list outside_access_in extended permit tcp any interface outside eq telnet
access-list outside_2_cryptomap extended permit ip
access-list outside_3_cryptomap extended permit ip
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
static (inside,outside) tcp interface telnet telnet netmask
access-group outside_access_in in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs group1
crypto map outside_map 3 set peer
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet inside
telnet timeout 60
ssh inside
ssh outside
ssh timeout 15
console timeout 0
management-access inside
dhcpd auto_config outside
dhcpd address inside
dhcpd dns interface inside
dhcpd enable inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy lazboyLR internal
group-policy lazboyLR attributes
 vpn-idle-timeout none
 vpn-session-timeout none
username admin password SVK6WmtHMumVI2iT encrypted privilege 15
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
 pre-shared-key *****
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
 pre-shared-key *****
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
 pre-shared-key *****
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
 profile CiscoTAC-1
  no active
  destination address http
  destination address email
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
: end
Chris CollinsOwnerAuthor Commented:
Sorry for the delay in replying. This issue arose while I was traveling on business and I have just returned.  Thank you for all the excellent suggestions.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.