Question on VPN site-to-site split tunneling please

Unanswered Question
Jul 7th, 2007
User Badges:

Hi all

We have a vpn site-to-site with our partner company, we are the vpn client and they are the vpn server because we have 4 pcs that have been configured through our ASA 5505 firewall so that the 4 pcs can access to our partner company remotely. OK here is my question:

If I want to use the function of split tunneling so that the 4 pcs can access the remote site and also access to the internet and our network at the same time. The cofiguration for split tunneling has to be done on the remote site not on the client site, is it correct?

Any help would be much appreciated.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Fernando_Meza Sun, 07/08/2007 - 02:56
User Badges:
  • Gold, 750 points or more

Hi .. yes that is correct .. on the client you only configure general values such vpn server ip address, group name and pre-shared key (additional username and password if using extended authentication). when the vpn client contacts the vpn server and these parameters are successfully negotiated, then the vpn server pushes the rest of the configuration to the vpn client.

In summary those changes need to be performed at the vpn server site. Assuming you already have Internet access from behind your ASA5505 when the tunnel is not active .. then no further changes need to be performed on your firewall.

I hope it helps ... please rte it if it does !!!

cal060307 Sun, 07/08/2007 - 15:01
User Badges:

Thanks a lot for your reply.

So if I want to configure the split tunneling it has to be done on the remote or VPN server.

Hhhuummm!!! it is not in my control. I have to contact the IT guy from the VPN server.

I thought since site-to-site VPN we can do at both ends.

Anyway once again thanks a lot for your help.

srue Mon, 07/09/2007 - 04:49
User Badges:
  • Blue, 1500 points or more

If this is a site-to-site VPN, just look at how your crypto ACL's are configured on your 5505. Only the traffic defined by those will go across the tunnel, everything else exits the ASA per the device policy.

If you are using EZVPN, then yes, split tunneling is controlled at the other site.

cal060307 Tue, 07/10/2007 - 02:22
User Badges:


yes it is site-to-site VPN, so you are saying I could do the split tunneling from my end to allow those 4 pcs to have both access i.e. internet and resourse from the remote VPN. Please confirm it, so that I can do research how to configure Split tunneling on site-to-site VPN.

Thanks a lot


This Discussion