How can I make protected traffic go over the VPN and the internet not?

jamesgonzo
Level 1

Hi,

I have a VPN on a DSL line at a remote office which connects to a Cisco ASA where our HQ is. The VPN works fine, but any internet page requests go over the VPN to the HQ. I would prefer, if possible, to use the router's DSL/ISP for the internet page requests, freeing up the tunnel, like splitting the traffic.

Is this possible?

7 Replies

acomiskey
Level 10

The following line describes traffic you want to go over the tunnel. Currently it is set to any.

access-list 101 permit ip 172.19.12.0 0.0.0.255 any

Change that to reflect the remote network only.

access-list 101 permit ip 172.19.12.0 0.0.0.255

I see, so this ACL defines the allowed crypto traffic. Will I have to add any routes or amend the current default route?

The crypto map associates a crypto ACL with a peer (crypto endpoint).

If the crypto ACL specifies the specific address space that is behind a peer (i.e.: not using keyword "any"), then your endpoint knows which peer to forward traffic to, in order to reach that address space.

I tried:

access-list 101 permit ip 172.19.12.0 0.0.0.255 any

Change that to reflect the remote network only.

access-list 101 permit ip 172.19.12.0 0.0.0.255 192.168.21.0 0.0.0.255

Now I can still access the servers, but I no longer get internet access.

a.alekseev
Level 7

conf t
!
interface Vlan1
 ! 172.19.12.1/24 is the existing LAN address on Vlan1
 ip address 172.19.12.1 255.255.255.0
 ip nat inside
!
interface Dialer1
 ip nat outside
!
! NAT ACL: deny = left untranslated (router's own LAN address and VPN-bound traffic),
! permit = translated (PAT) out of Dialer1
ip access-list extended NAT
 deny ip host 172.19.12.1 any
 ! "remote-vpn-nets" is a placeholder: one deny line per remote VPN subnet, with its wildcard mask
 deny ip 172.19.12.0 0.0.0.255 remote-vpn-nets
 permit ip 172.19.12.0 0.0.0.255 any
!
ip nat inside source list NAT interface Dialer1 overload

Thanks, do I have to reference "remote-vpn-nets" or list every subnet somewhere?

eg:

deny ip 172.19.12.0 0.0.0.255 192.168.30.0 0.0.0.255

deny ip 172.19.12.0 0.0.0.255 192.168.40.0 0.0.0.255

etc?

Plus do I need anything else with "ip address 172.19.12.1 255.255.255.0" as this is already under VLAN 1?

Cheers

You have the crypto ACL:

access-list 101 permit ip 172.19.12.0 0.0.0.255 192.168.21.0 0.0.0.255

You should exclude your VPN traffic from the NAT:

conf t
!
interface Vlan1
 ip nat inside
!
interface Dialer1
 ip nat outside
!
! NAT ACL: the deny entries must come before the permit, so that the router's own
! LAN address and the traffic matching the crypto ACL are never translated
ip access-list extended NAT
 deny ip host 172.19.12.1 any
 deny ip 172.19.12.0 0.0.0.255 192.168.21.0 0.0.0.255
 permit ip 172.19.12.0 0.0.0.255 any
!
ip nat inside source list NAT interface Dialer1 overload
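As an added illustration, not code from this thread, the following Python model shows why the NAT exemption entries matter: it evaluates Cisco wildcard-mask ACLs first-match-wins, applies NAT before the crypto map as IOS does on the inside-to-outside path, and shows that without the deny entries the HQ-bound traffic gets translated and leaves untunneled via the ISP. The Dialer1 address and the sample flows are constructed for the example.

```python
import ipaddress

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)

def parse_ace(line):
    """Parse 'permit|deny ip <src> <dst>'; each side is 'any', 'host A.B.C.D'
    or 'A.B.C.D W.W.W.W' (network plus wildcard)."""
    t = line.split()
    action, rest, sides = t[0], t[2:], []
    while rest:
        if rest[0] == "any":
            sides.append(("0.0.0.0", "255.255.255.255")); rest = rest[1:]
        elif rest[0] == "host":
            sides.append((rest[1], "0.0.0.0")); rest = rest[2:]
        else:
            sides.append((rest[0], rest[1])); rest = rest[2:]
    return action, sides[0], sides[1]

def acl_action(acl, src, dst):
    """First matching entry wins; no match is the implicit deny at the end."""
    for line in acl:
        action, (sn, sw), (dn, dw) = parse_ace(line)
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action
    return "deny"

def forward(src, dst, crypto_acl, nat_acl, dialer_ip="203.0.113.10"):
    """Model the IOS inside->outside order: NAT runs before the crypto map,
    so a translated packet is checked against the crypto ACL with its new
    source. dialer_ip is a constructed Dialer1 address (an assumption)."""
    if acl_action(nat_acl, src, dst) == "permit":
        src = dialer_ip                                  # PAT behind Dialer1
    if acl_action(crypto_acl, src, dst) == "permit":
        return "tunnel"                                  # encrypted to HQ
    return "internet-natted" if src == dialer_ip else "internet-untranslated"

# The corrected ACLs from the thread; sample flows below are constructed.
CRYPTO_ACL = ["permit ip 172.19.12.0 0.0.0.255 192.168.21.0 0.0.0.255"]
NAT_ACL = ["deny ip host 172.19.12.1 any",
           "deny ip 172.19.12.0 0.0.0.255 192.168.21.0 0.0.0.255",
           "permit ip 172.19.12.0 0.0.0.255 any"]
NAT_ACL_NO_EXEMPT = ["permit ip 172.19.12.0 0.0.0.255 any"]  # deny line missing

if __name__ == "__main__":
    for dst in ("192.168.21.10", "8.8.8.8"):
        print(dst, forward("172.19.12.5", dst, CRYPTO_ACL, NAT_ACL))
    print("no exemption:", forward("172.19.12.5", "192.168.21.10", CRYPTO_ACL, NAT_ACL_NO_EXEMPT))
```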
