07-23-2008 07:27 AM - edited 02-21-2020 03:50 PM
Hi,
I have a VPN on a DSL line on a remote office which connects to a Cisco ASA where our HQ is. The VPN works fine but any internet page requests go over the VPN to the HQ. I would prefer if possible to use the router's DSL/ISP to do the internet page requests, freeing up the tunnel, like splitting the traffic.
Is this possible?
07-23-2008 07:30 AM
The following line describes traffic you want to go over the tunnel. Currently it is set to any.
access-list 101 permit ip 172.19.12.0 0.0.0.255 any
Change that to reflect the remote network only.
access-list 101 permit ip 172.19.12.0 0.0.0.255
07-23-2008 07:42 AM
I see, this defines this ACL allowed Crypto traffic. Will I have to add any routes or amend the current default route?
07-23-2008 09:34 AM
The crypto map associates a crypto ACL with a peer (crypto endpoint).
If the crypto ACL specifies the specific address space that is behind a peer (i.e.: not using keyword "any"), then your endpoint knows which peer to forward traffic to, in order to reach that address space.
07-23-2008 11:55 AM
I tried:
access-list 101 permit ip 172.19.12.0 0.0.0.255 any
Change that to reflect the remote network only.
access-list 101 permit ip 172.19.12.0 0.0.0.255 192.168.21.0 0.0.0.255
Now I can still access the servers, but no longer get internet access.
07-23-2008 12:18 PM
conf t
interface Vlan1
ip nat inside
interface Dialer1
ip nat outside
ip access-list ext NAT
deny ip host 172.19.12.1 any
deny ip 172.19.12.0 0.0.0.255 remote-vpn-nets
permit ip 172.19.12.0 0.0.0.255 any
ip nat inside source list NAT interface Dialer1 overload
ip address 172.19.12.1 255.255.255.0
07-24-2008 10:15 AM
Thanks, do I have to reference "remote-vpn-nets" or list every subnet somewhere?
eg:
deny ip 172.19.12.0 0.0.0.255 192.168.30.0 0.0.0.255
deny ip 172.19.12.0 0.0.0.255 192.168.40.0 0.0.0.255
etc?
Plus do I need anything else with "ip address 172.19.12.1 255.255.255.0" as this is already under VLAN 1?
Cheers
07-24-2008 10:22 AM
You have crypto ACL
access-list 101 permit ip 172.19.12.0 0.0.0.255 192.168.21.0 0.0.0.255
You should exclude your VPN traffic from the NAT
conf t
interface Vlan1
ip nat inside
interface Dialer1
ip nat outside
ip access-list ext NAT
deny ip host 172.19.12.1 any
deny ip 172.19.12.0 0.0.0.255 192.168.21.0 0.0.0.255
permit ip 172.19.12.0 0.0.0.255 any
ip nat inside source list NAT interface Dialer1 overload
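An added example (not code from the thread or from Cisco) that models why the NAT exemption in the answer above is needed. It assumes the IOS inside-to-outside order of operations, in which NAT runs before the crypto-map check, so a source address translated to the Dialer1 address no longer matches crypto ACL 101; the original setup is assumed to have had no NAT at all, and the Dialer1 public address 203.0.113.10 is constructed.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")          # Cisco "any" as network/wildcard
DIALER1_IP = "203.0.113.10"                    # constructed public address on Dialer1


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard-mask match: wildcard bits set to 1 are 'don't care' bits."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_lookup(acl, src, dst):
    """First-match evaluation with the implicit deny at the end of every ACL."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"


# Constructed ACLs mirroring the thread: (action, src, src-wildcard, dst, dst-wildcard).
CRYPTO_ANY = [("permit", "172.19.12.0", "0.0.0.255", *ANY)]
CRYPTO_SPLIT = [("permit", "172.19.12.0", "0.0.0.255", "192.168.21.0", "0.0.0.255")]
NAT_NO_EXEMPT = [("permit", "172.19.12.0", "0.0.0.255", *ANY)]
NAT_EXEMPT = [
    ("deny", "172.19.12.1", "0.0.0.0", *ANY),                           # the router itself
    ("deny", "172.19.12.0", "0.0.0.255", "192.168.21.0", "0.0.0.255"),  # VPN traffic: skip NAT
    ("permit", "172.19.12.0", "0.0.0.255", *ANY),                       # everything else: PAT
]


def forward(src, dst, crypto_acl, nat_acl):
    """Classify a LAN packet leaving via Dialer1. Modelled IOS order: NAT first,
    then the crypto-map check, so a translated source no longer matches the
    crypto ACL and the packet leaves the DSL line unencrypted."""
    translated = acl_lookup(nat_acl, src, dst) == "permit"
    if translated:
        src = DIALER1_IP
    if acl_lookup(crypto_acl, src, dst) == "permit":
        return "tunnel"
    return "internet-translated" if translated else "internet-cleartext"


if __name__ == "__main__":
    for name, c, n in [("original (crypto any, no NAT)", CRYPTO_ANY, []),
                       ("split, no NAT exemption", CRYPTO_SPLIT, NAT_NO_EXEMPT),
                       ("split + NAT exemption", CRYPTO_SPLIT, NAT_EXEMPT)]:
        for dst in ("192.168.21.5", "198.51.100.7"):
            print(f"{name:30} -> {dst:14} {forward('172.19.12.50', dst, c, n)}")
```

The middle scenario is the one to watch for: with the narrowed crypto ACL but no NAT deny line, traffic for 192.168.21.0/24 is translated and sent to the ISP in the clear instead of into the tunnel.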