Local internet access when using S2S VPN

Unanswered Question
Jun 17th, 2009

I have a scenario where I have a local ASA5520 and several remote ASA5505s running a site-to-site VPN connection. Currently people will log in over the VPN connection and use the applications they need. The problem is the speed of the connection for viewing training videos. They currently have to go out the hub location's Internet connection because of the S2S. I would like to have them go out their local Internet connection to view the website and still be able to have the S2S running. Any suggestions?

robertson.michael Wed, 06/17/2009 - 12:26

Hi Michael,

You'll want to set up split tunneling so that only certain traffic is sent over the VPN tunnel and the rest uses the local Internet connection. Take a look at this configuration guide below:


The l2l_list ACL used in the example config says that all traffic from to will be encrypted and sent over the tunnel (the VPN client adds static routes to the client PC's routing table). Anything else follows the default route in the client PC's routing table, which is likely set for their local Internet connection.

Hope that helps.


cowetacoit Thu, 06/18/2009 - 10:28

Mike, thanks for the response. To me this seems more geared towards a VPN Client configuration. As I mentioned, I have a hub ASA with several remote ASA5505s running a L2L. The computers at the locations run through the L2L for network resources and Internet. The goal is to allow them out to the Internet locally while still using the L2L VPN. I configured a split tunnel list but I still can't get it to work. I'll post the config. Thanks!

robertson.michael Thu, 06/18/2009 - 10:52

Hi Michael,

The config you posted looks okay to me. The outside_1_cryptomap ACL should only encrypt traffic from to and send it over the tunnel. Any traffic destined for the Internet should be translated to your Outside interface IP and routed on to your default gateway.

How can you tell the remote hosts are using the hub location's Internet connection and not their own? My site-to-site VPN config basically matches yours and I see the exact behavior you are looking to achieve.
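Mike's reply above describes the decision the branch ASA makes: flows matching the crypto-map ACL are encrypted into the tunnel, everything else is PAT'ed to the outside address and follows the default route. The Python model below is an added example, not code from either poster or from Cisco; the subnets, outside address and ACL entries are constructed placeholders. It also flags the over-broad destination entry that would drag Internet traffic into the tunnel instead of out the local connection.

```python
import ipaddress

# Constructed example values (not from the thread): hub LAN, one branch LAN,
# and the branch ASA's outside interface address used for PAT.
HUB_LAN = ipaddress.ip_network("10.1.0.0/16")
BRANCH_LAN = ipaddress.ip_network("192.168.10.0/24")
BRANCH_OUTSIDE_IP = ipaddress.ip_address("203.0.113.5")

# A crypto-map ACL modelled as an ordered list of (source_net, dest_net) permit
# entries: a flow matching any entry is "interesting" and is sent down the tunnel.
CRYPTO_ACL = [(BRANCH_LAN, HUB_LAN)]

# Misconfigured variant (constructed): destination "any" tunnels all branch traffic,
# so web browsing hairpins through the hub's Internet connection.
BROAD_ACL = [(BRANCH_LAN, ipaddress.ip_network("0.0.0.0/0"))]


def matches_crypto_acl(src, dst, acl):
    """True if the flow src -> dst matches any permit entry of the crypto ACL."""
    return any(src in s_net and dst in d_net for s_net, d_net in acl)


def classify_flow(src, dst, acl=CRYPTO_ACL, outside_ip=BRANCH_OUTSIDE_IP):
    """Return ('tunnel', None) for VPN-bound traffic, or ('local', pat_source)
    for traffic PAT'ed to the outside address and forwarded to the default gateway."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if matches_crypto_acl(src, dst, acl):
        return ("tunnel", None)
    return ("local", str(outside_ip))


def audit_crypto_acl(acl):
    """Return the indexes of entries whose destination is the whole address space;
    such entries defeat split tunnelling by matching Internet-bound flows."""
    return [i for i, (_, d_net) in enumerate(acl) if d_net.prefixlen == 0]


if __name__ == "__main__":
    for dst in ("10.1.5.5", "198.51.100.7"):  # hub server, then an Internet host
        print(dst, classify_flow("192.168.10.20", dst))
    print("broad entries in CRYPTO_ACL:", audit_crypto_acl(CRYPTO_ACL))
    print("broad entries in BROAD_ACL:", audit_crypto_acl(BROAD_ACL))
```

Running it against a real crypto ACL means transcribing each permit line into a (source, destination) pair; the audit only catches the "any" destination case, not narrower overlaps.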


cowetacoit Thu, 06/18/2009 - 11:09

I actually figured it out. I changed the default route to outside from x.x.x.x to x.x.x.x. That worked immediately. Weird, I figured the standard default route would work.

Thanks for the help, I'm glad the configs looked similar.

