internet routing

Unanswered Question
Aug 16th, 2011

Dear Sirs

We would like to configure some internet access routed through the remote site's ISP gateway by using an IPSec VPN tunnel, while the rest of the internet traffic keeps using the local ISP. Would you please teach me how to configure it?


Maykol Rojas Wed, 08/17/2011 - 12:07

There is nothing very fancy on it. What you need to do is to point the other side network of the VPN to the new ISP connection and put the crypto map on that interface; that will do the trick.

If you have questions, let me know.


raga.fusionet Wed, 08/17/2011 - 12:53

Maykol, I don't think you got Hugo's question. Unfortunately, this setup is not that easy.

Hugo, if I understood correctly, you would like to route some traffic thru the VPN so that it uses the ISP gateway at remote site and still use your local ISP for the rest of the internet traffic right?

Unfortunately, since VPN is based on layer 3 information (IP), this cannot be done unless you have the specific IP addresses of the Internet hosts you would like to route through the tunnel; that would make it hard because big sites keep changing their public IPs.

Think, for example, if you wanted to route all the traffic going to thru the tunnel: you would need to get all the IP addresses for Google, then define your crypto ACLs from your internal networks to Google's IP addresses and vice versa. That traffic will traverse the tunnel and use the remote site's ISP, and the rest of the traffic would stay local. Now when Google starts changing its IP addresses you will start having problems (not problems per se, but the traffic for Google's new IP address will be routed using your local ISP).

So as you can see, since VPN uses IP addresses for the definition of the interesting traffic instead of domains, this would be hard to accomplish and maintain.

I hope this helps.


hugochengym Wed, 08/17/2011 - 17:52


Thanks for your suggestion, and that is exactly what I need. May I know of any reference guide for me to follow?


raga.fusionet Wed, 08/17/2011 - 18:20


If you know the public IP addresses of the sites you plan to tunnel, then you can do a regular LAN to LAN tunnel and put those public IPs in the interesting traffic for the VPN tunnel.

The commands would depend on the hardware that you use. What kind of devices are you planning to use to build the VPN tunnel?



hugochengym Wed, 08/17/2011 - 18:23

Cisco Adaptive Security Appliance Software Version 8.0(4)

Device Manager Version 6.1(5)51

We are using ASA 5510


hugochengym Wed, 08/17/2011 - 18:37


Is that suitable for remote access (VPN Client)? But anyway, I will try it.


hugochengym Wed, 08/17/2011 - 18:50


Your URL is not helpful for me. Our situation is:

Site A: ASA 5510 (Wan IP:

Site B: PC with Cisco VPN Client installed  (IPSec tunnel) (Wan IP:

We would like to access, for example, passing through site A ( by using the IPSec tunnel from site B.

For the rest of the internet traffic, keep using the local ISP (


Maykol Rojas Wed, 08/17/2011 - 19:09

Luis Diego/Hugo,

If the traffic is site to site tunnels it will work, since you WILL know what the subnets on the other side of the tunnel are.


raga.fusionet Thu, 08/18/2011 - 07:31

Maykol, again, this would work only if you know the public IP addresses of the sites you want to send thru the VPN tunnel, regardless of whether it is site to site or VPN Clients.


Let's say that Google's IP addresses are, and. Then you would need to send that traffic thru the VPN tunnel.

Your config would look something like this:

access-list split_tun standard permit host
access-list split_tun standard permit host
access-list split_tun standard permit host

group-policy TEST internal
group-policy TEST attributes
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value split_tun

ip local pool TestPool mask

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto map Outside_map 10 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside

same-security-traffic permit intra-interface
nat (outside) 1

crypto isakmp enable Outside
crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
crypto isakmp nat-traversal 20

tunnel-group TEST type ipsec-ra
tunnel-group TEST general-attributes
  address-pool TestPool
  default-group-policy TEST
tunnel-group TEST ipsec-attributes
  pre-shared-key cisco123

It would be very similar to this:

Only that instead of tunneling all the internet traffic you will be tunneling specific IP addresses. BTW, with the commands I included above you are only using the VPN to route the internet traffic for "Google". If you also need to access the subnet behind the ASA-VPN server (let's say you would need to add something like this:

access-list split_tun standard permit
access-list nonat permit ip
nat (inside) 0 access-l nonat

I hope this helps. Let us know if you have any other questions.
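The split-tunnel decision described in this thread is purely a layer 3 match: a destination either falls inside a prefix listed in the `split_tun` standard ACL (and goes down the tunnel to the remote ISP) or it does not (and leaves via the local ISP). The following Python script is an added example, not code from the original thread or from Cisco; it parses ASA-style `access-list ... standard permit` lines, classifies destinations the way `split-tunnel-policy tunnelspecified` would, and shows the maintenance failure mode raga.fusionet describes: when a site moves to an address that is not in the list, that traffic silently falls back to the local ISP. All IP addresses in it are constructed placeholders from the RFC 5737 documentation ranges; the ACL lines and the `render_acl` helper are illustrative, not the thread's config.

```python
"""Simulate the ASA 'tunnelspecified' split-tunnel decision for a VPN client.

Added example for the thread above; not code from the original post or
from Cisco. All addresses below are constructed (RFC 5737 TEST-NET ranges).
"""
import ipaddress
import re
from typing import Dict, Iterable, List

# Constructed sample in the same shape as the split_tun ACL in the thread.
# Two /32 hosts plus one /24, standing in for "Google's current addresses".
SPLIT_TUN_ACL = """
access-list split_tun standard permit host 203.0.113.10
access-list split_tun standard permit host 203.0.113.11
access-list split_tun standard permit 198.51.100.0 255.255.255.0
access-list nonat permit ip 10.10.0.0 255.255.0.0 192.168.50.0 255.255.255.0
"""

# Matches only *standard* ACL entries: "host A.B.C.D" or "NET MASK".
ACL_LINE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+standard\s+permit\s+"
    r"(?:host\s+(?P<host>[\d.]+)|(?P<net>[\d.]+)\s+(?P<mask>[\d.]+))\s*$"
)


def parse_split_tunnel_acl(config: str, acl_name: str = "split_tun") -> List[ipaddress.IPv4Network]:
    """Return the networks listed in the named standard ACL, in config order.

    Lines for other ACLs (e.g. the extended 'nonat' list) are ignored.
    """
    nets: List[ipaddress.IPv4Network] = []
    for raw in config.splitlines():
        m = ACL_LINE.match(raw.strip())
        if not m or m.group("name") != acl_name:
            continue
        if m.group("host"):
            nets.append(ipaddress.ip_network(m.group("host") + "/32"))
        else:
            # ipaddress accepts dotted netmask notation; strict=False tolerates host bits.
            nets.append(ipaddress.ip_network(f"{m.group('net')}/{m.group('mask')}", strict=False))
    return nets


def classify(dst: str, nets: Iterable[ipaddress.IPv4Network]) -> str:
    """'tunnel' if dst matches the split-tunnel list, else 'local-isp'.

    This mirrors split-tunnel-policy tunnelspecified: only listed
    destinations are encrypted and sent to the ASA; everything else
    is routed by the client's local default gateway in the clear.
    """
    ip = ipaddress.ip_address(dst)
    return "tunnel" if any(ip in n for n in nets) else "local-isp"


def audit(destinations: Iterable[str], nets: Iterable[ipaddress.IPv4Network]) -> Dict[str, str]:
    """Map each destination to the path it would take; use to spot leaks."""
    nets = list(nets)
    return {d: classify(d, nets) for d in destinations}


def render_acl(name: str, nets: Iterable[ipaddress.IPv4Network]) -> List[str]:
    """Regenerate standard ACL lines from a current address list.

    Because the ASA matches on addresses, not domains, the list has to be
    rebuilt whenever the target site's public addresses change.
    """
    lines = []
    for n in nets:
        if n.prefixlen == 32:
            lines.append(f"access-list {name} standard permit host {n.network_address}")
        else:
            lines.append(f"access-list {name} standard permit {n.network_address} {n.netmask}")
    return lines


if __name__ == "__main__":
    nets = parse_split_tunnel_acl(SPLIT_TUN_ACL)
    # Constructed destinations: two currently listed, one "new" address the
    # site moved to after the ACL was written. The last one leaks to local ISP.
    for dst, path in audit(["203.0.113.10", "198.51.100.77", "192.0.2.5"], nets).items():
        print(f"{dst:>14}  ->  {path}")
    print("\n".join(render_acl("split_tun", nets)))
```

Running the script prints `192.0.2.5 -> local-isp`, which is exactly the silent fallback the thread warns about: no error on the ASA, the traffic simply never hits the crypto map. Keeping the ACL generated from an authoritative address list (and re-auditing after changes) is the practical way to manage that drift.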


Maykol Rojas Thu, 08/18/2011 - 09:16

Luis Diego,

Good point.

If you have a site to site, you must know the peer IP address and the networks on the other side to encrypt the traffic, don't you? (Except the case with a dynamic crypto map; of course this falls in the same category as the RA VPNs because of the use of IP addresses that you don't know.)

The trick is to point the peers with a route towards the new link; there is no need to discuss that. If you know the networks/hosts in order to do so (normally on site to site you do), that's great; otherwise, it won't work.


raga.fusionet Thu, 08/18/2011 - 10:20

Regardless of whether it's VPN Client or site to site, you need to know the IP addresses of the hosts you want to access thru the tunnel (unless you do a full tunnel). Therefore Hugo needs to know the IP addresses of the websites he is planning to route thru the tunnel; that's what I'm trying to say.

If you just use routing over the internet the traffic will go in clear text, plus you can't route the traffic back to the client's private IP addresses since those are not routable.

Maykol Rojas Thu, 08/18/2011 - 12:38

If you don't point the private network towards the new ISP, the ASA will use its routing decision towards the old ISP, thus never hitting the crypto map nor encrypting the traffic.

You are totally right... You need to know the IPs... What I am just saying is that it will be easier to do with L2L, since normally you do know the IP of the endpoint and the networks to be encrypted.


