how to configure split tunnel?

I have configured split tunnel on an ASA5510 so that only the traffic that is destined for the other end of the IPSec tunnel goes through the tunnel and the rest does not. Something like this:

access-list split extended permit ip 10.10.10.0 255.255.255.0 10.10.11.0 255.255.255.0

group-policy <policy> attributes

split-tunnel-network-list value split

Now I want to make sure that traffic to one specific host also goes through the tunnel, i.e. traffic from the 10.10.11.0 VPN clients to 123.123.123.123. Is it sufficient to add:

access-list split extended permit ip host 123.123.123.123 10.10.11.0 255.255.255.0

or is there something else? Also, what about NAT, given that 123.123.123.123 is outside the local network? Any suggestions?

puagarwa Sun, 09/24/2006 - 03:20

Firstly, you should use a standard access-list for split tunneling and not an extended one!

So the access-list should look like:

access-list split standard permit 10.10.10.0 255.255.255.0

Yes, you are right, you just have to add the single host to the split tunneling list:

access-list split standard permit host 123.123.123.123

For the VPN client traffic to go out via the outside interface of the ASA, you have to add one more command, which is as follows:

same-security-traffic permit intra-interface

Also, you will have to apply nat 0 (outside) for denying the traffic from the client pool to that outside host 123.123.123.123:

access-list nonatoutside permit ip 10.10.11.0 255.255.255.0 host 123.123.123.123

nat (outside) 0 access-list nonatoutside
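Putting the pieces of the thread together, the complete remote-access configuration as one pre-8.3 ASA config fragment. This is an added example, not the original poster's or the answerer's config: the group-policy, tunnel-group and pool names (RA_POLICY, RA_GROUP, RA_POOL), the inside-network NAT exemption and the pool range are assumed. It also adds `split-tunnel-policy tunnelspecified`, which the question's snippet leaves out but without which the network list is never applied and the client tunnels everything.

```cisco
! Split-tunnel list: a standard ACL (destinations only). Each entry is a
! network or host the client sends through the tunnel; everything else
! leaves the client directly, unencrypted.
access-list split standard permit 10.10.10.0 255.255.255.0
access-list split standard permit host 123.123.123.123

! Group policy for the remote-access clients. "tunnelspecified" is what
! turns the network list on; with the default policy (tunnelall) the list
! is ignored. Names are assumed for this example.
group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split

! Client address pool and the tunnel group that hands it out (assumed)
ip local pool RA_POOL 10.10.11.1-10.10.11.254 mask 255.255.255.0
tunnel-group RA_GROUP type ipsec-ra
tunnel-group RA_GROUP general-attributes
 address-pool RA_POOL
 default-group-policy RA_POLICY

! Client traffic for 123.123.123.123 arrives decrypted on the outside
! interface and has to leave through the same interface (hairpin).
! The ASA drops that by default; allow it explicitly.
same-security-traffic permit intra-interface

! Inside network <-> client pool: keep it unNATed on the inside interface
! (assumed; not shown in the thread)
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 10.10.11.0 255.255.255.0
nat (inside) 0 access-list nonat

! Client pool -> 123.123.123.123, as in the answer above: exempt from NAT
! on the outside interface. This only works if 123.123.123.123 can route
! replies back to 10.10.11.0/24 (another VPN peer or a private link).
access-list nonatoutside extended permit ip 10.10.11.0 255.255.255.0 host 123.123.123.123
nat (outside) 0 access-list nonatoutside
```

After a client connects, `show crypto ipsec sa` on the ASA should show security associations only for the two split-tunnel destinations, and a traceroute from the client to any other address should leave via the client's local gateway. Two caveats: if 123.123.123.123 is an ordinary Internet host with no route back to the private pool, NAT exemption cannot work and the hairpinned client traffic has to be translated to the outside interface address instead (a dynamic nat/global pair on the outside interface in pre-8.3 syntax); and on ASA 8.3 and later the `nat (interface) 0 access-list` statements no longer exist and must be rewritten as object or twice NAT.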
