how to configure split tunnel?

george
Level 1

I have configured split tunnel on an ASA5510 so that only the traffic destined for the other end of the IPSec tunnel goes through the tunnel and the rest does not. Something like this:

access-list split extended permit ip 10.10.10.0 255.255.255.0 10.10.11.0 255.255.255.0

group-policy <policy> attributes

split-tunnel-network-list value split

Now I want to make sure that traffic to one specific host also goes through the tunnel, i.e. traffic from the 10.10.11.0 VPN clients to 123.123.123.123. Is it sufficient to add:

access-list split extended permit ip host 123.123.123.123 10.10.11.0 255.255.255.0

or is there something else? Also, how about NAT, given that 123.123.123.123 is outside of the local network? Any suggestions?

2 Replies

puagarwa
Level 1

Firstly, you should use a standard access-list for split tunneling and not an extended one!!

So the access-list should look like:

access-list split standard permit 10.10.10.0 255.255.255.0

Yes, you are right, you just have to add the single host to the split tunneling list:

access-list split standard permit host 123.123.123.123

For the VPN client traffic to go out via the outside interface of the ASA, you have to add one more command, which is as follows:

same-security-traffic permit intra-interface

Also, you will have to apply nat 0 (outside) for denying the traffic from the client pool to that outside host 123.123.123.123:

access-list nonatoutside permit ip 10.10.11.0 255.255.255.0 host 123.123.123.123

nat (outside) 0 access-list nonatoutside
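An added example, not from the thread: a small Python check that models the rules in this answer (a standard ACL behind split-tunnel-network-list, a tunnelspecified policy, and the intra-interface permit for hairpinned traffic) against a constructed config. The policy name vpnpolicy and the config text are assumptions, and the syntax checks cover only the ACE forms used here.

```python
import ipaddress
import re
from itertools import takewhile

# Constructed sample in the shape of the thread's ASA config; not a real device dump.
SAMPLE_CONFIG = """\
access-list split standard permit 10.10.10.0 255.255.255.0
access-list split standard permit host 123.123.123.123
same-security-traffic permit intra-interface
group-policy vpnpolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
"""

# One standard ACE: 'host A.B.C.D' or 'network mask', with no protocol keyword.
STD_ACE = re.compile(r"^access-list (\S+) standard (permit|deny) (?:host (\S+)|(\S+) (\S+))$")

def split_acl_networks(config, acl):
    """Networks permitted by standard ACL `acl`; reject extended or otherwise malformed entries."""
    nets = []
    for line in config.splitlines():
        line = line.strip()
        if not line.startswith(f"access-list {acl} "):
            continue
        m = STD_ACE.match(line)
        if m is None:  # 'extended', a stray 'ip' keyword, or any other non-standard form
            raise ValueError(f"split-tunnel ACL must be a standard ACL: {line!r}")
        _, action, host, net, mask = m.groups()
        if action == "permit":
            nets.append(ipaddress.ip_network(f"{host}/32" if host else f"{net}/{mask}"))
    return nets

def tunneled_networks(config, policy):
    """Resolve the group-policy's split-tunnel ACL; empty unless the policy is 'tunnelspecified'."""
    _, _, rest = config.partition(f"group-policy {policy} attributes\n")
    attrs = [l.strip() for l in takewhile(lambda l: l.startswith(" "), rest.splitlines())]
    if "split-tunnel-policy tunnelspecified" not in attrs:
        return []
    for a in attrs:
        if a.startswith("split-tunnel-network-list value "):
            return split_acl_networks(config, a.split()[-1])
    return []

def goes_through_tunnel(config, policy, dst):
    """True if a VPN client's packet to `dst` is sent over the IPsec tunnel under `policy`."""
    return any(ipaddress.ip_address(dst) in n for n in tunneled_networks(config, policy))

def hairpin_allowed(config):
    """Traffic tunneled in and sent back out the outside interface needs intra-interface permit."""
    return "same-security-traffic permit intra-interface" in config.splitlines()
```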

Thanks for your response. I have a quick question: why is it necessary/important to use a standard access-list as opposed to an extended access-list?