Local internet access when using S2S VPN

cowetacoit
Level 1

I have a scenario where I have a local ASA5520 and several remote ASA5505s running a site-to-site VPN connection. Currently people will log in over the VPN connection and use the applications they need. The problem is the speed of the connection for viewing training videos. They currently have to go out the hub location's Internet connection because of the S2S. I would like to have them go out their local Internet connection to view the website and still be able to have the S2S running. Any suggestions?

5 Replies

Hi Michael,

You'll want to set up split tunneling so that only certain traffic is sent over the VPN tunnel and the rest uses the local Internet connection. Take a look at this configuration guide below:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/site2sit.html

The l2l_list ACL used in the example config says that all traffic from 192.168.0.0/16 to 150.150.0.0/16 will be encrypted and sent over the tunnel (the VPN client adds static routes to the client PC's routing table). Anything else follows the default route in the client PC's routing table, which is likely set for their local Internet connection.

Hope that helps.

-Mike

Mike, thanks for the response. To me this seems more geared towards a VPN Client configuration. As I mentioned, I have a hub ASA with several remote ASA5505s running an L2L. The computers at the locations run through the L2L for network resources and Internet. The goal is to allow them out to the Internet locally while still using the L2L VPN. I configured a split tunnel list but I still can't get it to work. I'll post the config. Thanks!

Remote ASA config

Hi Michael,

The config you posted looks okay to me. The outside_1_cryptomap ACL should only encrypt traffic from 192.168.8.0/24 to 10.0.0.0/16 and send it over the tunnel. Any traffic destined for the Internet should be translated to your Outside interface IP and routed on to your default gateway.

How can you tell the remote hosts are using the hub location's Internet connection and not their own? My site-to-site VPN config basically matches yours and I see the exact behavior you are looking to achieve.

-Mike
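To make the decision Mike describes concrete, here is an added Python model (not from the thread or from Cisco) of how a remote-site ASA treats a LAN packet: the crypto-map ACL is checked first and a match means the packet is encrypted into the L2L tunnel; anything else is NATed to the outside address and follows the longest-matching route, normally the default route to the ISP. The function names, the 203.0.113.1 gateway and the host addresses are constructed; it also contrasts a split-tunnel ACL with an "everything is interesting" ACL, which is what makes Internet traffic hairpin through the hub.

```python
import ipaddress
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network
# A route is (prefix, next-hop, interface); values below are constructed.
Route = Tuple[str, str, str]


def crypto_acl(*pairs: Tuple[str, str]) -> List[Tuple[Net, Net]]:
    """Build a crypto-map 'interesting traffic' ACL from (source, destination) prefixes."""
    return [(Net(s), Net(d)) for s, d in pairs]


def classify(acl: List[Tuple[Net, Net]], routes: List[Route], src: str, dst: str) -> str:
    """Decide what the remote ASA does with a packet from a LAN host.

    1. Crypto ACL match  -> encrypt and send over the site-to-site tunnel.
    2. Otherwise         -> translate to the outside address and forward via
                            the longest-prefix route (the default route for
                            Internet destinations). No route at all -> drop.
    """
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return "tunnel"
    candidates = [r for r in routes if d in Net(r[0])]
    best: Optional[Route] = max(candidates, key=lambda r: Net(r[0]).prefixlen, default=None)
    if best is None:
        return "drop (no route)"
    return f"nat-to-outside via {best[1]}"


# Split tunnel as in the thread: only remote LAN -> hub networks is interesting.
SPLIT_ACL = crypto_acl(("192.168.8.0/24", "10.0.0.0/16"))
# Full tunnel: every destination matches, so Internet traffic is hairpinned via the hub.
FULL_TUNNEL_ACL = crypto_acl(("192.168.8.0/24", "0.0.0.0/0"))
# Constructed default route out the outside interface to the ISP gateway (TEST-NET-3).
ROUTES: List[Route] = [("0.0.0.0/0", "203.0.113.1", "outside")]

if __name__ == "__main__":
    for name, acl in (("split", SPLIT_ACL), ("full", FULL_TUNNEL_ACL)):
        for dst in ("10.0.5.20", "198.51.100.10"):  # hub server, then an Internet host
            print(f"{name:5} 192.168.8.50 -> {dst:14}: {classify(acl, ROUTES, '192.168.8.50', dst)}")
```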

I actually figured it out. I changed the default route to outside from 0.0.0.0 0.0.0.0 x.x.x.x to 192.168.8.0 255.255.255.0 x.x.x.x. That worked immediately. Weird, I figured the standard default route would work.

Thanks for the help, I'm glad the configs looked similar.
