06-17-2009 10:42 AM - edited 03-11-2019 08:45 AM
I have a scenario where I have a local ASA5520 and several remote ASA5505s running a site-to-site VPN connection. Currently people will log in over the VPN connection and use the applications they need. The problem is the speed of the connection for viewing training videos. They currently have to go out the hub location's Internet connection because of the S2S. I would like to have them go out their local Internet connection to view the website and still be able to have the S2S running. Any suggestions?
06-17-2009 12:26 PM
Hi Michael,
You'll want to set up split tunneling so that only certain traffic is sent over the VPN tunnel and the rest uses the local Internet connection. Take a look at this configuration guide below:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/site2sit.html
The l2l_list ACL used in the example config says that all traffic from 192.168.0.0/16 to 150.150.0.0/16 will be encrypted and sent over the tunnel (the VPN client adds static routes to the client PC's routing table). Anything else follows the default route in the client PC's routing table, which is likely set for their local Internet connection.
Hope that helps.
-Mike
06-18-2009 10:28 AM
Mike, thanks for the response. To me this seems more geared towards a VPN Client configuration. As I mentioned, I have a hub ASA with several remote ASA5505s running a L2L. The computers at the locations run through the L2L for network resources and Internet. The goal is to allow them out to the Internet locally while still using the L2L VPN. I configured a split tunnel list but I still can't get it to work. I'll post the config. Thanks!
06-18-2009 10:29 AM
06-18-2009 10:52 AM
Hi Michael,
The config you posted looks okay to me. The outside_1_cryptomap ACL should only encrypt traffic from 192.168.8.0/24 to 10.0.0.0/16 and send it over the tunnel. Any traffic destined for the Internet should be translated to your Outside interface IP and routed on to your default gateway.
How can you tell the remote hosts are using the hub location's Internet connection and not their own? My site-to-site VPN config basically matches yours and I see the exact behavior you are looking to achieve.
-Mike
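To make the behaviour Mike describes concrete, here is an added Python example (not from this thread, and not Cisco code) that parses ASA-style crypto ACL lines and shows which flows a remote 5505 would encrypt toward the hub versus hand to its local default route. The config lines are constructed for the example, not Michael's posted config; the second ACL is deliberately broad to show the failure mode where everything gets pulled into the tunnel.

```python
import ipaddress

# Constructed ASA-style lines (not the config from the thread). The first ACL
# mirrors the one Mike describes; the second is deliberately broad.
SAMPLE_CONFIG = """
access-list outside_1_cryptomap extended permit ip 192.168.8.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list vpn_all extended permit ip 192.168.8.0 255.255.255.0 any
"""

def _take_net(tokens):
    """Consume one ASA address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_crypto_acl(config, name):
    """Return (src, dst) network pairs for the 'permit ip' entries of the named ACL."""
    entries = []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:5] != ["access-list", name, "extended", "permit", "ip"]:
            continue
        src, rest = _take_net(tokens[5:])
        dst, _ = _take_net(rest)
        entries.append((src, dst))
    return entries

def classify(entries, src_ip, dst_ip):
    """'tunnel' if the crypto ACL matches (encrypted to the hub), otherwise
    'local-internet' (PAT to the outside IP, then the 5505's own default route)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if any(s in src and d in dst for src, dst in entries):
        return "tunnel"
    return "local-internet"

def overly_broad(entries):
    """Entries with a 0.0.0.0/0 destination drag all Internet-bound traffic into the tunnel."""
    return [(s, d) for s, d in entries if d.prefixlen == 0]

if __name__ == "__main__":
    acl = parse_crypto_acl(SAMPLE_CONFIG, "outside_1_cryptomap")
    print(classify(acl, "192.168.8.10", "10.0.5.20"))    # tunnel
    print(classify(acl, "192.168.8.10", "203.0.113.7"))  # local-internet
    print(overly_broad(parse_crypto_acl(SAMPLE_CONFIG, "vpn_all")))
```

Running it against your own crypto map ACL is a quick way to confirm that only the hub's 10.0.0.0/16 is "interesting" traffic and that nothing else is being encrypted.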
06-18-2009 11:09 AM
I actually figured it out. I changed the default route to outside from 0.0.0.0 0.0.0.0 x.x.x.x to 192.168.8.0 255.255.255.0 x.x.x.x. That worked immediately. Weird, I figured the standard default route would work.
Thanks for the help, I'm glad the configs looked similar.