I have a scenario where I have a local ASA5520 and several remote ASA5505s running a site-to-site VPN connection. Currently people log in over the VPN connection and use the applications they need. The problem is the speed of the connection for viewing training videos. They currently have to go out the hub location's Internet connection because of the S2S. I would like to have them go out their local Internet connection to view the website and still be able to have the S2S running. Any suggestions?
The l2l_list ACL used in the example config says that all traffic from 192.168.0.0/16 to 220.127.116.11/16 will be encrypted and sent over the tunnel (the VPN client adds static routes to the client PC's routing table). Anything else follows the default route in the client PC's routing table, which is likely set for their local Internet connection.
Mike, thanks for the response. To me this seems more geared towards a VPN client configuration. As I mentioned, I have a hub ASA with several remote ASA5505s running an L2L. The computers at the locations run through the L2L for network resources and Internet. The goal is to allow them out to the Internet locally while still using the L2L VPN. I configured a split tunnel list but I still can't get it to work. I'll post the config. Thanks!
The config you posted looks okay to me. The outside_1_cryptomap ACL should only encrypt traffic from 192.168.8.0/24 to 10.0.0.0/16 and send it over the tunnel. Any traffic destined for the Internet should be translated to your Outside interface IP and routed on to your default gateway.
How can you tell the remote hosts are using the hub location's Internet connection and not their own? My site-to-site VPN config basically matches yours and I see the exact behavior you are looking to achieve.
I actually figured it out. I changed the default route to outside from 0.0.0.0 0.0.0.0 x.x.x.x to 192.168.8.0 255.255.255.0 x.x.x.x. That worked immediately. Weird, I figured the standard default route would work.
Thanks for the help, I'm glad the configs looked similar.
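For readers arriving at this thread, here is an added example (not the poster's config, which was not reproduced here) of a remote ASA5505 spoke configured the way Mike describes: only LAN-to-hub traffic matches the crypto ACL and is NAT-exempted, everything else is PAT'd to the outside interface and follows the default route to the local ISP. The hub peer 198.51.100.1, the ISP gateway 203.0.113.1 and the object names are constructed placeholders; the subnets are the ones given in the thread.

```cisco
! Remote spoke LAN and hub LAN (subnets as stated in the thread)
object network REMOTE_LAN
 subnet 192.168.8.0 255.255.255.0
object network HUB_LAN
 subnet 10.0.0.0 255.255.0.0
!
! Crypto ACL: only LAN-to-hub traffic is "interesting" and gets encrypted
access-list outside_1_cryptomap extended permit ip object REMOTE_LAN object HUB_LAN
!
! Identity (twice) NAT so tunnelled traffic keeps its real addresses
nat (inside,outside) source static REMOTE_LAN REMOTE_LAN destination static HUB_LAN HUB_LAN no-proxy-arp route-lookup
!
! Everything else from the LAN is PAT'd to the outside interface IP
object network REMOTE_LAN_PAT
 subnet 192.168.8.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Default route to the local ISP gateway (placeholder address)
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! IKEv1/IPsec L2L tunnel to the hub (placeholder peer address and key)
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 198.51.100.1
crypto map outside_map 1 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key <REPLACE_WITH_PSK>
!
! Verification: the first trace should hit the VPN/NAT-exempt path, the second
! should show dynamic PAT to the outside interface and the default route
! packet-tracer input inside tcp 192.168.8.10 1025 10.0.0.10 445
! packet-tracer input inside tcp 192.168.8.10 1025 198.51.100.200 80
! show crypto ipsec sa
! show nat
```

The two packet-tracer runs are the quickest way to answer Mike's question in the thread: if the Internet-bound trace shows the VPN phase or a NAT exemption hit, the crypto ACL or exemption rule is too broad.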