06-02-2014 08:49 AM - edited 03-11-2019 09:16 PM
A remote site has easy vpn enabled on its firewall connected to the main site, currently all traffic is routed from the remote site to the main site. How can I only route a certain subnet from a remote site to the main site and all other traffic goes straight out from that remote site? I do not want to break the connection of the other remote site easy vpn connections. Thanks.
06-02-2014 11:25 AM
I don't think you can have a single Easy VPN headend with some remote sites tunneling all and others split tunneling. That's kind of against the concept of it being "easy" (i.e. very standardized and automatically set up).
If you want the one site to be split tunnel, you can use a standard IPsec VPN and match interesting traffic according to a crypto map and access-list specific to that site.
06-02-2014 09:49 AM
Are you using IOS router as the Easy VPN server? In such a setup, the split tunneling for the clients (e.g. your remote site) is pushed by use of an ACL on the headend.
There's an example here that shows such a setup. (It's acl 150 under the "crypto isakmp client configuration group branch" section of the primary Cisco Easy VPN Server configuration.)
06-02-2014 11:16 AM
No, the easy vpn server is an ASA. Is there an option on that config to specify what remote site traffic not to tunnel, instead of using the tunnelall command?
I have many remote sites connected to the easy vpn server using "tunnelall" but want to make a change on a remote site to have a certain network not to be tunneled for that remote site and do not want to interrupt the other connected sites. I'm using CWS.
06-02-2014 11:31 AM
So then how would I enable all remote Easy VPN sites to only tunnel one subnet each and send all other traffic out? Is it possible?
06-02-2014 12:00 PM
Standard IPsec is more my forte, but I suppose if the ACL setup on the headend included all of the subnet pairs you want to/from the remote sites it should work.
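For reference, here is what the headend-side change discussed in the last reply looks like on an ASA Easy VPN server: the current tunnelall group policy next to a tunnelspecified policy whose ACL lists the main-site subnets. This is an added example, not posted by anyone in the thread; the policy and ACL names and the addresses are constructed, and the split policy applies to every remote site that uses that group policy, not to a single site.

```cisco
! Added example (not from the thread). EZVPN_GP, SPLIT_TO_HQ and the
! 10.x addresses are constructed placeholders.
!
! Current behaviour described in the thread: every remote site that uses this
! group policy sends all of its traffic through the tunnel to the main site.
group-policy EZVPN_GP internal
group-policy EZVPN_GP attributes
 split-tunnel-policy tunnelall
!
! Split-tunnel alternative: only destinations matched by the ACL are sent
! through the tunnel; everything else leaves the remote site directly.
! Every main-site subnet the remote sites must reach has to be listed here.
access-list SPLIT_TO_HQ standard permit 10.1.0.0 255.255.0.0
access-list SPLIT_TO_HQ standard permit 10.2.20.0 255.255.255.0
group-policy EZVPN_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TO_HQ
!
! Caveat: traffic outside SPLIT_TO_HQ no longer passes through the headend,
! so any inspection applied there (such as the CWS redirection mentioned
! above) stops covering it; the remote firewall's own outbound policy and
! logging become the only controls on that traffic.
```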