Split tunnel vpn and access rule

A remote site has Easy VPN enabled on its firewall, connected to the main site; currently all traffic is routed from the remote site to the main site. How can I route only a certain subnet from the remote site to the main site and have all other traffic go straight out from that remote site? I do not want to break the connections of the other remote sites' Easy VPN connections. Thanks.


5 Replies

Marvin Rhoads
Hall of Fame

Are you using an IOS router as the Easy VPN server? In such a setup, the split tunneling for the clients (e.g. your remote site) is pushed by use of an ACL on the headend.

There is an example here that shows such a setup. (It's ACL 150 under the "crypto isakmp client configuration group branch" section of the primary Cisco Easy VPN Server configuration.)

No, the Easy VPN server is an ASA. Is there an option in that config to specify which remote-site traffic not to tunnel, instead of using the tunnelall command?

I have many remote sites connected to the Easy VPN server using "tunnelall" but want to make a change on one remote site so that a certain network is not tunneled for that remote site, and I do not want to interrupt the other connected sites. I'm using CWS.

I don't think you can have a single Easy VPN headend with some remote sites tunneling all and others split tunneling. That's kind of against the concept of it being "easy" (i.e. very standardized and automatically set up).

If you want the one site to be split tunnel, you can use a standard IPsec VPN and match interesting traffic according to a crypto map and access-list specific to that site.

So then how would I enable all remote Easy VPN sites to tunnel only one subnet each and send all other traffic out directly? Is it possible?

Standard IPsec is more my forte, but I suppose if the ACL setup on the headend included all of the subnet pairs you want to/from the remote sites, it should work.
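The standard IPsec (LAN-to-LAN) approach suggested in the accepted reply, written out as an added example for the ASA headend. This is not configuration from the thread or from Cisco documentation; it assumes ASA 8.4+ (IKEv1) syntax, an existing crypto map named OUTSIDE_MAP that already carries the Easy VPN dynamic entry, and the documentation-only addresses, object names and pre-shared-key placeholder shown below. Only traffic matching the per-site ACL is encrypted; everything else the remote site sends leaves its own Internet link unencrypted and never reaches the headend.

```cisco
! --- Headend ASA: split-tunnel-style LAN-to-LAN tunnel for one remote site ---
! Assumed addresses (RFC 5737 documentation ranges / private space):
!   HQ LAN            10.1.0.0/16
!   Site B LAN        192.168.20.0/24, Site B outside peer 203.0.113.20
!   Site C LAN        192.168.30.0/24, Site C outside peer 203.0.113.30
object network HQ_LAN
 subnet 10.1.0.0 255.255.0.0
object network SITE_B_LAN
 subnet 192.168.20.0 255.255.255.0
object network SITE_C_LAN
 subnet 192.168.30.0 255.255.255.0

! Interesting traffic: one ACL per site, containing only the subnet pair that
! must be tunneled. Traffic that matches no line is simply not encrypted.
access-list L2L_SITE_B extended permit ip object HQ_LAN object SITE_B_LAN
access-list L2L_SITE_C extended permit ip object HQ_LAN object SITE_C_LAN

! NAT exemption so private addresses are preserved inside the tunnel.
nat (inside,outside) source static HQ_LAN HQ_LAN destination static SITE_B_LAN SITE_B_LAN no-proxy-arp route-lookup
nat (inside,outside) source static HQ_LAN HQ_LAN destination static SITE_C_LAN SITE_C_LAN no-proxy-arp route-lookup

! Phase 1 / Phase 2 parameters (AES-256, SHA-1 HMAC, DH group 14).
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac

! Static crypto map entries for the split-tunnel sites. Their sequence numbers
! must be LOWER than the existing dynamic (Easy VPN) entry, which stays untouched,
! e.g.  crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN_MAP
crypto map OUTSIDE_MAP 20 match address L2L_SITE_B
crypto map OUTSIDE_MAP 20 set peer 203.0.113.20
crypto map OUTSIDE_MAP 20 set ikev1 transform-set AES256-SHA
crypto map OUTSIDE_MAP 30 match address L2L_SITE_C
crypto map OUTSIDE_MAP 30 set peer 203.0.113.30
crypto map OUTSIDE_MAP 30 set ikev1 transform-set AES256-SHA
crypto map OUTSIDE_MAP interface outside
crypto ikev1 enable outside

! One L2L tunnel-group per peer; the Easy VPN remote-access tunnel-group the
! other sites use is not modified, so they are not interrupted.
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 ikev1 pre-shared-key <SITE_B_PSK>
tunnel-group 203.0.113.30 type ipsec-l2l
tunnel-group 203.0.113.30 ipsec-attributes
 ikev1 pre-shared-key <SITE_C_PSK>
```

The remote-site ASA needs the mirror image: the same transform set and IKE policy, an ACL permitting its own LAN to HQ_LAN, a crypto map entry with the headend as peer, and a NAT rule that exempts that pair while still PATing everything else to its outside interface. Verify the result with `show crypto ipsec sa peer 203.0.113.20`: the encaps/decaps counters should rise only for HQ-bound flows, and a traceroute from the site to a public address should exit the local ISP link rather than the headend.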
