Remote access VPN split tunnel query (sort of reverse split tunnel?)

twhittle1
Level 1

Hi,

I have a theory question I was hoping someone could shed some light on...

I am currently playing around with remote access using an 871 router and the Cisco VPN client.

I have it working perfectly for a full tunnel (everything is encrypted and sent over the VPN) and also a split tunnel (where traffic for the main office is sent over the VPN and everything else goes out locally). But I've come across a new scenario which has thrown me.

In the above two scenarios I specify what traffic goes through the VPN tunnel; for example, for the split tunnel ACL I specify the address ranges for the local LAN, and this traffic passes through the VPN tunnel while the rest goes out locally. However, my question is now: is there a way to specify which traffic should not go through the VPN tunnel? I.e. I want traffic for one network (10.0.0.0/8 for example) to go out locally and all other traffic to go back over the tunnel. The scenario is that there are some local resources I want clients in the branch to be able to access, and all other traffic goes back to the central site. (By the way, I appreciate there is a better way to do this with a site-to-site VPN tunnel between the branch router and the HQ router, but in this case I want to do it using VPN clients on laptops at the branch site.)

I assumed I could create an ACL which just denied certain traffic and permitted the rest but I've tried this and it doesn't seem to work.

I don't need anyone to give me a working config I'm just trying to understand the theory. Is what I'm asking possible? or does it just not work this way?

Many Thanks,

Tom Whittle

2 Replies

shamax_1983
Level 3

Hi Tom,

I think this is only possible by adding a specific route at the host level with a lower metric (if needed) pointing to the local GW. I don't think there is an automatic way to do this just using the VPN client config.

Hi,

Many thanks for your response. That is a good idea, so actually putting a route into the routing table of the host machine, in my case Windows.

I will give this a go.

Thanks again for your help.

Regards,

Tom
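The host-route approach suggested in the first reply, as an added example that is not part of the original thread or of any Cisco documentation. It assumes a Windows laptop with the tunnel already up, a physical adapter named "Ethernet" whose local gateway is 192.168.1.1, and a branch-local network of 10.0.0.0/8 that should bypass the tunnel; all of those names and addresses are placeholders. It also assumes the VPN client honours the operating system routing table rather than forcing every packet into the tunnel, which is exactly the point the question was asking about and should be tested on the client in use.

```powershell
# Added example, not from the original thread. Placeholders: adapter name,
# local gateway and the network that should stay off the tunnel.
$PhysicalAdapter = 'Ethernet'      # name of the physical LAN/Wi-Fi adapter
$LocalGateway    = '192.168.1.1'   # branch router / local default gateway
$LocalNet        = '10.0.0.0/8'    # branch-local resources that should bypass the VPN

# Resolve the physical adapter; the VPN client's virtual adapter must not be used here.
$nic = Get-NetAdapter -Name $PhysicalAdapter -ErrorAction Stop

# Before: show which route currently carries a 10.x destination. With a full
# tunnel this should be the VPN adapter's 0.0.0.0/0 route.
Find-NetRoute -RemoteIPAddress '10.1.2.3' |
    Select-Object InterfaceAlias, DestinationPrefix, NextHop | Format-Table -AutoSize

# Install the more-specific route via the local gateway. Longest-prefix match
# means a /8 beats the tunnel's /0 regardless of metric; a low RouteMetric only
# matters if something later installs an equally specific route. ActiveStore
# keeps it non-persistent, so a reboot returns the host to full-tunnel behaviour.
New-NetRoute -DestinationPrefix $LocalNet `
             -InterfaceIndex $nic.InterfaceIndex `
             -NextHop $LocalGateway `
             -RouteMetric 1 `
             -PolicyStore ActiveStore

# After: a 10.x destination should now resolve to the physical adapter and local
# gateway, while an address outside 10/8 (here 172.16.5.5, a placeholder for an
# HQ host) should still resolve to the VPN adapter.
Find-NetRoute -RemoteIPAddress '10.1.2.3' |
    Select-Object InterfaceAlias, DestinationPrefix, NextHop | Format-Table -AutoSize
Find-NetRoute -RemoteIPAddress '172.16.5.5' |
    Select-Object InterfaceAlias, DestinationPrefix, NextHop | Format-Table -AutoSize

# Clean-up when the exception is no longer needed:
# Remove-NetRoute -DestinationPrefix $LocalNet -NextHop $LocalGateway -Confirm:$false
```

On older Windows releases without the NetTCPIP cmdlets the equivalent one-liner is `route add 10.0.0.0 mask 255.0.0.0 192.168.1.1 metric 1` (add `-p` to make it persistent). Two caveats worth keeping in mind: the exception lives only on the client, so the headend cannot see or enforce it, and whatever ACLs or logging HQ applies to 10.0.0.0/8 no longer apply to that traffic; and because the route is chosen purely by prefix, any HQ addresses that also fall inside 10.0.0.0/8 will be sent to the local gateway rather than through the tunnel, so pick a prefix that is genuinely branch-only.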