Easy VPN - excluded network list

Michael Adams
Level 1

Excluded Network List does not seem to be valid for hardware clients.

I need to do a site-to-site VPN with one side being a dynamic IP and tunnel everything except a single destination. I am not able to find any information on this... I can set up Easy VPN and get it tunneling everything, but I need to exclude a certain destination.

2 Accepted Solutions


10 Replies

rizwanr74
Level 7

Hi Michael,

You include the networks in the no-nat and split-tunnel ACL, so that your client tunnel will include only the networks you included in the no-nat ACL and split-tunnel ACL.

! NAT exemption ACL and split-tunnel ACL: only the networks listed here go through the tunnel
access-list no-nat extended permit ip 172.22.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list ezvpn1 extended permit ip 172.22.1.0 255.255.255.0 172.16.1.0 255.255.255.0
! The group policy pushes the split-tunnel list (ezvpn1) to the Easy VPN client
group-policy myGROUP internal
group-policy myGROUP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ezvpn1

MyASA#show crypto ipsec sa
interface: outside
    Crypto map tag: myDYN-MAP, seq num: 5, local addr: 10.20.20.1

      local ident (addr/mask/prot/port): (172.22.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
      current_peer: 10.10.10.1, username: cisco
      dynamic allocated peer ip: 0.0.0.0

Hope this helps.

Thanks

Rizwan Rafeek

I need to tunnel everything except a specified destination. Maybe a route-map? The excluded list does not work for a hardware client using Easy VPN.

Remote site: need to tunnel all internet traffic through the VPN to HQ and route it through the web filter. However, we have VoIP phones there that go elsewhere... ASA 5505 hardware client, Easy VPN back to the HQ 5505.

How would you design this?

Example:

Remote Site 1 ->> internet --> HQ 5505 - all internet traffic needs to come here..

Remote Site 1 ->> internet ->> voip provider -- all sip traffic needs to go here.

There should be no local lan access.

In the no-nat ACL and split-tunnel ACL, you can add, at the very first lines, deny entries for the subnets or IP hosts that you do not want to go via the tunnel, and then permit all IP ranges from 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.

Have you tried this method?

Thanks

Rizwan Rafeek

rizwanr74

Yes I have. Split tunnel ACLs do not accept deny; they are based on the source IP only. With EzVPN the configuration is pushed to the client device; however, hardware clients do not allow local LAN access to be enabled and therefore do not use the excluded list.

Since you want to push everything into the tunnel, except selected segments excluded from the tunnel, you do not need split-tunnel to begin with. Therefore you can include the deny lines for excluded subnets or hosts in the no-nat ACL alone.

What is included in the no-nat ACL as permits will be injected into the remote hardware client's tunnel, and likewise the denies in that ACL (i.e. no-nat) will be excluded from going into the tunnel from the remote hardware client.

I hope that makes sense.

Look forward to hearing from you.

Thanks

Rizwan Rafeek.
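The ordering rule in the replies above (deny the excluded destinations on the first lines, then permit the ranges that should go via the tunnel) is easy to get wrong, so here is a small first-match ACL evaluator as an added example. It is not code from this thread or from Cisco. It assumes plain first-match semantics for ip-only extended ACEs, uses constructed addresses from the documentation ranges (198.51.100.10 stands in for the excluded destination, 203.0.113.7 for an arbitrary internet host, 172.16.1.0/24 for the remote LAN), and says nothing about what the ASA actually pushes to an Easy VPN hardware client, which is the point disputed later in the thread. It also flags a deny that is shadowed by an earlier, broader permit and can therefore never match.

```python
"""First-match evaluator for ASA-style extended ACL entries (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Ace:
    action: str                    # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _take_net(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(tokens[0] + "/" + tokens[1]), tokens[2:]


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME extended {permit|deny} ip SRC DST' (ip-only ACEs)."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "extended" or t[4] != "ip":
        raise ValueError("unsupported ACE: " + line)
    if t[3] not in ("permit", "deny"):
        raise ValueError("bad action in ACE: " + line)
    src, rest = _take_net(t[5:])
    dst, rest = _take_net(rest)
    if rest:
        raise ValueError("trailing tokens in ACE: " + line)
    return Ace(t[3], src, dst)


def classify(acl: List[Ace], src: str, dst: str) -> str:
    """First matching ACE decides: permit -> 'tunnel', deny -> 'exclude'.
    No match falls through to the implicit deny at the end, i.e. 'exclude'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return "tunnel" if ace.action == "permit" else "exclude"
    return "exclude"


def shadowed_denies(acl: List[Ace]) -> List[int]:
    """Indexes of deny ACEs that can never match because an earlier permit
    already covers both their source and destination (why denies go first)."""
    out = []
    for i, ace in enumerate(acl):
        if ace.action != "deny":
            continue
        for earlier in acl[:i]:
            if (earlier.action == "permit"
                    and ace.src.subnet_of(earlier.src)
                    and ace.dst.subnet_of(earlier.dst)):
                out.append(i)
                break
    return out


# Constructed sample lists (documentation-range addresses, not values from the thread).
# Deny the excluded host first, then permit the private ranges, as the reply proposes.
SPLIT_LIST = [parse_ace(l) for l in [
    "access-list no-nat extended deny ip 172.16.1.0 255.255.255.0 host 198.51.100.10",
    "access-list no-nat extended permit ip 172.16.1.0 255.255.255.0 10.0.0.0 255.0.0.0",
    "access-list no-nat extended permit ip 172.16.1.0 255.255.255.0 172.16.0.0 255.240.0.0",
    "access-list no-nat extended permit ip 172.16.1.0 255.255.255.0 192.168.0.0 255.255.0.0",
]]

# Full-tunnel variant for "everything except one destination": deny first, then permit any.
FULL_TUNNEL = [parse_ace(l) for l in [
    "access-list no-nat extended deny ip any host 198.51.100.10",
    "access-list no-nat extended permit ip any any",
]]

# The same two lines in the wrong order: the deny is shadowed and never matches.
WRONG_ORDER = [parse_ace(l) for l in [
    "access-list no-nat extended permit ip any any",
    "access-list no-nat extended deny ip any host 198.51.100.10",
]]

if __name__ == "__main__":
    for name, acl in (("split", SPLIT_LIST), ("full", FULL_TUNNEL), ("wrong", WRONG_ORDER)):
        for dst in ("198.51.100.10", "172.22.1.9", "203.0.113.7"):
            print(name, "172.16.1.5 ->", dst, classify(acl, "172.16.1.5", dst))
        print(name, "shadowed deny indexes:", shadowed_denies(acl))
```

Run it as a script to see each list classify the excluded host, an HQ-side private address and an internet address; the private-range list sends internet traffic to the implicit deny (not tunneled), which is why the "tunnel everything except one host" case needs a trailing permit any any rather than the RFC1918 permits.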

It does... I'll give it a shot..

access-list inside_nat0_outbound extended deny ip any host       

nope, no go.

Have you tried, on the hardware client, a static route to push certain traffic to a specific IP address instead of to the Easy VPN server's address?

Michael Adams
Level 1

deny in the no nat worked

Ok, so that didn't work actually.

The no-nat does not work, and the site is a dynamic IP, which doesn't allow me to configure a static route to the outside interface due to setroute? After doing some research I don't see Easy VPN allowing the no-nat to be pushed to the hardware client; it strictly relies on the split-tunnel ACL.

any further assistance would be much appreciated

This was solved by not using Easy VPN, but instead using a dynamic VPN configuration.