Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
625
Views
5
Helpful
4
Replies

exclude networks from L2L vpn tunnel

lmark
Level 1
Level 1

‎10-26-2010 09:24 AM

We have a L2L tunnel between our main site an a branch office.

All traffic from the branch office is sent through the tunnel using

an access list with "any" as destination:

access-list tunnel-acl  extended permit ip 10.0.1.0 255.255.255.0 any

...

crypto map outside-map 10 match address tunnel-acl

...

The branch is located on a uni campus. Now we have the demand

to access a private network on the uni campus.

Is there a way to exclude a special network from the vpn tunnel?

Regards,

Mark

Labels:
0 Helpful
4 Replies 4

lmark
Level 1
Level 1

‎10-27-2010 12:21 AM

The tunnel end points are two ASA5510.

For remote-access tunnels one can define a

list of networks to be excluded for split-tunneling.

I wonder how this can be realized for l2l tunnels?

0 Helpful

Jason Gervia
Cisco Employee
Cisco Employee

‎10-27-2010 04:22 AM

You can try a deny line as the first line in the ACL - though we  typically don't recommend this.  There is no 'split tunneling' with L2L,  as your crypto ACL controls what you are sending.

You  could also just be specific in the ACL for the networks you need -  instead of putting 'any', put just the networks that need to be accessed  and exclude the ones (like the one you don't want encrypted) from that  ACL.  This is usually what's done with L2L tunnels.

ie:

access-list tunnel-acl  extended permit ip 10.0.1.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list tunnel-acl  extended permit ip 10.0.1.0 255.255.255.0 11.11.11.0 255.255.255.0

And this way you only encrypt the traffic that you want to encrypt, instead of all traffic.

--Jason

lmark
Level 1
Level 1
In response to Jason Gervia

‎10-27-2010 08:57 AM

> You can try a deny line as the first line in the ACL - though we   typically don't recommend this.

cool, I will try it. I guess that the deny rule is only needed at the branch asa.

We have to keep the "any"-rule because also the internet traffic

should go through the tunnel.

0 Helpful

Kelvin Willacey
Level 4
Level 4
In response to lmark

‎10-27-2010 11:33 AM

lmark you can utilize the vpn filter feature you use on your remote access vpns on your l2l as well.

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents