Cisco Support Community

Help with site-to-site VPN - need to route some traffic to internet

Hello,

I have configured a site-to-site VPN over a DSL as a remote location to our corp ASA.  It all seems to be working and the DSL site can access the many subnets we have. However, we have a requirement where some hard-coded devices on the DSL site need to get to a web site at 80.171.156.78, which is off our corp ASA, and I want that traffic to go over the Internet rather than through the VPN, as I'd otherwise have to do something with NAT to make this public address accessible 'internally' through the VPN.

See, these handheld devices are hard-coded to get to 80.171.156.78 so they can use their 3G or home wifi to get there. Now we have a VPN and have installed wifi, so they connect and try to get to 80.171.156.60 through the VPN, so I wanted to see if I can do some split tunneling?

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
! Passwords are stored in clear text in this running config
no service password-encryption
!
hostname ciscodsl
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
!
dot11 syslog
ip source-route
!
no ip dhcp use vrf connected
!
! Local DHCP scope for the DSL-site LAN; DNS is handed out from corp
! (192.168.21.x), so name resolution already depends on the tunnel
ip dhcp pool my-Pool
   network 192.168.200.0 255.255.255.0
   default-router 192.168.200.1
   dns-server 192.168.21.10 192.168.21.11
!
ip cef
ip domain name AW
ip name-server 4.2.2.2
no ipv6 cef
!
multilink bundle-name authenticated
!
! IKE phase 1: pre-shared key with the corp ASA (values masked in the post)
crypto isakmp policy 100
 encr *
 authentication pre-share
crypto isakmp key **** address 80.171.156.*
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set AW-TSET *
!
! IPsec phase 2: the crypto ACL (123) decides what is sent into the tunnel
crypto map AWCCNP 321 ipsec-isakmp
 set peer 80.171.156.*
 set transform-set AW-TSET
 set pfs *
 match address 123
!
archive
 log config
  hidekeys
!
! DSL: PPPoA over ATM, terminated on Dialer1
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface FastEthernet0
 spanning-tree portfast
!
interface FastEthernet1
 spanning-tree portfast
!
interface FastEthernet2
 spanning-tree portfast
!
interface FastEthernet3
 spanning-tree portfast
!
! LAN side (the DHCP scope above); there is no NAT configured anywhere on
! this router, so this subnet has no direct path to the Internet
interface Vlan1
 ip address 192.168.200.1 255.255.255.0
 ip virtual-reassembly
!
! 11.0.0.0/8 is public address space, not RFC 1918
interface Vlan11
 ip address 11.11.11.1 255.255.255.0
!
! WAN side: negotiated public address, inbound filter and the crypto map
interface Dialer1
 ip address negotiated
 ip access-group inbound in
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname *
 ppp chap password 0 *
 ppp pap sent-username *
 ppp ipcp dns request
 crypto map AWCCNP
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
! Inbound filter on Dialer1: IPsec/IKE and management only from the corp
! peer, ICMP (minus timestamps), NTP from one server. Nothing here tracks
! state, so the final deny would also drop replies to any session that
! left the router outside the tunnel.
ip access-list extended inbound
 permit ahp host 80.171.156.60 any log
 permit esp host 80.171.156.60 any log
 permit udp host 80.171.156.60 any eq isakmp log
 permit udp host 80.171.156.60 any eq non500-isakmp log
 deny   icmp any any timestamp-request log
 deny   icmp any any timestamp-reply log
 permit icmp any any log
 permit udp host 158.43.128.33 any eq ntp log
 permit tcp host 80.171.156.60 any eq telnet log
 permit tcp host 80.171.156.60 any eq 22 log
 permit tcp host 80.171.156.60 any eq ftp-data log
 permit tcp host 80.171.156.60 any eq ftp log
 permit tcp host 80.171.156.60 any eq www log
 permit tcp host 80.171.156.60 any eq 443 log
 deny   ip any any log
!
! VTY access restricted to the corp peer
access-list 23 permit 80.171.156.60
! Crypto ACL: 192.168.200.0/24 to *any* destination goes into the tunnel,
! which is why the handhelds' traffic to the public web server reaches it
! via corp rather than directly
access-list 123 permit ip 192.168.200.0 0.0.0.255 any log
!
control-plane
!
line con 0
 logging synchronous
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 logging synchronous
 login local
 transport input ssh
!
scheduler max-task-time 5000
end

Thanks
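One way to split-tunnel a single public host on the router above, as an added example (this is not part of the original post nor a reply from the forum). It assumes the target is 80.171.156.78, as stated for the hard-coded devices (the post also mentions .60), that the IOS 12.4 image includes NAT, and that the target is only reached over HTTP/HTTPS; ACL number 110 and the sequence numbers 5 and 6 are chosen here, not taken from the post:

```cisco
! 1. Keep that one destination out of the tunnel. Sequence 5 lands before
!    the existing 'permit ip 192.168.200.0 0.0.0.255 any' (sequence 10), so
!    order is preserved without rewriting ACL 123.
ip access-list extended 123
 5 deny ip 192.168.200.0 0.0.0.255 host 80.171.156.78
!
! 2. Translate only that traffic to the negotiated Dialer1 address (PAT).
!    Everything else keeps its 192.168.200.x source and still matches the
!    crypto ACL, so the rest of the VPN behaves as before.
access-list 110 permit ip 192.168.200.0 0.0.0.255 host 80.171.156.78
ip nat inside source list 110 interface Dialer1 overload
!
interface Vlan1
 ip nat inside
!
interface Dialer1
 ip nat outside
!
! 3. The 'inbound' ACL on Dialer1 ends in 'deny ip any any', which would drop
!    the web server's replies. Permit only established TCP (ACK/RST set)
!    from that host, placed ahead of the existing entries; new inbound
!    connections from it stay blocked.
ip access-list extended inbound
 5 permit tcp host 80.171.156.78 eq www any established log
 6 permit tcp host 80.171.156.78 eq 443 any established log
!
! 4. Rebuild the IPsec SAs so the new proxy identities take effect, then
!    check that .78 traffic is translated rather than encrypted.
! clear crypto sa
! show ip access-lists 123
! show ip nat translations
! show ip access-lists inbound
! show crypto ipsec sa
```

Two caveats: if the ASA's crypto ACL is an exact mirror of ACL 123, add the matching deny on the ASA as well so both ends agree on the proxy identities; and the `established` entries are a stateless approximation, so on an image with the security feature set, `ip inspect` (CBAC) or a zone-based firewall on Dialer1 is the stronger replacement for step 3.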
