Cisco Support Community

New Member

Routing help


I've got a VPN connected between my head office and a small remote office. All works except the remote office can't get onto the internet.

I assume by default the internet traffic from the remote office will travel down the VPN. So I wondered what the next step is?

I have attached the configuration of the remote office's Cisco 877. The 877 VPNs to a Cisco ASA 5520. The ASA is also where the internet should be accessed. The ASA's outside interface connects to our internet router.

On the ASA I have added on the inside a permit rule for to any on http/https and UDP domain.


Re: Routing help

In the config all I see for the tunnel access is:

access-list 101 remark SDM_ACL Category=20
access-list 101 permit ip
access-list 101 permit ip
access-list 101 permit ip

These are the only networks this tunnel is allowed to access.

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key 12345 address

crypto ipsec transform-set MY_T_Set esp-aes 256 esp-sha-hmac

crypto map MY_Crypto_Map 10 ipsec-isakmp
 set peer
 set security-association lifetime seconds 28800
 set transform-set MY_T_Set
 set pfs group5
 match address 101 <---ACL to match

If you need the remote site to access other resources you will need to add it there I believe.

New Member

Re: Routing help

So will I have to remove my 3 subnets and replace with:

access-list 101 permit ip any

I really just wanted those subnets and the internet over the tunnel.


Re: Routing help

One thing I would do is be very basic in the ACL to find out if that is the issue.

One way to do this would be to do as you suggest. This would take all traffic from that subnet and allow access to anything. If that works you can get more granular in the settings. One question: if the site has an internet connection, why have the internet traffic go through the tunnel and then out the head office connection? Why not split the traffic, so all business traffic to the office goes through the tunnel and all other traffic goes out the internet?
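As an added illustration (not config or code from the thread), the Python below models how an IOS crypto-map ACL decides which flows are "interesting" and therefore encrypted. With the three explicit head-office subnets, a packet from the remote LAN to an internet address matches nothing, hits the implicit deny, and is routed in the clear instead of into the tunnel; with `permit ip <lan> any` it is tunnelled. The subnet values are constructed, since the post elided them, and the ASA's mirrored crypto ACL must use the same form or Phase 2 will not come up.

```python
import ipaddress

# Constructed sample values: the thread's own subnets were elided from the post.
# Crypto ACL in the shape the 877 config shows: three explicit head-office networks.
SPLIT_ACL = """
access-list 101 remark SDM_ACL Category=20
access-list 101 permit ip 192.168.10.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 10.2.0.0 0.0.255.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 172.16.5.0 0.0.0.255
"""

# The "permit ip <lan> any" form suggested in the reply: every flow from the LAN is tunnelled.
FULL_TUNNEL_ACL = """
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
"""

def _wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair into an ip_network (wildcard is the inverted mask)."""
    mask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    prefixlen = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard} is not a subnet")
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)

def _parse_match(tokens):
    """Consume 'any' or 'ADDR WILDCARD' from the token list; return (network, remaining)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return _wildcard_to_network(tokens[0], tokens[1]), tokens[2:]

def parse_crypto_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines; remark and blank lines are skipped."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] == "remark":
            continue
        src, rest = _parse_match(t[4:])
        dst, _ = _parse_match(rest)
        rules.append((t[2], src, dst))
    return rules

def is_interesting(rules, src_ip, dst_ip):
    """First match wins. True: flow enters the IPsec tunnel. False: routed in the clear."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in rules:
        if s in src and d in dst:
            return action == "permit"
    return False  # implicit deny at the end of every IOS ACL: not interesting, bypasses IPsec
```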

New Member

Re: Routing help

I will try this and get back to you.

A couple of things though,

1.) How could I split the traffic just for my knowledge?

2.) Also, my company requires that all web traffic come through our HQ's internet pipe so we can monitor users' web traffic and block sites etc. I can't see how I can get more granular, as I would need the "any" for the destination since they would need to get to any internet site?

3.) I have Cisco Client VPN users coming into the ASA and they can access the Internet through the tunnel; all I had to do was add a dynamic NAT onto the outside interface of the ASA. Do client VPNs work differently from site-to-site VPNs?