Is it possible to split tunnel on permanent l2l VPN?

Discussion in 'Cisco' started by LVsFINEST, Apr 24, 2009.

    So here's the scenario...

    I have a remote user who has a Cisco 881 running 12.4 IOS that connects to our corporate ASA 5510 via IPsec l2l VPN. He also has a consumer D-Link router that he would like to put behind the 881 for his family's PCs. The thing is, he does not want his family's traffic routed through the VPN.

    Hopefully this can be done via the IOS so he doesn't have to resort to other VPN solutions like the Cisco VPN client or EasyVPN.

    Current Config:
    =====================================
    Building configuration...

    Current configuration : 3783 bytes
    !
    version 12.4
    configuration mode exclusive auto
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec
    service timestamps log datetime msec localtime show-timezone
    no service password-encryption
    service sequence-numbers
    !
    hostname Cisco881
    !
    boot-start-marker
    boot-end-marker
    !
    logging message-counter syslog
    logging buffered 4096 informational
    no logging console
    no logging monitor
    enable secret 5 xxxxxx
    !
    aaa new-model
    !
    !
    !
    !
    aaa session-id common
    clock timezone XXX -X
    clock summer-time XXX recurring
    !
    !
    no ip source-route
    ip dhcp excluded-address 192.168.97.1
    !
    ip dhcp pool inside
    import all
    network 192.168.97.0 255.255.255.0
    default-router 192.168.97.1
    option 150 ip xxx.xxx.xxx.xxx
    dns-server xxx.xxx.xxx.xxx
    !
    !
    ip cef
    no ip bootp server
    ip domain name xxxxxxxxxxxx
    ip name-server xxx.xxx.xxx.xxx
    ip name-server xxx.xxx.xxx.xxx
    !
    !
    !
    !
    username xxx.xxx.xxx.xxx privilege 15 secret 5 xxx.xxx.xxx.xxx
    username xxx.xxx.xxx.xxx secret 5 xxx.xxx.xxx.xxx
    !
    !
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key xxxxxxxxxxxx address xxx.xxx.xxx.xxx
    !
    !
    crypto ipsec transform-set vpn esp-3des esp-sha-hmac
    !
    crypto map CMAP_1 1 ipsec-isakmp
    description Tunnel to xxx.xxx.xxx.xxx
    set peer xxx.xxx.xxx.xxx
    set transform-set vpn
    match address 100
    !
    archive
    log config
    logging enable
    logging size 200
    notify syslog contenttype plaintext
    hidekeys
    !
    !
    ip tcp synwait-time 10
    ip ssh time-out 60
    ip ssh authentication-retries 2
    ip ssh version 2
    ip scp server enable
    !
    !
    !
    interface FastEthernet0
    no cdp enable
    !
    interface FastEthernet1
    no cdp enable
    !
    interface FastEthernet2
    no cdp enable
    !
    interface FastEthernet3
    no cdp enable
    !
    interface FastEthernet4
    description WAN - FW_OUTSIDE
    ip address dhcp
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    no cdp enable
    crypto map CMAP_1
    !
    interface Vlan1
    description LAN - FW_INSIDE
    ip address 192.168.97.1 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat inside
    ip virtual-reassembly
    ip tcp adjust-mss 1452
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 FastEthernet4
    ip http server
    ip http authentication local
    no ip http secure-server
    ip http timeout-policy idle 5 life 86400 requests 10000
    !
    !
    ip nat inside source route-map RMAP_1 interface FastEthernet4 overload
    !
    access-list 1 permit 192.168.97.0 0.0.0.255
    access-list 12 remark SNMP Access ACL
    access-list 12 permit xxx.xxx.xxx.xxx 0.0.0.255 log
    access-list 12 remark allow network management subnet
    access-list 12 permit xxx.xxx.xxx.xxx 0.0.0.255 log
    access-list 12 remark allow network monitoring subnet
    access-list 12 deny any log
    access-list 100 permit ip 192.168.97.0 0.0.0.255 any
    access-list 101 remark allow network management subnet
    access-list 101 permit tcp xxx.xxx.xxx.xxx 0.0.0.255 host 0.0.0.0 range 22 telnet log-input
    access-list 101 remark allow network monitoring subnet
    access-list 101 permit tcp host xxx.xxx.xxx.xxx host 0.0.0.0 range 22 telnet log-input
    access-list 101 permit tcp host xxx.xxx.xxx.xxx host 0.0.0.0 range 22 telnet log-input
    access-list 101 deny ip any any log-input
    no cdp run
    !
    !
    !
    route-map RMAP_1 permit 1
    match ip address 100
    !
    !
    control-plane
    !
    !
    line con 0
    exec-timeout 0 0
    password xxxxxxxxxxx
    no modem enable
    line aux 0
    line vty 0 4
    access-class 101 in
    exec-timeout 15 0
    privilege level 15
    password xxxxxxxxxxx
    transport input ssh
    !
    scheduler max-task-time 5000
    end
    =====================================

    I'm guessing it could be done by just modifying the ACL(s) and/or route-map, but I don't want to block out time for attempting this without getting some sort of confirmation that this is even possible first. I see all kinds of example configs using EasyVPN and/or a VPN client, but nothing like this (l2l VPN).

    So, is it possible to split traffic using the above config?
     
    LVsFINEST, Apr 24, 2009
    #1
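The split-tunnel layout the question is asking about, as an added example that is not part of the original post or the poster's running config. In the posted config the crypto map (`match address 100`) and the NAT route-map (`RMAP_1`) both point at access-list 100, which permits the whole 192.168.97.0/24 to `any`; splitting the traffic comes down to narrowing the crypto ACL to corporate destinations, denying exactly that traffic in the NAT ACL, and putting the D-Link on its own VLAN so the family subnet can never match the crypto map. The addressing is assumed for illustration: 10.0.0.0/8 stands for the corporate networks behind the ASA, 192.168.98.0/24 is a new family subnet on VLAN 2, and FastEthernet1 is the 881 switch port the D-Link's WAN port plugs into. The remaining `xxx` values are left as in the post.

```cisco
! Added example, not the poster's config.  Assumed values, change to match
! your network:
!   10.0.0.0/8      - corporate networks reachable through the ASA tunnel
!   192.168.98.0/24 - new "family" subnet on VLAN 2, never sent into the tunnel
!   FastEthernet1   - 881 switch port the D-Link WAN port plugs into
!
! 1. Crypto ACL: only corporate-bound traffic is "interesting".  The old
!    "access-list 100 permit ip 192.168.97.0 0.0.0.255 any" pulled everything
!    into the tunnel.  The ASA's crypto ACL for this peer must be the exact
!    mirror of this one or phase 2 fails on proxy identities.
ip access-list extended VPN_TRAFFIC
 permit ip 192.168.97.0 0.0.0.255 10.0.0.0 0.255.255.255
!
! 2. NAT ACL: on IOS, inside-to-outside NAT is applied before the crypto map
!    is checked, so tunnel-bound traffic must be denied here.  Otherwise it
!    reaches the crypto map with the WAN address as source and never matches
!    VPN_TRAFFIC.  Everything else (work LAN to the Internet, the whole family
!    subnet) is PAT'd out FastEthernet4 exactly as before.
ip access-list extended NAT_TRAFFIC
 deny   ip 192.168.97.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 192.168.97.0 0.0.0.255 any
 permit ip 192.168.98.0 0.0.0.255 any
!
route-map RMAP_1 permit 1
 match ip address NAT_TRAFFIC
!
crypto map CMAP_1 1 ipsec-isakmp
 match address VPN_TRAFFIC
!
! access-list 100 is now unreferenced and can go: "no access-list 100"
!
! 3. Separate VLAN for the family.  Keeping the D-Link off VLAN 1 means its
!    traffic can never match the crypto ACL, and it can be kept away from the
!    work LAN, the corporate networks and the 881's own management plane.
!    (Some 12.4 images create VLANs from "vlan database" exec mode instead.)
vlan 2
!
interface FastEthernet1
 description D-Link WAN port
 switchport access vlan 2
!
interface Vlan2
 description LAN - FAMILY
 ip address 192.168.98.1 255.255.255.0
 ip access-group FAMILY_IN in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip access-list extended FAMILY_IN
 remark family VLAN: Internet only; nothing to the work LAN, corporate nets or the 881
 permit udp any eq bootpc any eq bootps
 deny   ip any 192.168.97.0 0.0.0.255 log
 deny   ip any 10.0.0.0 0.255.255.255 log
 deny   ip any host 192.168.98.1 log
 permit ip 192.168.98.0 0.0.0.255 any
!
! The family pool uses "import all" only, so the D-Link gets the ISP's DNS
! servers from the WAN lease rather than the corporate dns-server used by
! the "inside" pool.
ip dhcp excluded-address 192.168.98.1
ip dhcp pool family
 import all
 network 192.168.98.0 255.255.255.0
 default-router 192.168.98.1
```

After applying it, `show crypto map` should list VPN_TRAFFIC under CMAP_1, `show crypto ipsec sa` should show local/remote identities of 192.168.97.0/24 and 10.0.0.0/8 only, and `show ip nat translations` should contain no entries whose destination is in 10.0.0.0/8; the `log` keywords on the FAMILY_IN denies make `show access-lists FAMILY_IN` a quick check that a PC on the D-Link side cannot reach the work LAN. One policy point to settle with whoever owns the ASA before doing this: the work LAN's Internet traffic currently rides the tunnel and gets whatever inspection the corporate edge applies, and after the split it goes straight out the 881's WAN interface with only the 881's own filtering in the path.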