Cisco VPN Traffic

[cisco222]

Hey Guys,

Hope you can help

I have a site to site VPN setup (IPSEC) which seems to be all working well between 2 ASA'S.
A site in Manchester and London. I want to ensure that the Manchester ASA is not sending all internet traffic to London and back again and just uses it locally. What type of access list would i define in Manchester for this to happen so all traffic for browsing the internet doesn't go over the vpn and uses the local connection.

Thanks

J

 

[unclerico]

your crypto acl's that you define for interesting traffic determine what is sent across the vpn tunnel and what is not. if site 1 has local network of 192.168.1/24 and site 2 has local network of 192.168.2/24, then site 1 would have a crypto acl along the lines of access-list site1_site2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 and site 2 would have the mirror opposite access-list site2_site1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0. depending on what version of code you are running your nat exemption acl's will exempt the traffic from the NAT process (NAT configs from code < 8.3 is a lot different than NAT configs > 8.3). your crypto acl's and NAT exemption configs will keep traffic destined from the internet from crossing the VPN tunnel.

 

[cisco222]

Thanks for this. Made it nice and easy to understand.