Use the CMAK to create a connectoid that has the option to not use the remote connection as the default gateway. Deploy that connectoid to your users. If you can't deploy the connectoid, simply have your users edit the properties of the connection thusly: Properties >> Networking Tab >> TCP/IP v4 properties >> Advanced >> Disable "Use default gateway on remote network". Works like a charm.
Alter the ACLs controlling your tunnel policy to permit the traffic:
Site A:
access-list outside_cryptomap_A extended permit ip any object-group site_b_hosts
no access-list outside_cryptomap_A extended permit ip object-group site_a_hosts object-group site_b_hosts
Site B:
access-list outside_cryptomap_B extended permit ip object-group site_b_hosts any
no access-list outside_cryptomap_B extended permit ip object-group site_b_hosts object-group site_a_hosts
Traffic coming through this tunnel will be coming in the outside interface, getting decrypted, and going right back out the outside interface (I hope this works for your web filter!), so you'll need to account for that, too:
(config disclaimer: this is 8.2 config, adjust accordingly)
same-security-traffic permit intra-interface
nat (outside) 1 10.X.X.0 255.255.255.0
With this in place, all traffic will catch the encryption policy and the tunnel will build with local/remote networks of 0.0.0.0/0.
testasa# show crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 100, local addr: X.X.X.X
access-list outside_cryptomap_A permit ip any object-group site_b_hosts
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.X.X.0/255.255.255.0/0/0)
current_peer: test-endpoint-public
#pkts encaps: 719, #pkts encrypt: 719, #pkts digest: 719
#pkts decaps: 626, #pkts decrypt: 626, #pkts verify: 626
Best Answer
In Vista:
Go into the Control Panel and click the “Network and Sharing Center” icon.
On the left panel of the resulting screen you should see a link, “Manage network connections.” Click it.
The next screen will have icons for all of your connections. There should be one for your VPN. Right-click it and select “Properties” from the menu.
In the “Properties” screen, click the “Networking” tab and then select “Internet Protocol Version 4” and click the “Properties” button.
Click the “Advanced” button. This will bring up a new window where you can un-check “Use default gateway on remote network.”
OK out to save everything.
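The same setting that the first answer (CMAK connectoid / Advanced TCP/IP properties) and the Vista walkthrough above flip by hand can be applied from a script. The block below is an added example, not code from anyone in the thread. It assumes a connection named "Corp VPN" (a placeholder), uses the VpnClient module cmdlets where they exist (Windows 8 / Server 2012 and later), and on older clients falls back to editing the IpPrioritizeRemote key in the per-user RAS phonebook, which is what the "Use default gateway on remote network" checkbox writes.

```powershell
# Added example (not from the original thread). Turns off "Use default gateway
# on remote network" for an existing VPN connection and verifies the route table.
# "Corp VPN" is an assumed placeholder name; substitute the real connection name.
function Disable-VpnRemoteGateway {
    param([Parameter(Mandatory)][string]$ConnectionName)

    if (Get-Command Set-VpnConnection -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012+: -SplitTunneling $true is the cmdlet form of
        # un-checking "Use default gateway on remote network".
        Set-VpnConnection -Name $ConnectionName -SplitTunneling $true -Force
        return (Get-VpnConnection -Name $ConnectionName).SplitTunneling
    }

    # Vista / Windows 7: no cmdlets, so edit the phonebook entry directly.
    # IpPrioritizeRemote=1 means "use remote gateway", 0 means "do not".
    $pbk = Join-Path $env:APPDATA 'Microsoft\Network\Connections\Pbk\rasphone.pbk'
    if (-not (Test-Path $pbk)) { throw "Phonebook not found: $pbk" }

    # Read with BOM detection and write back in the same encoding so the file
    # stays readable by rasphone.
    $reader = New-Object System.IO.StreamReader($pbk, $true)
    $text   = $reader.ReadToEnd()
    $enc    = $reader.CurrentEncoding
    $reader.Close()

    $inSection = $false
    $changed   = $false
    $out = foreach ($line in ($text -split "`r?`n")) {
        if ($line -match '^\[(.+)\]\s*$') {
            # Only touch keys inside the [Corp VPN] section, not other entries.
            $inSection = ($Matches[1] -eq $ConnectionName)
        }
        if ($inSection -and $line -match '^IpPrioritizeRemote=') {
            $changed = $true
            'IpPrioritizeRemote=0'
        } else {
            $line
        }
    }
    if (-not $changed) { throw "No IpPrioritizeRemote key found for '$ConnectionName'" }
    [System.IO.File]::WriteAllText($pbk, ($out -join "`r`n"), $enc)
    return $true
}

# After the user reconnects, the 0.0.0.0/0 route must still belong to the
# physical adapter. If the VPN adapter shows up here, the setting did not take.
function Test-DefaultRouteNotVpn {
    param([Parameter(Mandatory)][string]$ConnectionName)
    if (Get-Command Get-NetRoute -ErrorAction SilentlyContinue) {
        $defaults = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue
        return -not ($defaults | Where-Object { $_.InterfaceAlias -eq $ConnectionName })
    }
    # Older clients: fall back to parsing "route print" output.
    $table = route print 0.0.0.0 | Out-String
    return -not ($table -match [regex]::Escape($ConnectionName))
}

Disable-VpnRemoteGateway -ConnectionName 'Corp VPN'
Test-DefaultRouteNotVpn  -ConnectionName 'Corp VPN'
```

Two caveats before rolling this out. Once the remote gateway is off, the client only routes the VPN server's directly attached subnet through the tunnel; any further internal networks need explicit routes (on Windows 10 and later, Add-VpnConnectionRoute -ConnectionName 'Corp VPN' -DestinationPrefix '10.0.0.0/8' does this per connection). And this is split tunneling by definition: the user's Internet traffic now bypasses whatever filtering sits behind the VPN concentrator, so make sure that is an accepted trade-off rather than an accident.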