https://community.cisco.com/t5/network-security/exclude-1-host-ip-address-from-vpn-tunnel/m-p/2348446#M342779 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Would have to fire up my ASA running 8.2 to confirm the above NAT0 ACL operation. But again I am not sure if that is the software level you are using.</P><P></P><P>If the above reply answered your question, please remember to mark the reply as the correct answer.</P><P></P><P>Feel free to ask more if needed though.</P><P></P><P>- Jouni</P></BODY></HTML> Thu, 19 Sep 2013 06:11:37 GMT Jouni Forss 2013-09-19T06:11:37Z https://community.cisco.com/t5/network-security/exclude-1-host-ip-address-from-vpn-tunnel/m-p/2348443#M342759 <P>Hi Experts,</P><P></P><P>May I ask your help on this? </P><P></P><P><STRONG>Current setup:</STRONG></P><P><SPAN style="font-size: 10pt;">L2L VPN between site1 and site2</SPAN></P><P>[site1]--------------------[internet]-------------------[site2]</P><P>10.0.100.0/24-----------------------------10.0.1.0/24</P><P></P><P><STRONG>Planned setup:</STRONG></P><P>L2L VPN between site1 and site2</P><P>[site1]--------------------[internet]-------------------[site2]</P><P>10.0.100.0/24-----------------------------10.0.1.0/24</P><P> with 1 host (10.0.100.50) excluded on the NAT Process for Site-to-site VPN thus NATting him directly to the internet.</P><P></P><P>Has someone done this before? </P><P></P><P>I'm planning to add 10.0.100.50 to be denied on the access-list from the VPN Traffic.</P><P>Dunno if that will work though.</P><P></P><P>Hope someone could give their thoughts on this.</P><P></P><P>Thank you.</P><P></P><P></P><P>Regards,</P><P></P><P>Jem</P> Tue, 12 Mar 2019 02:40:33 GMT https://community.cisco.com/t5/network-security/exclude-1-host-ip-address-from-vpn-tunnel/m-p/2348443#M342759 santiago.jem 2019-03-12T02:40:33Z https://community.cisco.com/t5/network-security/exclude-1-host-ip-address-from-vpn-tunnel/m-p/2348444#M342761 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I would imagine that it would be the easiest to simply block this hosts traffic towards the remote site in the interface ACL of this hosts local firewall/vpn device rather than doing this with NAT.</P><P></P><P>I am not sure what software level you are running and what devices you are using.</P><P></P><P>If I dont remember wrong, I think you could use <STRONG>"deny"</STRONG> statements in the 8.2 (and below) software levels which would essentially ignore the NAT0 for some hosts while do it for others.</P><P></P><P>Something like</P><P></P><P><STRONG>access-list INSIDE-NAT0 deny ip host 10.0.100.50 10.0.1.0 255.255.255.0</STRONG></P><P><STRONG>access-list INSIDE-NAT0 permit ip 10.0.100.0 255.255.255.0 10.0.1.0 255.255.255.0</STRONG></P><P></P><P><STRONG>nat (inside) 0 access-list INSIDE-NAT0</STRONG></P><P></P><P>The above is just an example.</P><P></P><P>I dont think this is even possible in the newer 8.3 (and above) software levels as they dont use ACLs for NAT rules anymore.</P><P></P><P>But again, if limiting access is your aim I would suggest using interface ACL</P><P></P><P>- Jouni</P></BODY></HTML> Wed, 18 Sep 2013 22:13:15 GMT https://community.cisco.com/t5/network-security/exclude-1-host-ip-address-from-vpn-tunnel/m-p/2348444#M342761 Jouni Forss 2013-09-18T22:13:15Z https://community.cisco.com/t5/network-security/exclude-1-host-ip-address-from-vpn-tunnel/m-p/2348445#M342769 <HTML><HEAD></HEAD><BODY><P>Thank for the reply Jouni! </P><P></P><P>Yes I think I might go with denying that IP address host on the access-list.</P><P></P><P></P><P>Cheers,</P><P></P><P>Jem</P></BODY></HTML> Thu, 19 Sep 2013 02:13:36 GMT https://community.cisco.com/t5/network-security/exclude-1-host-ip-address-from-vpn-tunnel/m-p/2348445#M342769 santiago.jem 2013-09-19T02:13:36Z https://community.cisco.com/t5/network-security/exclude-1-host-ip-address-from-vpn-tunnel/m-p/2348446#M342779 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Would have to fire up my ASA running 8.2 to confirm the above NAT0 ACL operation. But again I am not sure if that is the software level you are using.</P><P></P><P>If the above reply answered your question, please remember to mark the reply as the correct answer.</P><P></P><P>Feel free to ask more if needed though.</P><P></P><P>- Jouni</P></BODY></HTML> Thu, 19 Sep 2013 06:11:37 GMT https://community.cisco.com/t5/network-security/exclude-1-host-ip-address-from-vpn-tunnel/m-p/2348446#M342779 Jouni Forss 2013-09-19T06:11:37Z