09-18-2013 03:02 PM - edited 03-11-2019 07:40 PM
Hi Experts,
May I ask your help on this?
Current setup:
L2L VPN between site1 and site2
[site1]--------------------[internet]-------------------[site2]
10.0.100.0/24-----------------------------10.0.1.0/24
Planned setup:
L2L VPN between site1 and site2
[site1]--------------------[internet]-------------------[site2]
10.0.100.0/24-----------------------------10.0.1.0/24
with 1 host (10.0.100.50) excluded from the NAT process for the site-to-site VPN, thus NATting it directly to the internet.
Has someone done this before?
I'm planning to add 10.0.100.50 to be denied on the access-list from the VPN Traffic.
Dunno if that will work though.
Hope someone could give their thoughts on this.
Thank you.
Regards,
Jem
09-18-2013 03:13 PM
Hi,
I would imagine that it would be the easiest to simply block this host's traffic towards the remote site in the interface ACL of this host's local firewall/VPN device rather than doing this with NAT.
I am not sure what software level you are running and what devices you are using.
If I don't remember wrong, I think you could use "deny" statements in the 8.2 (and below) software levels, which would essentially ignore the NAT0 for some hosts while doing it for others.
Something like
access-list INSIDE-NAT0 deny ip host 10.0.100.50 10.0.1.0 255.255.255.0
access-list INSIDE-NAT0 permit ip 10.0.100.0 255.255.255.0 10.0.1.0 255.255.255.0
nat (inside) 0 access-list INSIDE-NAT0
The above is just an example.
I don't think this is even possible in the newer 8.3 (and above) software levels as they don't use ACLs for NAT rules anymore.
But again, if limiting access is your aim I would suggest using an interface ACL.
- Jouni
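Both approaches from the reply above written out as a full ASA 8.2-style configuration. This is an added example, not config from the thread; it assumes interfaces named "inside" and "outside", the ACL names shown, and the 8.2-era behaviour of "deny" lines in a NAT0 ACL that Jouni describes.

```cisco
! Added example (not from the thread). Assumes ASA 8.2 syntax, interfaces named
! "inside" and "outside", and that the deny-in-NAT0 behaviour described above applies.
!
! 1) NAT exemption for the tunnel with 10.0.100.50 excluded. ACL lines are matched
!    top-down, so the deny must come first. That host then falls through to the
!    dynamic PAT rule below and reaches the internet with the outside address,
!    which is what "NATting it directly to the internet" means in practice.
access-list INSIDE-NAT0 extended deny ip host 10.0.100.50 10.0.1.0 255.255.255.0
access-list INSIDE-NAT0 extended permit ip 10.0.100.0 255.255.255.0 10.0.1.0 255.255.255.0
nat (inside) 0 access-list INSIDE-NAT0
nat (inside) 1 10.0.100.0 255.255.255.0
global (outside) 1 interface
!
! 2) Interface ACL alternative: drop the host's traffic to the remote LAN on
!    ingress, before NAT or the crypto map see it. Again deny precedes permit.
access-list INSIDE-IN extended deny ip host 10.0.100.50 10.0.1.0 255.255.255.0
access-list INSIDE-IN extended permit ip 10.0.100.0 255.255.255.0 any
access-group INSIDE-IN in interface inside
!
! Check which rule the host actually hits (destination host is constructed):
! packet-tracer input inside tcp 10.0.100.50 12345 10.0.1.10 80
```

With option 1 the host's packets to 10.0.1.0/24 leave the outside interface PATed and unencrypted, so they are simply dropped upstream; option 2 drops them on the ASA itself and shows up in the ACL hit counts, which is easier to audit.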
09-18-2013 07:13 PM
Thanks for the reply Jouni!
Yes I think I might go with denying that IP address host on the access-list.
Cheers,
Jem
09-18-2013 11:11 PM
Hi,
Would have to fire up my ASA running 8.2 to confirm the above NAT0 ACL operation. But again I am not sure if that is the software level you are using.
If the above reply answered your question, please remember to mark the reply as the correct answer.
Feel free to ask more if needed though.
- Jouni