site-to-site: exclude single IP

michaely360
Level 1

Hi,

I inherited a setup with an ASA 5505 (running 9.1) at the remote site (Site B) connected via a site-to-site VPN to a firewall in our main site (Site A). This is the first Cisco device I have managed, so I'm using the ASDM interface.

Under Site-to-Site VPN > ACL Manager I see rules for permitting all traffic from Site B to Site A.

In Site A we host a web service which is available via a public IP. This service is sensitive to network connectivity but because the VPN isn't very stable (due to a poor internet connection at Site B) I'd rather send requests for that service over the internet, rather than through the VPN tunnel. How can I do this?

Lastly, the internal DNS at Site B will resolve our web service to an internal IP (eg 192.168.0.10). So I presume I also need to do some NAT translation to get it to target the public IP?

Any help greatly appreciated.

Michael.

3 Replies

Pawan Raut
Level 4

First, if you want to access the Site A web service host from Site B over the VPN, then you have to do the NAT for the web service host with the public IP.

Also, if you want to exclude that IP (eg 192.168.0.10) from the VPN, then use a deny statement at the top of the VPN ACL for that IP (eg 192.168.0.10).

Thanks. I'll create the NAT rule first, then add the 'exclude' rule to the VPN.

Is there a way to test or check logs to see whether it's working from within ASDM?

Apart from ASDM logs You can test it with packet tracer on Firewall as well.

Kindly rate for useful post please.
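The two steps from the accepted answer (NAT the web service host to its public IP, then a deny at the top of the VPN ACL) and the packet-tracer check from the follow-up, written out as ASA CLI for the Site B 5505. This is an added example, not the poster's configuration or Cisco's own documentation text. Every address other than 192.168.0.10 is constructed: the Site B LAN (192.168.1.0/24), the web server's public IP (203.0.113.10, documentation range), the Site A VPN peer (198.51.100.1), the crypto ACL name VPN-TO-SITEA and the object names are all assumptions; substitute the real ones from the existing config (ASDM shows the same NAT rules under Configuration > Firewall > NAT Rules).

```cisco
! Added example (not the poster's configuration). Assumed addressing:
!   Site B LAN (inside of the 5505):   192.168.1.0/24  (constructed)
!   Site A LAN behind the tunnel:      192.168.0.0/24  (constructed)
!   Web server, internal address:      192.168.0.10    (from the question)
!   Web server, public address:        203.0.113.10    (placeholder)
!   Site A VPN peer address:           198.51.100.1    (placeholder)
!   Existing crypto ACL name:          VPN-TO-SITEA    (assumed)

! --- Objects ---
object network SITEB-LAN
 subnet 192.168.1.0 255.255.255.0
object network SITEA-WEB-INTERNAL
 host 192.168.0.10
object network SITEA-WEB-PUBLIC
 host 203.0.113.10

! --- Step 1: NAT ---
! Site B clients resolve the service to 192.168.0.10 via internal DNS, so the
! destination is rewritten to the public address and the source is PATed to
! the outside interface address, as for any other internet-bound flow.
! The "1" inserts this rule at the top of section 1 so it is matched before
! the identity (no-NAT) rule that keeps the rest of the VPN traffic untranslated.
nat (inside,outside) 1 source dynamic SITEB-LAN interface destination static SITEA-WEB-INTERNAL SITEA-WEB-PUBLIC

! --- Step 2: deny at the top of the crypto ACL ---
! Traffic from Site B to the web server host is excluded from the tunnel; the
! existing permit for the whole Site A network stays below it.
access-list VPN-TO-SITEA line 1 extended deny ip 192.168.1.0 255.255.255.0 host 192.168.0.10
! (existing entry, shown for context only)
! access-list VPN-TO-SITEA extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

! --- Step 3: verify ---
! Simulated HTTPS request from a Site B client (constructed source address).
! Expected: the NAT phase shows the destination translated to 203.0.113.10,
! the egress interface is outside, and no VPN/ENCRYPT phase appears.
packet-tracer input inside tcp 192.168.1.50 40000 192.168.0.10 443 detailed

! The translate_hits counter on the new NAT rule increments as clients connect.
show nat detail

! Encaps/decaps counters for the Site A SA should not move for web traffic.
show crypto ipsec sa peer 198.51.100.1
```

Two caveats worth checking before relying on this: the ASA applies NAT before it matches the crypto ACL, so the NAT rule must sit above any existing identity NAT for the Site A network or the web traffic will still be carried into the tunnel untranslated; and the crypto ACL on the Site A firewall should be mirrored with the same exclusion, otherwise Site A will keep trying to send its replies back through the VPN. Connections to 192.168.0.10 that were already open when the rule was added keep their old translation until they close.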
