
Exclude host from VPN tunnel

Group IT
Level 1

Hello,

I have a router set up at a remote site to connect to HQ (ASA) via an IPsec VPN tunnel.

I have a device at the remote site, which I want to exclude from the tunnel (so it can access the internet unfiltered etc). Basically, I guess it's split-tunnelling for a single host.

Just can't get my head around how to do it.

HQ (ASA):

  • Public IP: 81.128.123.123

Remote Site (router):

  • Public IP: 77.240.123.123
  • LAN: 10.11.102.0/24

Device to exclude: 10.11.102.136

The general tunnel works okay (intermittent speed issues, but that's another matter), but as soon as I deny the device's IP in the VPN-TRAFFIC ACL, the device can't get out at all. I assume it's something to do with NAT, but I'm not so hot with Cisco stuff yet.

Can someone please give me a hand?

ROUTER CONFIG:

Current configuration : 3983 bytes
!
! Last configuration change at 17:25:39 gmt Wed May 10 2017 by ejohnson
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname rtr-h000356
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
no logging console
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication enable default enable
aaa authorization exec default local
!
!
aaa session-id common
clock timezone gmt 0 0
clock summer-time gmt recurring
!
ip flow-cache timeout active 5
ip domain name my-domain.local
ip name-server 10.11.1.217
ip cef
no ipv6 cef
!
!
object-group network HGL-IPs
host 81.136.123.123
host 81.128.123.123
host 194.75.123.123
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key xxx address 81.128.123.123
!
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
mode tunnel
!
!
crypto map VPN-TO-HQ 10 ipsec-isakmp
set peer 81.128.123.123
set transform-set TS
match address VPN-TRAFFIC
!
!
interface FastEthernet0
no ip address
shutdown
!
interface FastEthernet1
no ip address
shutdown
!
interface FastEthernet2
description link to switch (VLAN192)
switchport access vlan 192
switchport mode trunk
no ip address
!
interface FastEthernet3
description LAN (VLAN102)
switchport access vlan 102
switchport mode trunk
no ip address
!
interface FastEthernet4
description WAN link
ip address 77.240.123.123 255.255.255.0
ip nat outside
ip virtual-reassembly in
ip tcp adjust-mss 1340
duplex auto
speed auto
no cdp enable
crypto map VPN-TO-HQ
!
interface Vlan1
no ip address
shutdown
!
interface Vlan102
description Site business data
ip address 10.11.102.254 255.255.255.0
ip helper-address 10.11.200.3
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
!
interface Vlan192
description Voice VLAN
ip address 192.168.1.254 255.255.255.0
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
!
no ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 1000
!
ip flow-export source FastEthernet4
ip flow-export version 9
ip flow-export destination 10.11.1.226 2055
!
ip nat inside source list NATIN interface FastEthernet4 overload
ip nat inside source static tcp 10.11.102.102 25 interface FastEthernet4 25
ip route 0.0.0.0 0.0.0.0 77.240.123.123
!
ip access-list standard NATIN
permit 192.168.1.100
!
ip access-list extended VPN-TRAFFIC
permit ip 10.11.102.0 0.0.0.255 any

1 Reply

Mark Malone
VIP Alumni

Hi

Did you try this, in order to exclude it from the tunnel and allow it in the NAT ACL?

ip access-list standard NATIN
permit 192.168.1.100
permit 10.11.102.136

ip access-list extended VPN-TRAFFIC
deny ip host 10.11.102.136 any
permit ip 10.11.102.0 0.0.0.255 any
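As an added illustration (not code from either poster), the following Python model walks the three configurations through the IOS inside-to-outside order of operations and shows why the host went dark when it was only denied in VPN-TRAFFIC. It assumes that NAT is applied before the crypto-map ACL is consulted (so the crypto ACL sees the post-NAT source), that an untranslated RFC1918 source sent to the ISP is effectively blackholed, and that only source addresses matter because every ACL entry on this page has destination "any".

```python
import ipaddress

# Constructed model of the posted router config; only the source address is
# matched because every ACL entry on this page has destination "any".
OUTSIDE_IP = ipaddress.ip_address("77.240.123.123")   # FastEthernet4

def wildcard_to_network(addr, wildcard):
    """Cisco wildcard (inverse) mask -> network, e.g. 0.0.0.255 -> /24."""
    mask = int(ipaddress.IPv4Address("255.255.255.255")) ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)

def first_match(acl, src):
    """IOS ACLs are first-match with an implicit deny at the end."""
    for action, net in acl:
        if src in net:
            return action
    return "deny"

def egress(src_ip, natin, vpn_traffic):
    """Inside-to-outside order of operations (assumption): NAT first, then the
    crypto-map ACL is matched against the post-NAT source address."""
    src = ipaddress.ip_address(src_ip)
    if first_match(natin, src) == "permit":
        src = OUTSIDE_IP          # 'ip nat inside source list NATIN ... overload'
    if first_match(vpn_traffic, src) == "permit":
        return "ipsec"            # encrypted toward the ASA peer
    if src.is_private:
        return "blackhole"        # untranslated RFC1918 source: no route back from the ISP
    return "clear"                # ordinary internet traffic

def build(deny_host_in_vpn, add_host_to_nat):
    """Return (NATIN, VPN-TRAFFIC) for one variant of the posted config."""
    host = ipaddress.ip_network("10.11.102.136/32")
    natin = [("permit", ipaddress.ip_network("192.168.1.100/32"))]
    if add_host_to_nat:
        natin.append(("permit", host))
    vpn = [("deny", host)] if deny_host_in_vpn else []
    vpn.append(("permit", wildcard_to_network("10.11.102.0", "0.0.0.255")))
    return natin, vpn

SCENARIOS = {
    "as_posted": build(False, False),
    "deny_only": build(True, False),   # what the asker tried: deny in VPN-TRAFFIC only
    "answer":    build(True, True),    # the reply: deny in VPN-TRAFFIC and permit in NATIN
}

def path(scenario, src_ip):
    natin, vpn = SCENARIOS[scenario]
    return egress(src_ip, natin, vpn)
```

`path("deny_only", "10.11.102.136")` returns "blackhole" (the symptom in the question), while `path("answer", "10.11.102.136")` returns "clear" and the rest of 10.11.102.0/24 still returns "ipsec".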
