Hello,

I have a router setup at a remote site to to connect to HQ (ASA) via VPN IPsec tunnel.

I have a device at the remote site, which I want to exclude from the tunnel (so it can access the internet unfiltered etc). Basically, I guess it's split-tunnelling for a single host.

Just can't get my head around how to do it.

HQ (ASA):

• Public IP: 81.128.123.123

Remote Site (router):

• Public IP: 77.240.123.123
• LAN: 10.11.102.0/24

Device to exclude: 10.11.102.136

The general tunnel works okay (intermittent speed issues, but that's another matter), but as soon as I deny the device's IP in the VPN-TRAFFIC ACL, the device can't get out at all. I assume it;s something to do with NAT, but I'm not so hot with Cisco stuff yet.

Can someone please give me a hand?

ROUTER CONFIG:

Current configuration : 3983 bytes
!
! Last configuration change at 17:25:39 gmt Wed May 10 2017 by ejohnson
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname rtr-h000356
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
no logging console
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication enable default enable
aaa authorization exec default local
!
!
aaa session-id common
clock timezone gmt 0 0
clock summer-time gmt recurring
!
ip flow-cache timeout active 5
ip domain name my-domain.local
ip name-server 10.11.1.217
ip cef
no ipv6 cef
!
!
object-group network HGL-IPs
host 81.136.123.123
host 81.128.123.123
host 194.75.123.123
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key xxx address 81.128.123.123
!
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
mode tunnel
!
!
crypto map VPN-TO-HQ 10 ipsec-isakmp
set peer 81.128.123.123
set transform-set TS
match address VPN-TRAFFIC
!
!
interface FastEthernet0
no ip address
shutdown
!
interface FastEthernet1
no ip address
shutdown
!
interface FastEthernet2
description link to switch (VLAN192)
switchport access vlan 192
switchport mode trunk
no ip address
!
interface FastEthernet3
description LAN (VLAN102)
switchport access vlan 102
switchport mode trunk
no ip address
!
interface FastEthernet4
description WAN link
ip address 77.240.123.123 255.255.255.0
ip nat outside
ip virtual-reassembly in
ip tcp adjust-mss 1340
duplex auto
speed auto
no cdp enable
crypto map VPN-TO-HQ
!
interface Vlan1
no ip address
shutdown
!
interface Vlan102
description Site business data
ip address 10.11.102.254 255.255.255.0
ip helper-address 10.11.200.3
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
!
interface Vlan192
description Voice VLAN
ip address 192.168.1.254 255.255.255.0
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
!
no ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 1000
!
ip flow-export source FastEthernet4
ip flow-export version 9
ip flow-export destination 10.11.1.226 2055
!
ip nat inside source list NATIN interface FastEthernet4 overload
ip nat inside source static tcp 10.11.102.102 25 interface FastEthernet4 25
ip route 0.0.0.0 0.0.0.0 77.240.123.123
!
ip access-list standard NATIN
permit 192.168.1.100
!
ip access-list extended VPN-TRAFFIC
permit ip 10.11.102.0 0.0.0.255 any