08-30-2024 02:55 AM
I've set up an S2S VPN on our perimeter ASA 5525-X that tunnels traffic from certain source IPs going to any public IP. So far a pretty simple setup once all the public IP subnets had been defined in objects and then assigned to an object group; the VPN is up and working with no problems.
The issue is that this sends all traffic from the source IPs going external over the VPN, but I only want to tunnel HTTP and HTTPS traffic; all other ports should traverse the ASA unencrypted.
I did try to do this by modifying the crypto map ACL so it only included ports 80 and 443, then created a no-NAT statement that only included ports 80 and 443. Config below (80 and 443 in the NAT statements are objects for the respective ports):
access-list outside_cryptomap extended permit tcp object-group INTERNAL_IPs object-group EXTERNAL_IPs eq 80
access-list outside_cryptomap extended permit tcp object-group INTERNAL_IPs object-group EXTERNAL_IPs eq 443
nat (inside,outside) source static INTERNAL_IPs INTERNAL_IPs destination static EXTERNAL_IPs EXTERNAL_IPs service 80 80 no-proxy-arp
nat (inside,outside) source static INTERNAL_IPs INTERNAL_IPs destination static EXTERNAL_IPs EXTERNAL_IPs service 443 443 no-proxy-arp
Doing this seemed to cause the firewall's CPU to go through the roof, and after a few SSH sessions hanging I eventually couldn't SSH back on to the device. I had to force a failover from the standby device (it seems the config above hadn't been synced to the standby unit) and then power cycle the original active device before it started responding again.
Thankfully there was no loss of end user services, but as this is our production firewall I'm a bit reluctant to try it again.
Just wondering if anyone has done what I'm trying to do, and did you do it differently to how I tried it?
ASAs are on version 9.12(4)67
Thanks
08-30-2024 03:02 AM
I have an idea but I don't know if it works or not.
Use VTI instead of policy-based VPN and then use PBR to direct traffic to the VTI.
This way you can direct only HTTP traffic via the VTI, not all traffic.
MHM
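Added example (not from the thread or from any participant): a minimal ASA 9.12-style configuration of what MHM describes, a route-based VTI tunnel plus PBR on the inside interface that steers only TCP/80 and TCP/443 from the OP's INTERNAL_IPs to EXTERNAL_IPs into the tunnel, leaving everything else on the normal routed path. The peer address 203.0.113.10, the tunnel /30 169.254.1.0/30, the interface and route-map names, the IKEv2 parameters and the pre-shared key placeholder are all assumptions for illustration; only the object groups and ports come from the original post. It would need to be adapted and lab-tested, and the peer must support route-based (VTI) IPsec.

```text
! --- IKEv2 / IPsec profile for the VTI (values assumed) ---
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside

crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

crypto ipsec profile VTI-PROFILE
 set ikev2 ipsec-proposal AES256-SHA256

! Peer IP and PSK are placeholders
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <psk>
 ikev2 local-authentication pre-shared-key <psk>

! --- Route-based tunnel interface (addresses assumed) ---
interface Tunnel1
 nameif VTI-PEER
 ip address 169.254.1.1 255.255.255.252
 tunnel source interface outside
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE

! --- Only web traffic between the OP's object groups goes via the VTI ---
access-list PBR-WEB extended permit tcp object-group INTERNAL_IPs object-group EXTERNAL_IPs eq 80
access-list PBR-WEB extended permit tcp object-group INTERNAL_IPs object-group EXTERNAL_IPs eq 443

route-map PBR-WEB-VIA-VTI permit 10
 match ip address PBR-WEB
 set ip next-hop 169.254.1.2

! PBR is applied on the ingress (inside) interface; unmatched traffic follows the routing table
interface GigabitEthernet0/1
 nameif inside
 policy-route route-map PBR-WEB-VIA-VTI

! Identity NAT so the tunnelled web flows keep their real addresses
nat (inside,VTI-PEER) source static INTERNAL_IPs INTERNAL_IPs destination static EXTERNAL_IPs EXTERNAL_IPs no-proxy-arp
```

Things to check before relying on it: PBR only evaluates packets arriving on the interface it is applied to, so the peer must route the replies for those flows back over the VTI itself (a route or its own PBR for the INTERNAL_IPs ranges); since the policy match is on the ACL rather than a crypto map, no NAT or ACL entries have to carry service qualifiers, which is what avoided the port-based no-NAT statements from the original attempt; and because the VTI is a nameif'd interface it gets its own access-group and NAT view, so traffic to it is subject to interface ACLs like any other zone. The example uses IKEv2 throughout; swap in the IKEv1 equivalents if the far side is IKEv1-only.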
08-30-2024 04:59 AM
Thanks MHM. I must admit I thought the ASAs didn't support PBR. I will see if the peer side supports VTI tunnels.
08-30-2024 08:59 AM
What is the other side of the tunnel? VTI is generally referred to as route-based VPN (vs policy-based VPN for crypto map), so you may want to check if the other side supports route-based VPN.
09-09-2024 02:45 AM
I haven't had a chance to try this out yet, but looking at PBR, this will definitely do what I need. Thanks again for your help.