Hi bsternfield,

bsternfield · ‎02-27-2017

I have site-site IpSec VPN tunnels configured between remote sites running 881 routers to our central office ASA5510. We currently proxy all web traffic through a proxy server at the central site. We need to use an application that uses RDP to connect to an internet site, which the proxy server won't handle. Is there a way to exclude one internet destination address from being tunneled at the remote end?

JP Miranda Z · ‎02-27-2017

Hi bsternfield,

You can try adding a deny as a first line on the interesting traffic of the tunnel for this specific traffic on the Router is supposed to initiate this traffic:

ip access-list extended interestingtraffic

10 deny ip <inside network> <mask> host <rdpserver>

20 permit ip <inside network> <mask> any

This is only an example of what you can try to do in order to bypass the tunnel for this specific traffic.

Hope this info helps!!

Rate if helps you!!

-JP-

bsternfield · ‎02-28-2017

Thanks. I tried adding the deny to the access list for tunneled traffic. I also added a NAT translation for the network we need to access the rdp server from. It's still not working.

JP Miranda Z · ‎03-06-2017

Hi bsternfield,

From the VPN perspective that should work, can you make sure the nat you created to bypass the tunnel is working? you can check the ip nat translations and see if is actually working.

Hope this info helps!!

Rate if helps you!!

-JP-

IpSec VPN split tunnel to single internet address