Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
336
Views
0
Helpful
2
Replies

Site to Site VPN Exclusions

Go to solution
drbabbers
Level 3
Level 3

‎12-16-2015 04:19 AM

All,

I have a Site to Site VPN setup between 2 x Cisco ASA firewalls.

Site A:

Local Network: 192.168.1.0/24

Remote Network 10.10.0.0/20

Site B:

Local Network: 10.10.0.0/20

Remote Network: 192.168.1.0/24

I have 1 particular host that I don't want to tunnel of 10.10.0.10 within the 10.10.0.0/20 network. How do I exclude this on the VPN tunnel and instead send it out of the default route of the ASA?

Thanks

D

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
pjain2
Cisco Employee
Cisco Employee

‎12-16-2015 05:43 AM

you can use a vpn filter; deny the traffic that you do not want to pass through the tunnel and allow the rest of the traffic

access-list VPN-FILTER deny ip 192.168.1.0 255.255.255.0 10.10.0.10 255.255.255.255
access-list VPN-FILTER permit 192.168.1.0 255.255.255.0 10.10.0.0 255.255.240.0

group-policy SITEA internal
group-policy SITEA attributes
 vpn-filter value VPN-FILTER

tunnel-group 8.8.8.8 type ipsec-l2l
tunnel-group 8.8.8.8 general-attributes
 default-group-policy SITEA

View solution in original post

0 Helpful
2 Replies 2

Go to solution
pjain2
Cisco Employee
Cisco Employee

‎12-16-2015 05:43 AM

you can use a vpn filter; deny the traffic that you do not want to pass through the tunnel and allow the rest of the traffic

access-list VPN-FILTER deny ip 192.168.1.0 255.255.255.0 10.10.0.10 255.255.255.255
access-list VPN-FILTER permit 192.168.1.0 255.255.255.0 10.10.0.0 255.255.240.0

group-policy SITEA internal
group-policy SITEA attributes
 vpn-filter value VPN-FILTER

tunnel-group 8.8.8.8 type ipsec-l2l
tunnel-group 8.8.8.8 general-attributes
 default-group-policy SITEA
0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to pjain2

‎12-16-2015 07:20 AM

The VPN-filter solution will not work as the traffic still qualifies for the tunnel.

The deny statement has to be placed in the crypto-ACL that is referenced in the crypto map.

Still, I don't see a reason why this should be done. If the PC communicates to other destinations than 192.168.1.0/24, the traffic won't go to the tunnel. If the destination is 192.168.1.0/24, following the default route will send it typically directly to the internet which doesn't make any sense to a private address as the destination.

0 Helpful
Customers Also Viewed These Support Documents