New Member

Exclude 1 host (IP Address) from VPN Tunnel

Hi Experts,

May I ask your help on this?

Current setup:

L2L VPN between site1 and site2

[site1]--------------------[internet]-------------------[site2]

10.0.100.0/24-----------------------------10.0.1.0/24

Planned setup:

L2L VPN between site1 and site2

[site1]--------------------[internet]-------------------[site2]

10.0.100.0/24-----------------------------10.0.1.0/24

with one host (10.0.100.50) excluded from the NAT process for the site-to-site VPN, thus NATting it directly to the internet.

Has someone done this before?

I'm planning to add 10.0.100.50 to be denied on the access-list from the VPN Traffic.

I don't know if that will work though.

Hope someone could give their thoughts on this.

Thank you.

Regards,

Jem

3 REPLIES
Super Bronze

Exclude 1 host (IP Address) from VPN Tunnel

Hi,

I would imagine that it would be the easiest to simply block this host's traffic towards the remote site in the interface ACL of this host's local firewall/VPN device rather than doing this with NAT.

I am not sure what software level you are running and what devices you are using.

If I don't remember wrong, I think you could use "deny" statements in the 8.2 (and below) software levels which would essentially ignore the NAT0 for some hosts while doing it for others.

Something like

access-list INSIDE-NAT0 deny ip host 10.0.100.50 10.0.1.0 255.255.255.0
access-list INSIDE-NAT0 permit ip 10.0.100.0 255.255.255.0 10.0.1.0 255.255.255.0
nat (inside) 0 access-list INSIDE-NAT0

The above is just an example.

I don't think this is even possible in the newer 8.3 (and above) software levels as they don't use ACLs for NAT rules anymore.

But again, if limiting access is your aim I would suggest using an interface ACL.

- Jouni
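
The NAT0 ACL quoted in the reply above only does what is intended because the ASA walks an access list top to bottom and stops at the first matching entry, so the deny for the single host has to sit before the subnet-wide permit. The Python script below is an added example, not code from the thread or from Cisco: it parses the two INSIDE-NAT0 entries exactly as quoted, plus a constructed interface ACL in the spirit of the interface-ACL alternative (the name INSIDE-IN and the access-group line are assumptions, not from the thread), evaluates flows first-match with the implicit deny at the end, and flags entries that an earlier entry shadows, which is the check to run before trusting the order of any such list.

```python
"""ASA-style first-match ACL evaluator (added illustration, not code from the thread)."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action plus source/destination networks."""
    action: str  # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network


def _parse_operand(tokens: list[str], i: int) -> tuple[IPv4Network, int]:
    """Parse one address operand at tokens[i]: 'host A.B.C.D', 'any', or 'A.B.C.D MASK'."""
    tok = tokens[i]
    if tok == "host":
        return ip_network(tokens[i + 1] + "/32"), i + 2
    if tok == "any":
        return ip_network("0.0.0.0/0"), i + 1
    # ASA writes the mask in dotted-decimal form; ipaddress accepts "addr/mask" directly.
    return ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> tuple[str, Ace]:
    """Parse 'access-list NAME [extended] {permit|deny} ip SRC DST' into (acl name, Ace)."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    name, i = tokens[1], 2
    if tokens[i] == "extended":
        i += 1
    action = tokens[i]
    if action not in ("permit", "deny") or tokens[i + 1] != "ip":
        raise ValueError(f"only 'permit|deny ip' entries are supported: {line!r}")
    src, i = _parse_operand(tokens, i + 2)
    dst, _ = _parse_operand(tokens, i)
    return name, Ace(action, src, dst)


def build_acls(config: str) -> dict[str, list[Ace]]:
    """Collect access-list lines from a config fragment, keeping their order per ACL name."""
    acls: dict[str, list[Ace]] = {}
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("access-list"):
            name, ace = parse_ace(line)
            acls.setdefault(name, []).append(ace)
    return acls


def evaluate(acl: list[Ace], src: str, dst: str) -> str:
    """First-match walk; a flow matching no entry falls to the implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


def shadowed_entries(acl: list[Ace]) -> list[int]:
    """Indexes of entries that can never match because an earlier entry fully covers them."""
    out = []
    for j, later in enumerate(acl):
        if any(later.src.subnet_of(e.src) and later.dst.subnet_of(e.dst) for e in acl[:j]):
            out.append(j)
    return out


# The NAT0 ACL exactly as quoted in the reply; the order of the two entries is the whole point.
NAT0_CONFIG = """
access-list INSIDE-NAT0 deny ip host 10.0.100.50 10.0.1.0 255.255.255.0
access-list INSIDE-NAT0 permit ip 10.0.100.0 255.255.255.0 10.0.1.0 255.255.255.0
nat (inside) 0 access-list INSIDE-NAT0
"""
# Same two entries with the order swapped (constructed, to show the failure mode).
NAT0_REVERSED = "\n".join(reversed(NAT0_CONFIG.strip().splitlines()[:2]))

# Constructed interface ACL for the alternative: block only that host towards the remote
# site on the inside interface. ACL name and access-group line are assumptions.
INTERFACE_CONFIG = """
access-list INSIDE-IN extended deny ip host 10.0.100.50 10.0.1.0 255.255.255.0
access-list INSIDE-IN extended permit ip 10.0.100.0 255.255.255.0 any
access-group INSIDE-IN in interface inside
"""


def nat_exempt(src: str, dst: str, config: str = NAT0_CONFIG) -> bool:
    """Under 'nat (inside) 0 access-list ...', a permit match means the flow bypasses NAT."""
    return evaluate(build_acls(config)["INSIDE-NAT0"], src, dst) == "permit"


def inside_permits(src: str, dst: str, config: str = INTERFACE_CONFIG) -> bool:
    """Whether the constructed inside interface ACL lets the flow through."""
    return evaluate(build_acls(config)["INSIDE-IN"], src, dst) == "permit"


if __name__ == "__main__":
    for host in ("10.0.100.50", "10.0.100.51"):
        print(host, "-> 10.0.1.10: NAT-exempt =", nat_exempt(host, "10.0.1.10"),
              "| inside ACL permits =", inside_permits(host, "10.0.1.10"))
    print("shadowed entries with permit first:",
          shadowed_entries(build_acls(NAT0_REVERSED)["INSIDE-NAT0"]))
```

Run as-is it reports that 10.0.100.50 is not NAT-exempt towards 10.0.1.0/24 while 10.0.100.51 is, and that with the permit placed first the host-specific deny is shadowed and never matches; the same evaluator shows the interface-ACL variant blocking only that one host towards the remote subnet.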

New Member

Exclude 1 host (IP Address) from VPN Tunnel

Thanks for the reply Jouni!

Yes I think I might go with denying that IP address host on the access-list.

Cheers,

Jem

Super Bronze

Exclude 1 host (IP Address) from VPN Tunnel

Hi,

Would have to fire up my ASA running 8.2 to confirm the above NAT0 ACL operation. But again I am not sure if that is the software level you are using.

If the above reply answered your question, please remember to mark the reply as the correct answer.

Feel free to ask more if needed though.

- Jouni
