Cisco Support Community
New Member

Site to Site VPN Exclusions

All,

I have a Site to Site VPN setup between 2 x Cisco ASA firewalls.

Site A:

Local Network: 192.168.1.0/24

Remote Network 10.10.0.0/20

Site B:

Local Network: 10.10.0.0/20

Remote Network: 192.168.1.0/24

I have one particular host, 10.10.0.10, within the 10.10.0.0/20 network that I don't want to tunnel. How do I exclude this host from the VPN tunnel and instead send its traffic out of the default route of the ASA?

Thanks

D

Accepted Solution
Cisco Employee

You can use a VPN filter: deny the traffic that you do not want to pass through the tunnel and allow the rest of the traffic.

! Filter ACL: the host-specific deny must precede the broader permit (first match wins)
access-list VPN-FILTER deny ip 192.168.1.0 255.255.255.0 10.10.0.10 255.255.255.255
access-list VPN-FILTER permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.240.0

! Apply the filter through a group policy attached to the L2L tunnel group
group-policy SITEA internal
group-policy SITEA attributes
 vpn-filter value VPN-FILTER

tunnel-group 8.8.8.8 type ipsec-l2l
tunnel-group 8.8.8.8 general-attributes
 default-group-policy SITEA
2 REPLIES
VIP Purple

The VPN-filter solution will not work, as the traffic still qualifies for the tunnel.

The deny statement has to be placed in the crypto ACL that is referenced in the crypto map.

Still, I don't see a reason why this should be done. If the PC communicates with destinations other than 192.168.1.0/24, the traffic won't go into the tunnel. If the destination is 192.168.1.0/24, following the default route will typically send it directly to the internet, which doesn't make any sense for a private address as the destination.


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
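To make the second reply's point concrete, here is an added configuration example (not posted by either participant and not the original poster's config) showing the host exclusion placed in the crypto ACL rather than in a vpn-filter. It is written for the Site B ASA from the question (local 10.10.0.0/20, remote 192.168.1.0/24); the names SITEB-CRYPTO, SITEA-CRYPTO, OUTSIDE-MAP, ESP-AES-SHA, the placeholder <SITE-A-PEER-IP>, the constructed test destination 192.168.1.50 and the ASA 8.4+ IKEv1 crypto map syntax are all assumptions of this example.

```cisco
! Added example, not from the original thread. Site B ASA: local 10.10.0.0/20, remote 192.168.1.0/24.
! The crypto ACL decides which traffic is "interesting" to the tunnel, so the host
! exclusion belongs here. First match wins: the host deny must precede the /20 permit.
access-list SITEB-CRYPTO extended deny   ip host 10.10.0.10 192.168.1.0 255.255.255.0
access-list SITEB-CRYPTO extended permit ip 10.10.0.0 255.255.240.0 192.168.1.0 255.255.255.0
!
! Crypto map entry that references the ACL. OUTSIDE-MAP, ESP-AES-SHA and <SITE-A-PEER-IP>
! are placeholders for this example (ASA 8.4+ IKEv1 syntax assumed).
crypto map OUTSIDE-MAP 10 match address SITEB-CRYPTO
crypto map OUTSIDE-MAP 10 set peer <SITE-A-PEER-IP>
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside
!
! Site A needs the mirror image so both ends agree on what is tunneled. Without it,
! Site A still encrypts traffic destined for 10.10.0.10 while the replies from Site B
! leave unencrypted via the default route (an asymmetric path).
access-list SITEA-CRYPTO extended deny   ip 192.168.1.0 255.255.255.0 host 10.10.0.10
access-list SITEA-CRYPTO extended permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.240.0
!
! Verification from Site B (192.168.1.50 is a constructed destination): the excluded host
! should show no VPN encryption phase, while a neighbouring host still enters the tunnel.
packet-tracer input inside tcp 10.10.0.10 12345 192.168.1.50 80
packet-tracer input inside tcp 10.10.0.11 12345 192.168.1.50 80
```

Two caveats go with this. First, the crypto ACL change only decides encryption; if the Site B identity NAT (NAT exemption) still covers 10.10.0.10 to 192.168.1.0/24, the now-untunneled packet leaves the outside interface with a private source and a private destination, which is the pointless outcome the reply above describes, so the NAT exemption needs the same host exclusion if the design is kept at all. Second, after the change, check `show crypto ipsec sa` on both ASAs: the proxy identities for the SA should still be 10.10.0.0/20 and 192.168.1.0/24, and the packet-tracer run for 10.10.0.10 should terminate with a plain route lookup rather than a VPN phase.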