Excluding a portion of interesting traffic from Cisco cryptomap

macrospect

Hi all! It's been a long time since I have posted on these forums, but I am banging my head against the desk with this one. I was hoping one of you CCNA folks would read this. I have a Cisco ASA with the newest IOS on it and a VPN which is NAT'ed to one of my remote sites. For argument's sake, let's say that the remote site is public and is hosted on the entire 80.x.x.x range. The terminating endpoint for my VPN on the remote end is 80.0.0.1.

Now, my interesting IP traffic for the VPN cryptomap is defined as 80.0.0.0/8, BUT here is where I am stuck. I do NOT want to classify the entire 80.x.x.x range as interesting traffic, but instead would like some of the networks in the 80.x.x.x range to go out my typical WAN interface (i.e. do not send this network over the VPN). Say that I want just 80.1.x.x to go out my WAN interface.

So, aside from adding 254 rules into my ASA to define interesting traffic as 80.1.x.x/16, 80.2.x.x/16 and so on, how the heck would this be possible or would it even be possible to do without adding each separate subnet?!

As I said, this is a unique problem for which I lack any answer, and my google-fu has failed on this one. I was thinking that if I added a static route, it might override the crypto map, but I have no idea if this would work. Any answers would be much appreciated!
 
I've never tried it, but I expect that a deny line that preempts the permit line in the matched access-list should work as an exclusion, for example:

! Entries are evaluated top-down, first match wins: the deny must come before the permit.
! Wildcard masks: 0.0.255.255 covers 80.1.0.0/16, 0.255.255.255 covers the whole 80.0.0.0/8
! (0.0.0.255 would only have matched 80.0.0.0/24).
access-list 100 deny ip any 80.1.0.0 0.0.255.255
access-list 100 permit ip any 80.0.0.0 0.255.255.255
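To make the first-match behaviour concrete, here is an added example (not from the thread) that evaluates a crypto ACL the way the reply above describes, using Cisco wildcard-mask semantics with an implicit deny at the end. The ACLs and test addresses are constructed; only the destination address is matched, since the source is "any" in every entry.

```python
import ipaddress


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard means that bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits the ACL entry actually compares
    return (a & care) == (n & care)


def is_interesting(acl, dst: str) -> bool:
    """First-match evaluation of a crypto ACL.

    acl: list of (action, destination network, wildcard) tuples in config order.
    Returns True when the packet matches a permit and would be sent over the tunnel,
    False on a deny or on the implicit deny when nothing matches (plain WAN routing).
    """
    for action, network, wildcard in acl:
        if wildcard_match(dst, network, wildcard):
            return action == "permit"
    return False


# Constructed ACLs. The first mirrors the reply's exclusion; the others show two
# easy mistakes: a wrong wildcard on the permit, and the deny placed after the permit.
CORRECT_ACL = [
    ("deny",   "80.1.0.0", "0.0.255.255"),    # exclude 80.1.0.0/16 from the tunnel
    ("permit", "80.0.0.0", "0.255.255.255"),  # rest of 80.0.0.0/8 goes over the VPN
]
TYPO_ACL = [
    ("deny",   "80.1.0.0", "0.0.255.255"),
    ("permit", "80.0.0.0", "0.0.0.255"),      # only covers 80.0.0.0/24, not /8
]
WRONG_ORDER_ACL = [
    ("permit", "80.0.0.0", "0.255.255.255"),  # matches first, so the deny below is dead
    ("deny",   "80.1.0.0", "0.0.255.255"),
]

if __name__ == "__main__":
    for name, acl in [("correct", CORRECT_ACL), ("typo", TYPO_ACL), ("wrong order", WRONG_ORDER_ACL)]:
        for dst in ("80.1.3.4", "80.2.3.4", "80.0.0.9"):
            print(f"{name:12s} {dst:10s} -> {'VPN' if is_interesting(acl, dst) else 'WAN'}")
```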
 
Arg, I am an idiot. I put my exclusions list into the interesting traffic cryptomap and then denied that traffic. Once I removed it (having the ACL set up exactly as you stated), it now works.

Thanks for making me realize this!
 