[c-nsp] VPN Client to 1841, default route into tunnel with exceptions

Michael K. Smith - Adhost mksmith at adhost.com
Thu Aug 28 14:30:29 EDT 2008


Hello Marc:

> >
> > ip access-list extended DefaultrouteTunnel
> >  permit x.x.x.x 0.0.0.255 10.100.100.0 0.0.0.255
> >  permit y.y.y.y 0.0.0.255 10.100.100.0 0.0.0.255
> 
> So that would be
> 
> ip access-list extended DefaultrouteWithoutListedNetsTunnel
>  deny   ip 192.168.8.0 0.0.0.255 10.2.60.0 0.0.0.255
>  permit ip any 10.2.60.0 0.0.0.255
> 
> But packets to 192.168.8.1 still go out through the tunnel.
> 

According to your first configuration email, the ACL you should use is DefaultrouteTunnel, not DefaultrouteWithoutListedNetsTunnel.

<original config>
crypto isakmp client configuration group InternClient
 key onsh4OcyivOafmyodzet
 dns 10.1.2.11 10.1.2.15
 wins 10.1.2.11 10.1.2.15
 domain example.com
 pool ippool
 acl DefaultrouteTunnel

ip access-list extended DefaultrouteTunnel
 permit ip any any
ip access-list extended DefaultrouteWithoutListedNetsTunnel
 deny   ip 192.168.8.0 0.0.0.255 any
 permit ip any any
</original config>

If you change the client config to 'acl DefaultrouteWithoutListedNetsTunnel' using your original parameters you should be all set.

Regards,

Mike
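As an added illustration (not part of the thread), a small Python evaluator that applies first-match, wildcard-mask semantics to the two ACLs quoted above, so you can check which destinations a client would tunnel under each before changing the group's `acl` line. It assumes the pushed split-tunnel ACL is read from the gateway's side (source = network behind the gateway, destination = client address); the client address 10.2.60.5 used in the checks is a constructed sample.

```python
import ipaddress

def _parse_addr(tokens, i):
    """Parse 'any' or 'A.B.C.D WILDCARD' at tokens[i]; return ((net, wildcard), next_index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wild), i + 2

def parse_acls(text):
    """Parse 'ip access-list extended NAME' blocks into {NAME: [(action, src, dst), ...]}."""
    acls, current = {}, None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[:3] == ["ip", "access-list", "extended"]:
            current = tokens[3]
            acls[current] = []
        elif tokens[0] in ("permit", "deny") and current is not None:
            if tokens[1] != "ip":
                raise ValueError("only 'ip' entries are handled: " + raw)
            src, i = _parse_addr(tokens, 2)
            dst, _ = _parse_addr(tokens, i)
            acls[current].append((tokens[0], src, dst))
    return acls

def _matches(addr, net_wild):
    # Cisco wildcard mask: a 1 bit means "don't care", so compare only the 0 bits.
    net, wild = net_wild
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)

def is_tunneled(acl, remote_host, client_addr):
    """First match wins; the implicit deny at the end means the client sends it in the clear."""
    for action, src, dst in acl:
        if _matches(remote_host, src) and _matches(client_addr, dst):
            return action == "permit"
    return False

# The two ACLs from the thread's <original config> (input text copied from the post).
PAGE_ACLS = parse_acls("""
ip access-list extended DefaultrouteTunnel
 permit ip any any
ip access-list extended DefaultrouteWithoutListedNetsTunnel
 deny   ip 192.168.8.0 0.0.0.255 any
 permit ip any any
""")
```

With the group still pointing at DefaultrouteTunnel, 192.168.8.1 is tunneled; only the second ACL returns it to the clear path.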