[c-nsp] VPN Client to 1841, default route into tunnel with exceptions
Marc Haber
mh+cisco-nsp at zugschlus.de
Fri Aug 29 07:01:41 EDT 2008
On Fri, Aug 29, 2008 at 08:54:48AM +0800, Brett Looney wrote:
> > ip access-list extended DefaultrouteWithoutListedNetsTunnel
> > deny ip 192.168.8.0 0.0.0.255 10.2.60.0 0.0.0.255
> > permit ip any 10.2.60.0 0.0.0.255
> >
> > But packets to 192.168.8.1 still go out through the tunnel.
>
> Well, yeah. Because it matches the access list. From the sounds of it, you
> need to list each local network specifically in the access list so it won't
> match. <obvious>That will be tricky.</obvious>
The following perl script will generate the appropriate access list:
#!/usr/bin/perl -w
use strict;
use Net::Netmask;   # exports cidrs2inverse()

# The whole IPv4 space; the generated ACL must cover all of it except @blocks.
my $all = Net::Netmask->new("0.0.0.0/0");

# Local networks that must NOT go through the tunnel.
my @blocks = ("10.20.30.0/27","10.1.10.0/24","192.168.8.0/24");

my @blocklist = ();
foreach my $block ( @blocks ) {
    my $new = Net::Netmask->new($block);
    push(@blocklist, $new);
}

print "no ip access-list extended DefaultRouteWithoutListedNetsTunnelWorkaround\n";
print "ip access-list extended DefaultRouteWithoutListedNetsTunnelWorkaround\n";

# Document what would have been denied; deny lines themselves don't work here.
foreach my $block ( @blocklist ) {
    print "remark - this should be deny ip ". $block->base. " ". $block->hostmask. " any\n";
}

# cidrs2inverse() returns the CIDR blocks covering $all minus @blocklist,
# so the ACL permits everything except the listed local networks.
foreach my $block ( cidrs2inverse( $all, @blocklist ) ) {
    print "permit ip ". $block->base. " ". $block->hostmask. " any\n";
}
and the access list seems to do the job. I didn't try in detail, but
it looks like the first deny statement in the access list makes
evaluation stop.
We'll see how this wrecks performance ;)
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 3221 2323190
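As an added example (not from Marc's post, and not Net::Netmask's own code), the same inversion can be done with Python's standard ipaddress module, which also makes it easy to check the property the post leaves untested: every destination address is matched by exactly one line, and the listed local networks match no permit line. The network list and ACL name below are taken from the script above; the function names are mine.

```python
import ipaddress

# Constructed sample input, mirroring the blocks in the perl script above:
# the local networks that must stay out of the tunnel.
LOCAL_BLOCKS = ["10.20.30.0/27", "10.1.10.0/24", "192.168.8.0/24"]
ACL_NAME = "DefaultRouteWithoutListedNetsTunnelWorkaround"


def complement(blocks, universe="0.0.0.0/0"):
    """Return the sorted CIDR networks covering `universe` minus `blocks`
    (the equivalent of Net::Netmask's cidrs2inverse)."""
    remaining = [ipaddress.ip_network(universe)]
    excluded = ipaddress.collapse_addresses(ipaddress.ip_network(b) for b in blocks)
    for block in excluded:
        next_remaining = []
        for net in remaining:
            if block.subnet_of(net):
                # Carve the block out; address_exclude yields the leftover pieces.
                next_remaining.extend(net.address_exclude(block))
            elif net.subnet_of(block):
                # This piece lies entirely inside an excluded block: drop it.
                continue
            else:
                next_remaining.append(net)
        remaining = next_remaining
    return sorted(ipaddress.collapse_addresses(remaining))


def acl_lines(blocks, name=ACL_NAME):
    """Emit the Cisco ACL: remarks for the excluded blocks, then a permit
    line (with wildcard mask) for each piece of the complement."""
    lines = [f"no ip access-list extended {name}", f"ip access-list extended {name}"]
    collapsed = ipaddress.collapse_addresses(ipaddress.ip_network(b) for b in blocks)
    for block in sorted(collapsed):
        lines.append(f" remark - excluded: {block.network_address} {block.hostmask}")
    for net in complement(blocks):
        # hostmask is the inverted netmask, i.e. the Cisco wildcard mask.
        lines.append(f" permit ip {net.network_address} {net.hostmask} any")
    return lines


def in_tunnel(ip, blocks):
    """True if `ip` would be sent into the tunnel by the generated ACL."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in complement(blocks))


def covers_everything(blocks):
    """Sanity check: excluded blocks plus complement tile 0.0.0.0/0 exactly,
    with no gaps (collapse gives /0) and no overlaps (address count is 2**32)."""
    pieces = list(complement(blocks))
    pieces += list(ipaddress.collapse_addresses(ipaddress.ip_network(b) for b in blocks))
    merged = list(ipaddress.collapse_addresses(pieces))
    total = sum(p.num_addresses for p in pieces)
    return merged == [ipaddress.ip_network("0.0.0.0/0")] and total == 2 ** 32


if __name__ == "__main__":
    print("\n".join(acl_lines(LOCAL_BLOCKS)))
    print("# tiling ok:", covers_everything(LOCAL_BLOCKS))
    print("# 192.168.8.1 in tunnel:", in_tunnel("192.168.8.1", LOCAL_BLOCKS))
```

Excluding a single /24 from 0.0.0.0/0 yields one permit line per prefix length from /1 to /24, so the ACL grows by roughly the prefix length of each excluded block; that is where the performance cost Marc mentions comes from.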