[c-nsp] VPN Client to 1841, default route into tunnel with exceptions

Marc Haber mh+cisco-nsp at zugschlus.de
Fri Oct 17 15:46:23 EDT 2008


Hi,

On Fri, Aug 29, 2008 at 01:01:41PM +0200, Marc Haber wrote:
> On Fri, Aug 29, 2008 at 08:54:48AM +0800, Brett Looney wrote:
> > > ip access-list extended DefaultrouteWithoutListedNetsTunnel
> > >  deny   ip 192.168.8.0 0.0.0.255 10.2.60.0 0.0.0.255
> > >  permit ip any 10.2.60.0 0.0.0.255
> > >
> > > But packets to 192.168.8.1 still go out through the tunnel.
> > 
> > Well, yeah. Because it matches the access list. From the sounds of it, you
> > need to list each local network specifically in the access list so it won't
> > match. <obvious>That will be tricky.</obvious>
> 
> The following perl script will generate the appropriate access list:
> #!/usr/bin/perl -w

<snip>

I need to re-hash the issue, I am afraid. As a reminder: I want to use
the Cisco VPN Client to connect to an 1841 router (running IOS
12.4(9)T4), while routing everything into the tunnel with the
exception of a few nets. My configuration:

crypto isakmp client configuration group InternClient
 key <snip>
 dns 10.1.2.11 10.1.2.15
 wins 10.1.2.11 10.1.2.15
 pool ippool
 acl DefaultRouteWithoutListedNetsTunnelWorkaround

ip access-list extended DefaultRouteWithoutListedNetsTunnelWorkaround
 remark - this should be deny ip 10.20.30.0 0.0.0.31 any
 remark - this should be deny ip 10.1.10.0 0.0.0.255 any
 remark - this should be deny ip 192.168.8.0 0.0.0.255 any
 permit ip 0.0.0.0 7.255.255.255 any
 permit ip 8.0.0.0 1.255.255.255 any
 permit ip 10.0.0.0 0.0.255.255 any
 permit ip 10.1.0.0 0.0.7.255 any
 permit ip 10.1.8.0 0.0.1.255 any
 permit ip 10.1.11.0 0.0.0.255 any
 permit ip 10.1.12.0 0.0.3.255 any
<snip>

Unfortunately, the ACL cannot contain any "deny" statements
(evaluation seems to stop after the first "deny"), so I wrote a script
to generate an access list that permits everything but the few nets.

However, it looks like only the first 50 entries of the ACL are
actually transmitted to the client and show up in its routing table,
so everything "permitted" in the "late" steps of the ACL ends up
outside of the tunnel.

Is there any possibility to increase that 50 limit?

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190
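As an added illustration (not Marc's snipped Perl script, and not Cisco code), the following Python reimplements the same idea: compute the minimal set of prefixes covering all of IPv4 except the excluded nets, emit them as Cisco `permit ... any` lines with wildcard masks, and then show which entries fall past the 50-entry limit described above and which destinations consequently end up outside the tunnel. It assumes the three excluded networks from the `remark` lines (10.20.30.0/27, 10.1.10.0/24, 192.168.8.0/24) and treats the 50-entry limit as an observed client behaviour.

```python
"""Generate a Cisco split-tunnel ACL that covers everything except a few
excluded networks, and show what a 50-entry push limit drops."""
import ipaddress

# Constructed input: the three networks the remarks in the post say should
# stay outside the tunnel.
EXCLUDED = [
    ipaddress.IPv4Network("10.20.30.0/27"),
    ipaddress.IPv4Network("10.1.10.0/24"),
    ipaddress.IPv4Network("192.168.8.0/24"),
]
PUSH_LIMIT = 50  # assumption: entries the client actually receives, per the post


def complement(excluded):
    """Minimal sorted list of prefixes covering all of IPv4 except `excluded`."""
    remaining = [ipaddress.IPv4Network("0.0.0.0/0")]
    for ex in excluded:
        nxt = []
        for blk in remaining:
            if not blk.overlaps(ex):
                nxt.append(blk)                      # untouched by this exclusion
            elif ex.subnet_of(blk):
                nxt.extend(blk.address_exclude(ex))  # split blk around ex
            # else: blk lies entirely inside ex, so it is dropped
        remaining = nxt
    return sorted(remaining)


def acl_lines(excluded=EXCLUDED):
    """Cisco extended-ACL permit lines; the wildcard mask is the host mask."""
    return [f"permit ip {n.network_address} {n.hostmask} any"
            for n in complement(excluded)]


def pushed_and_lost(excluded=EXCLUDED, limit=PUSH_LIMIT):
    """Split the generated entries into those the client gets and those it never sees."""
    nets = complement(excluded)
    return nets[:limit], nets[limit:]


def tunneled(dst, excluded=EXCLUDED, limit=PUSH_LIMIT):
    """True if dst is routed into the tunnel when only `limit` entries reach the client."""
    pushed, _ = pushed_and_lost(excluded, limit)
    return any(ipaddress.IPv4Address(dst) in n for n in pushed)


if __name__ == "__main__":
    print(f"{len(acl_lines())} permit lines needed")
    for n in pushed_and_lost()[1]:
        print("not pushed:", n)
    for dst in ("10.2.60.5", "192.168.8.1", "200.1.1.1"):
        print(dst, "tunneled" if tunneled(dst) else "outside tunnel")
```

With the three nets above the generator needs 60 entries, so the last ten (192.170.0.0/15 up to 224.0.0.0/3) are never pushed and destinations such as 200.1.1.1 silently bypass the tunnel.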
