IP Routing Question

davidjfclawson
Level 1

Hi,

I'm currently setting up a second line on our Router and intend to send all traffic for networks other than our own private networks (say 10.10.0.0/16) on a remote site with a VPN in between.

So I was thinking first get rid of the current route:

no ip route 10.10.0.0 255.255.0.0 82.211.60.1

Then adding the new routes

ip route 10.10.0.0 255.255.0.0 82.211.60.1

ip route 0.0.0.0 0.0.0.0 82.211.60.2

But I have tried this and neither VPN traffic nor the second line seem to work. Now I think the routes are right(?) but I'm still very new to setting up routes.

If the routes are correct, why wouldn't the VPN connection reconnect? Plus is there a way I could test the new line before configuring the routes?

Any other information you need, let me know; any help would be appreciated.

Thanks,

David.

Giuseppe Larosa
Hall of Fame

Hello David,

you should post your configuration in order to understand what type of VPN you would like to use (IPSec VPN protected point to point tunnel or other type?)

my first impression is that it is strange to see a private IP subnet 10.10.0.0/16 with a public IP address as IP next-hop.

let me provide an example:

if you use a GRE tunnel you specify a static route like

ip route 10.10.0.0 255.255.0.0 tunnel5
interface tunnel5
 tunnel source x.x.x.x
 tunnel destination y.y.y.y
 ip address 10.20.0.1 255.255.255.252
 no shut
!

x.x.x.x is a local IP address of the WAN interface (public) and y.y.y.y is defined on the router in the remote site and it is typically public if the VPN is over the public internet

you still refer to the tunnel 5 even if GRE packets are encrypted by IPSec using a crypto map

the ACL used by ipsec becomes

access-list 113 permit gre host x.x.x.x host y.y.y.y

A static route may be needed for setting up the tunnel

ip route y.y.y.y 255.255.255.255 x.x.x.k

and on remote site you can have a default static route in order to use main site for internet access (if desired)

ip route 0.0.0.0 0.0.0.0 tunnel 5
interface tunnel 5
 tunnel source y.y.y.y
 tunnel destination x.x.x.x
 ip address 10.20.0.2 255.255.255.252

where x.x.x.k is the ip next-hop in same ip subnet of x.x.x.x

Hope to help

Giuseppe

Hi Giuseppe,

Thanks for the information, I see what you mean about the routes with a private IP. I'm happy to provide my running config but what parts should I take out for security to be on the safe side?

Thanks,

David.

Hello David,

change or mask public ip addresses and remove lines of usernames with passwords

you should be able to access the public link:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml

Hope to help

Giuseppe
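
The advice above as a script, added here as an example and not part of the original thread or of any Cisco tooling: it drops `username` lines, blanks credentials, and remaps public IPv4 addresses to the 203.0.113.0/24 documentation range so that a repeated address keeps the same placeholder. It goes beyond the post by also redacting pre-shared keys, PPP credentials and SNMP community strings; the sample lines are constructed (their public addresses are ones already visible in this thread), and `sanitize`, `SECRET_RULES` and the other names are chosen for this example.

```python
"""Sanitize a Cisco IOS running-config before it is posted publicly (added example)."""
import ipaddress
import re

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOC_NET = ipaddress.ip_network("203.0.113.0/24")  # TEST-NET-3, reserved for documentation
DROP_LINE = re.compile(r"^\s*username \S+")       # local accounts: remove the whole line

# (pattern, replacement): keep the command keyword, blank the credential after it.
SECRET_RULES = [
    (re.compile(r"^(\s*enable (?:password|secret))\b.*"), r"\1 <removed>"),
    (re.compile(r"^(\s*crypto isakmp key) .+?( (?:address|hostname) .*)$"), r"\1 <removed>\2"),
    (re.compile(r"^(\s+key) \S+.*"), r"\1 <removed>"),  # key under "client configuration group"
    (re.compile(r"^(\s*ppp (?:chap|pap) (?:hostname|password|sent-username))\b.*"), r"\1 <removed>"),
    (re.compile(r"^(\s*wpa-psk (?:ascii|hex))\b.*"), r"\1 <removed>"),
    (re.compile(r"^(\s*snmp-server community)\b.*"), r"\1 <removed>"),
]

# Constructed sample; the secrets are invented, the public addresses appear in this thread.
SAMPLE = """\
enable secret 5 $1$constructed$hash
username admin privilege 15 password 7 0000CONSTRUCTED
crypto isakmp key ExamplePsk address 140.82.120.21
crypto isakmp client configuration group VPNCLIENTGROUP
 key ExampleGroupKey
interface FastEthernet0/0
 ip address 81.134.145.210 255.255.255.240
ip route 0.0.0.0 0.0.0.0 81.134.145.209
access-list 100 permit ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255
permit esp host 140.82.120.21 host 81.134.145.210
snmp-server community ExampleCommunity RO
"""


def sanitize(config):
    """Return (sanitized_text, ip_map, findings) for an IOS configuration."""
    ip_map, findings, out = {}, [], []

    def mask(match):
        text = match.group(0)
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:
            return text                      # not a valid dotted quad
        if not addr.is_global:
            return text                      # private ranges, netmasks, wildcards, 0.0.0.0
        if text not in ip_map:
            if len(ip_map) >= DOC_NET.num_addresses - 2:
                raise ValueError("more public addresses than placeholders")
            ip_map[text] = str(DOC_NET[len(ip_map) + 1])
        return ip_map[text]

    for lineno, line in enumerate(config.splitlines(), 1):
        if DROP_LINE.match(line):
            findings.append((lineno, "username line dropped"))
            continue
        for pattern, repl in SECRET_RULES:
            redacted = pattern.sub(repl, line)
            if redacted != line:
                findings.append((lineno, "credential redacted"))
                line = redacted
                break
        out.append(IPV4.sub(mask, line))
    return "\n".join(out), ip_map, findings


if __name__ == "__main__":
    text, ip_map, findings = sanitize(SAMPLE)
    print(text)
    for lineno, what in findings:
        print(f"! line {lineno}: {what}")
```

Hostnames, domain names and SSIDs are left untouched by this script, so the output still needs a read-through before it is posted.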

Manish Naik
Level 1

Hello David,

you can check if this link helps you.

http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml

Manish.

Hi Manish,

Unfortunately I don't have access, as I only have a very basic account. Are there any sites whose resources I would be able to use to help improve my understanding?

Thanks,


David.

David,

You should be able to access the link that Giuseppe posted

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml

this should help understand Basic Natting and routing requirements for your setup.

Manish.

Hey Guys,

Thanks for the links, I'm going to read them now as I have been troubleshooting another issue this morning and I think I might be wanting to set up routing groups to achieve the goal of sending traffic down one of two connections depending on its destination.

Below is an edited copy of our config; please let me know if I need to make more edits to ensure it is safe to post online.

Thanks,

David.

!

! Last configuration change at 14:12:13 London Mon Aug 16 2010 by root

! NVRAM config last updated at 17:29:40 London Mon Aug 16 2010 by root

!

version 12.4

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname FW

!

boot-start-marker

boot-end-marker

!

logging buffered 8192 informational

enable password

!

aaa new-model

!

!

aaa authentication login userlist local

aaa authentication ppp default local

aaa authorization network groupauthor local

!

aaa session-id common

!

resource policy

!

memory-size iomem 20

clock timezone London 0

clock summer-time London date Mar 30 2003 1:00 Oct 26 2003 2:00

no ip source-route

ip icmp rate-limit unreachable 100

ip icmp rate-limit unreachable DF 1

ip cef

!

!

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.50.254

ip dhcp excluded-address 192.168.50.10 192.168.50.11

!

ip dhcp pool Wireless

   import all

   network 192.168.50.0 255.255.255.0

   dns-server 192.168.10.1 192.168.10.2

   default-router 192.168.50.254

   lease 3

!

!

no ip bootp server

ip domain name tolhurst.com

ip name-server 192.168.10.1

ip name-server 192.168.10.2

ip ssh time-out 60

ip ssh authentication-retries 2

ip inspect name outbound esmtp

ip inspect name outbound tcp

ip inspect name outbound udp

!

!

crypto pki trustpoint TP-self-signed-337632103

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-337632103

revocation-check none

rsakeypair TP-self-signed-337632103

!

!

!

!

!

crypto isakmp policy 10

encr aes

authentication pre-share

lifetime 28800

!

crypto isakmp policy 20

encr 3des

authentication pre-share

group 2

crypto isakmp key mushroom address 140.82.120.21

crypto isakmp keepalive 20 10

crypto isakmp xauth timeout 20

!

crypto isakmp client configuration group VPNCLIENTGROUP

key timerightnow

dns 192.168.10.1 192.168.10.2

domain tolhurst.com

pool vpn1

acl tolhurstvpn_splitTunnelAcl

crypto isakmp profile VPNclient

   description VPN clients profile

   match identity group VPNCLIENTGROUP

   client authentication list userlist

   isakmp authorization list groupauthor

   client configuration address respond

!

!

crypto ipsec transform-set 3des esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set HiRemote esp-aes esp-sha-hmac

!

crypto dynamic-map dynmap 20

set transform-set 3des

set isakmp-profile VPNclient

reverse-route

!

!

crypto map map1 10 ipsec-isakmp

set peer 140.82.120.21

set transform-set HiRemote

match address 100

crypto map map1 20 ipsec-isakmp dynamic dynmap

!

bridge irb

!

!

!

interface FastEthernet0/0

description $ETH-WAN$

bandwidth 2048

ip address 81.134.145.210 255.255.255.240

ip access-group outside_acl in

no ip redirects

no ip unreachables

no ip proxy-arp

ip nbar protocol-discovery

ip flow ingress

ip flow egress

ip nat outside

ip inspect outbound in

ip inspect outbound out

ip virtual-reassembly

no ip route-cache cef

ip route-cache flow

ip tcp adjust-mss 1452

no ip mroute-cache

duplex auto

speed auto

no cdp enable

arp timeout 1800

no mop enabled

crypto map map1

!

interface FastEthernet0/1

description $ETH-LAN$

ip address 192.168.10.254 255.255.255.0

ip access-group inside_acl in

ip nbar protocol-discovery

ip flow ingress

ip flow egress

ip nat inside

ip inspect outbound in

ip inspect outbound out

ip virtual-reassembly

ip tcp adjust-mss 1452

speed 100

full-duplex

!

interface ATM0/0/0

  no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip route-cache flow

no ip mroute-cache

no atm ilmi-keepalive

dsl operating-mode auto

!

interface ATM0/0/0.1 point-to-point

no ip redirects

no ip unreachables

no ip proxy-arp

no snmp trap link-status

pvc 0/38

  encapsulation aal5mux ppp dialer

  dialer pool-member 1

!

!

interface Dot11Radio0/1/0

description Wireless interface

no ip address

no ip redirects

ip local-proxy-arp

ip virtual-reassembly

!

broadcast-key vlan 1 change 45

!

broadcast-key vlan 2 change 45

!

!

encryption vlan 1 mode ciphers tkip

!

encryption vlan 2 mode ciphers tkip

!

encryption mode ciphers tkip

!

ssid tolhurst01

    vlan 1

    authentication open

    authentication key-management wpa

    guest-mode

    wpa-psk ascii 7

!

speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0

channel 2452

station-role root

no cdp enable

!

interface Dot11Radio0/1/0.1

description tolhurst UnSecure

encapsulation dot1Q 1 native

ip virtual-reassembly

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 spanning-disabled

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

!

interface Dialer0

bandwidth 8192

ip address 72.201.145.44 255.255.240.0

encapsulation ppp

dialer pool 1

dialer-group 1

ppp authentication chap pap callin

ppp chap hostname

ppp chap password 7

ppp pap sent-username

!

interface BVI1

description Wireless LAN

ip address 192.168.50.254 255.255.255.0

ip access-group inside_acl in

ip nat inside

ip virtual-reassembly

!

interface BVI2

mtu 1514

ip address 192.168.51.254 255.255.255.0

ip nat inside

ip virtual-reassembly

!

ip local pool vpn1 192.168.11.1 192.168.11.20

ip route 0.0.0.0 0.0.0.0 81.134.145.209

ip route 140.82.111.30 255.255.255.255 81.134.145.209

!

ip flow-top-talkers

top 20

sort-by bytes

!

ip http server

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip nat pool pool1 81.134.145.211 81.134.145.211 netmask 255.255.255.240

ip nat inside source list 111 pool pool1 overload

ip nat inside source static tcp 192.168.10.204 25 81.134.145.212 25 route-map nonat extendable

ip nat inside source static tcp 192.168.10.160 80 81.134.145.212 80 route-map nonat extendable

ip nat inside source static tcp 192.168.10.204 443 81.134.145.212 443 route-map nonat extendable

ip nat inside source static tcp 192.168.10.204 587 81.134.145.212 587 route-map nonat extendable

ip nat inside source static tcp 192.168.10.204 993 81.134.145.212 993 route-map nonat extendable

ip nat inside source static tcp 192.168.10.204 995 81.134.145.212 995 route-map nonat extendable

ip nat inside source static tcp 192.168.10.110 80 81.134.145.213 80 route-map nonat extendable

ip nat inside source static tcp 192.168.10.166 80 81.134.145.214 80 route-map nonat extendable

ip nat inside source static tcp 192.168.10.190 8080 81.134.145.214 8080 route-map nonat extendable

ip nat inside source static tcp 192.168.10.210 80 81.134.145.215 80 route-map nonat extendable

ip nat inside source static tcp 192.168.10.210 443 81.134.145.215 443 route-map nonat extendable

ip nat inside source static tcp 192.168.10.135 80 81.134.145.216 80 route-map nonat extendable

!

ip access-list extended tolhurstvpn_splitTunnelAcl

permit ip 192.168.10.0 0.0.0.255 any

ip access-list extended general

permit ip any any

ip access-list extended inside_acl

permit udp host 192.168.10.1 host 172.16.1.78 eq domain

permit udp host 192.168.10.1 host 172.16.1.80 eq domain

permit udp host 192.168.10.2 host 172.16.1.78 eq domain

permit udp host 192.168.10.2 host 172.16.1.80 eq domain

permit tcp host 192.168.10.50 host 172.16.1.90 eq 8080

permit tcp host 192.168.10.50 host 172.16.1.90 eq 8081

permit tcp host 192.168.10.48 host 172.16.1.92 eq 8080

permit tcp host 192.168.10.48 host 172.16.1.92 eq 8081

permit tcp host 192.168.10.63 host 172.16.1.92 eq 8080

permit tcp host 192.168.10.54 host 172.16.1.10 eq 3389

permit tcp host 192.168.10.54 host 172.16.1.11 eq 3389

permit tcp host 192.168.10.54 host 172.16.1.13 eq 3389

permit tcp host 192.168.10.54 host 172.16.1.14 eq 3389

permit tcp host 192.168.10.54 host 172.16.1.15 eq 3389

permit tcp 192.168.10.0 0.0.0.255 host 172.16.1.20 eq 1433

permit tcp 192.168.10.0 0.0.0.255 host 172.16.1.22 eq 1433

permit tcp 192.168.10.0 0.0.0.255 host 172.16.1.24 eq 1433

permit tcp 192.168.10.0 0.0.0.255 host 172.16.1.26 eq 1433

permit tcp 192.168.10.0 0.0.0.255 host 172.16.1.28 eq 1433

permit tcp 192.168.10.0 0.0.0.255 host 172.16.1.30 eq 1433

permit tcp 192.168.10.0 0.0.0.255 host 172.16.1.32 eq 1433

permit tcp 192.168.10.0 0.0.0.255 host 172.16.1.34 eq 1433

permit tcp 192.168.10.0 0.0.0.255 host 172.16.1.36 eq 1433

permit tcp 192.168.10.0 0.0.0.255 host 172.16.1.100 eq 1433

permit tcp 192.168.10.0 0.0.0.255 host 172.16.2.118 eq 1433

permit ip host 192.168.10.50 172.16.0.0 0.0.255.255

permit ip host 192.168.10.51 172.16.0.0 0.0.255.255

permit ip host 192.168.10.57 172.16.0.0 0.0.255.255

permit ip host 192.168.10.66 172.16.0.0 0.0.255.255

permit ip host 192.168.10.61 172.16.0.0 0.0.255.255

permit ip host 192.168.10.67 172.16.0.0 0.0.255.255

permit ip host 192.168.10.83 172.16.0.0 0.0.255.255

permit ip host 192.168.10.84 172.16.0.0 0.0.255.255

permit ip host 192.168.10.55 172.16.0.0 0.0.255.255

permit ip host 192.168.10.160 172.16.0.0 0.0.255.255

permit ip host 192.168.10.163 172.16.0.0 0.0.255.255

permit ip host 192.168.10.203 172.16.0.0 0.0.255.255

permit tcp 192.168.10.0 0.0.0.255 172.16.0.0 0.0.255.255 eq www

permit tcp 192.168.10.0 0.0.0.255 172.16.0.0 0.0.255.255 eq 443

permit tcp 192.168.10.0 0.0.0.255 host 172.16.1.90 eq 7099

permit tcp 192.168.10.0 0.0.0.255 host 172.16.1.93 eq ftp

permit tcp 192.168.10.0 0.0.0.255 host 172.16.1.93 eq 22

deny   ip 192.168.10.0 0.0.0.255 172.16.0.0 0.0.255.255

deny   ip 192.168.11.0 0.0.0.255 172.16.0.0 0.0.255.255

  deny   tcp any any eq 4662

  deny   tcp any 128.121.20.0 0.0.0.15 eq www

deny   tcp any 128.121.4.0 0.0.0.255 eq www

  permit ip any any

permit icmp 192.168.10.0 0.0.0.255 any echo

permit icmp 192.168.10.0 0.0.0.255 any echo-reply

ip access-list extended outside_acl

permit ahp host 140.82.111.30 host 81.134.145.210

permit ahp any host 81.134.145.210

permit esp host 140.82.111.30 host 81.134.145.210

permit esp any host 81.134.145.210

permit udp host 140.82.111.30 host 81.134.145.210 eq isakmp

permit udp any host 81.134.145.210 eq isakmp

permit udp host 140.82.111.30 host 81.134.145.210 eq non500-isakmp

permit udp any host 81.134.145.210 eq non500-isakmp

permit ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.255.255

permit udp host 140.82.111.30 any eq isakmp

permit udp host 140.82.111.30 eq isakmp any

permit esp host 140.82.111.30 any

permit udp any eq isakmp any

permit udp any any eq non500-isakmp

permit udp any any eq isakmp

permit ahp any any

permit esp any any

permit tcp any host 81.134.145.212 eq 995

permit tcp any host 81.134.145.212 eq 587

permit tcp any host 81.134.145.212 eq www

permit tcp any host 81.134.145.212 eq 443

permit tcp any host 81.134.145.212 eq smtp

permit tcp any host 81.134.145.212 eq 993

permit tcp any host 81.134.145.213 eq www

permit tcp any host 81.134.145.214 eq www

permit tcp any host 81.134.145.215 eq www

permit tcp any host 81.134.145.215 eq 443

permit tcp any host 81.134.145.216 eq www

permit tcp any host 81.134.145.216 eq 443

permit tcp host 80.177.153.32 host 81.134.145.214 eq 8080

permit tcp host 140.82.111.30 host 81.134.145.214 eq 8080

permit icmp any any

deny   ip any any log

!

logging 192.168.10.203

access-list 1 permit 192.168.10.0 0.0.0.255

access-list 100 permit ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255

access-list 101 deny   ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255

access-list 101 permit ip any host 146.101.162.209

access-list 101 permit ip any host 146.101.250.35

access-list 101 permit ip any host 80.64.57.160

access-list 101 permit ip any host 80.64.57.161

access-list 101 permit ip any host 146.101.121.78

access-list 101 permit ip any host 146.101.121.79

access-list 101 deny   ip host 192.168.10.203 any

access-list 101 deny   ip 192.168.10.0 0.0.0.255 172.16.0.0 0.0.255.255

access-list 101 deny   ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255

access-list 101 deny   ip any 192.168.11.0 0.0.0.255

access-list 101 deny   ip 192.168.10.50 0.0.0.1 any

access-list 101 deny   ip 192.168.10.52 0.0.0.3 any

access-list 101 deny   ip 192.168.10.56 0.0.0.7 any

access-list 101 deny   ip 192.168.10.64 0.0.0.31 any

access-list 101 deny   ip 192.168.10.96 0.0.0.3 any

access-list 101 deny   ip host 192.168.10.100 any

access-list 101 deny   ip host 192.168.10.204 any

access-list 101 deny   ip host 192.168.10.205 any

access-list 101 deny   ip host 192.168.10.206 any

access-list 101 deny   ip host 192.168.10.207 any

access-list 101 deny   ip host 192.168.10.208 any

access-list 101 deny   ip host 192.168.10.209 any

access-list 101 deny   ip host 192.168.10.210 any

access-list 101 deny   ip host 192.168.10.220 any

access-list 101 deny   ip host 192.168.10.221 any

access-list 101 permit ip 192.168.50.0 0.0.0.255 any

access-list 101 permit ip 192.168.10.0 0.0.0.31 any

access-list 101 permit ip 192.168.10.32 0.0.0.15 any

access-list 101 permit ip 192.168.10.48 0.0.0.1 any

access-list 101 permit ip host 192.168.10.101 any

access-list 101 permit ip 192.168.10.102 0.0.0.1 any

access-list 101 permit ip 192.168.10.104 0.0.0.7 any

access-list 101 permit ip 192.168.10.112 0.0.0.15 any

access-list 101 permit ip 192.168.10.128 0.0.0.63 any

access-list 101 permit ip 192.168.10.192 0.0.0.31 any

access-list 101 permit ip 192.168.10.224 0.0.0.15 any

access-list 101 permit ip 192.168.10.240 0.0.0.7 any

access-list 101 permit ip 192.168.10.248 0.0.0.3 any

access-list 101 permit ip 192.168.10.252 0.0.0.1 any

access-list 102 permit ip any any

access-list 103 deny   ip any any dscp 1 log

access-list 103 permit ip any any

access-list 104 deny   ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255

access-list 104 deny   ip host 192.168.10.203 172.16.0.0 0.0.255.255

access-list 104 deny   ip host 192.168.10.203 192.168.11.0 0.0.0.255

access-list 104 deny   ip any 192.168.11.0 0.0.0.255

access-list 104 permit ip host 192.168.10.203 any

access-list 104 permit ip host 192.168.10.204 any

access-list 104 permit ip host 192.168.10.205 any

access-list 104 permit ip host 192.168.10.206 any

access-list 104 permit ip host 192.168.10.207 any

access-list 104 permit ip host 192.168.10.208 any

access-list 104 permit ip host 192.168.10.209 any

access-list 104 permit ip host 192.168.10.210 any

access-list 104 permit ip host 192.168.10.220 any

access-list 104 permit ip host 192.168.10.221 any

access-list 105 deny   ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255

access-list 105 deny   ip host 192.168.10.203 any

access-list 105 deny   ip 192.168.10.0 0.0.0.255 172.16.0.0 0.0.255.255

access-list 105 deny   ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255

access-list 105 deny   ip any 192.168.11.0 0.0.0.255

access-list 105 deny   ip 192.168.10.0 0.0.0.31 any

access-list 105 deny   ip 192.168.10.32 0.0.0.15 any

access-list 105 deny   ip 192.168.10.48 0.0.0.1 any

access-list 105 deny   ip host 192.168.10.101 any

access-list 105 deny   ip 192.168.10.102 0.0.0.1 any

access-list 105 deny   ip 192.168.10.104 0.0.0.7 any

access-list 105 deny   ip 192.168.10.112 0.0.0.15 any

access-list 105 deny   ip 192.168.10.128 0.0.0.63 any

access-list 105 deny   ip 192.168.10.192 0.0.0.31 any

access-list 105 deny   ip 192.168.10.224 0.0.0.15 any

access-list 105 deny   ip 192.168.10.240 0.0.0.7 any

access-list 105 deny   ip 192.168.10.248 0.0.0.3 any

access-list 105 deny   ip 192.168.10.252 0.0.0.1 any

access-list 105 deny   ip host 192.168.10.204 any

access-list 105 deny   ip host 192.168.10.205 any

access-list 105 deny   ip host 192.168.10.206 any

access-list 105 deny   ip host 192.168.10.207 any

access-list 105 deny   ip host 192.168.10.208 any

access-list 105 deny   ip host 192.168.10.209 any

access-list 105 deny   ip host 192.168.10.210 any

access-list 105 deny   ip host 192.168.10.220 any

access-list 105 deny   ip host 192.168.10.221 any

access-list 105 permit ip 192.168.10.50 0.0.0.1 any

access-list 105 permit ip 192.168.10.52 0.0.0.3 any

access-list 105 permit ip 192.168.10.56 0.0.0.7 any

access-list 105 permit ip 192.168.10.64 0.0.0.31 any

access-list 105 permit ip 192.168.10.96 0.0.0.3 any

access-list 105 permit ip host 192.168.10.100 any

access-list 105 permit ip 192.168.50.0 0.0.0.255 any

access-list 106 permit ip any any

access-list 107 permit ip any any

access-list 109 permit ip 0.0.0.0 255.255.0.0 0.0.0.0 255.255.0.0

access-list 109 permit ip 0.0.0.0 255.255.0.0 0.0.0.0 255.255.255.0

access-list 109 permit ip any 0.0.0.0 255.255.255.0

access-list 109 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0

access-list 111 deny   ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255

access-list 111 deny   ip 192.168.10.0 0.0.0.255 172.16.0.0 0.0.255.255

access-list 111 deny   ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255

access-list 111 deny   ip any 192.168.11.0 0.0.0.255

access-list 111 permit ip 192.168.10.0 0.0.0.255 any

access-list 111 permit ip 192.168.50.0 0.0.0.255 any

dialer-list 1 protocol ip permit

snmp-server community

snmp-server host 192.168.10.203

arp 192.168.10.110 03bf.c0a8.0a6e ARPA

arp 192.168.10.111 03bf.c0a8.0a6e ARPA

!

!

!

!

!

!

control-plane

!

bridge 1 protocol ieee

bridge 1 route ip

!

!

line con 0

line aux 0

scheduler allocate 20000 1000

end

Small update,

I have tried to create a route-map to direct just my machine alone down the dialer0 interface but it doesn't appear to have worked. Although I have Internet and no VPN, if I do a traceroute to www.bbc.co.uk it shows my packets still going via the FastEthernet0/0. So I don't understand what is happening now, as I have the Internet but no VPN, but if I were going out on the FastEthernet0/0 interface I would expect to be allowed to access the VPN still. I haven't set this firewall up, just inherited it, and have to learn quickly.

Thanks,

David.

access-list 110 permit ip host 192.168.10.55 any
route-map Dial permit
match ip address 110
set interface Dialer0
ip nat inside source route-map Dial interface Dialer0 overload
