Cisco Support Community
VPN Hairpin config - access list issue

I have an "internet on a stick" configuration similar to the scheme described here

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008073b06b.shtml

with a number of spoke VPNs connected to a hub router, and a number of WAN sites connected by another router on the same LAN. NAT is not enabled on the remote spoke VPN routers, thus forcing all internet traffic for activities like web browsing through the hub router.

My issue is controlling access for outgoing traffic to the internet from the LANs on these spoke routers. I can control access from the local LAN and remote LANs with access-list 110 in the C1811HUB-V2 file (attached). Access list 110 is applied to incoming traffic on the inside interface as follows:

interface FastEthernet0/1
 description Internal HO LAN$ETH-LAN$
 ip address 192.168.0.252 255.255.255.0
 ip access-group 110 in

but traffic from LANs at the end of the spoke VPNs is not controlled by access-list 110 because this traffic is being hairpinned off loopback1 and is already internal to the router - i.e. it isn't entering the router from the local LAN.

Where do I need to apply access-list 110 in order to control internet access?

TIA for your help

Phil

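The post's reasoning is about the packet path: an `ip access-group ... in` on FastEthernet0/1 is only evaluated for packets that physically enter on that interface, so decrypted spoke traffic arriving via Loopback1 never meets it. The following added example (editor's code, not from the post or from Cisco) models that evaluation rule together with IOS wildcard-mask matching, using the hub LAN 192.168.0.0/24 and interface names from the post; the spoke LAN 192.168.10.0/24, the internet host 203.0.113.10 and the outside interface name FastEthernet0/0 are constructed assumptions. It runs the same ACL 110 bound at two attachment points and shows which flows each binding actually sees.

```python
"""Toy model of where an IOS 'ip access-group' is evaluated along the packet path.

Added example, not from the post. Constructed scenario: hub LAN 192.168.0.0/24 on
FastEthernet0/1 (from the post), spoke LAN 192.168.10.0/24 arriving hairpinned via
Loopback1, and an assumed outside interface FastEthernet0/0. NAT is not modelled.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Flow:
    src: str       # source IP of the packet
    dst: str       # destination IP
    ingress: str   # interface the packet enters the router on
    egress: str    # interface the routing table sends it out of


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'don't care' (the inverse of a subnet mask)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def _address_spec(tokens: list, i: int):
    """Consume one IOS address specifier at tokens[i]: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def parse_acl(text: str) -> dict:
    """Parse 'access-list N permit|deny ip SRC DST' lines into {N: [entries]}."""
    acls: dict = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[3] != "ip":
            raise ValueError(f"unsupported ACE (only 'ip' entries are modelled): {line}")
        number, action = int(tok[1]), tok[2]
        src, swc, i = _address_spec(tok, 4)
        dst, dwc, _ = _address_spec(tok, i)
        acls.setdefault(number, []).append((action, src, swc, dst, dwc))
    return acls


def acl_permits(entries: list, src: str, dst: str) -> bool:
    """First matching ACE wins; IOS appends an implicit 'deny any any'."""
    for action, sb, sw, db, dw in entries:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False


def forward(flow: Flow, bindings: dict, acls: dict):
    """Evaluate only the ACLs bound where this packet actually passes: the ingress
    interface's 'in' ACL, then the egress interface's 'out' ACL. bindings maps
    (interface, 'in'|'out') -> ACL number, like 'ip access-group'.
    Returns (permitted, list of the bindings that were evaluated)."""
    checked = []
    for iface, direction in ((flow.ingress, "in"), (flow.egress, "out")):
        number = bindings.get((iface, direction))
        if number is None:
            continue
        checked.append(f"{iface} {direction}")
        if not acl_permits(acls[number], flow.src, flow.dst):
            return False, checked
    return True, checked


# Constructed ACL: block both LANs from one internet host, allow everything else.
ACL_TEXT = """
access-list 110 deny   ip 192.168.0.0 0.0.0.255 host 203.0.113.10
access-list 110 deny   ip 192.168.10.0 0.0.0.255 host 203.0.113.10
access-list 110 permit ip any any
"""

FLOWS = {
    # local HO LAN host: enters on Fa0/1, so an inbound ACL there sees it
    "local": Flow("192.168.0.50", "203.0.113.10", "FastEthernet0/1", "FastEthernet0/0"),
    # spoke LAN host: decrypted and hairpinned via Loopback1, never enters on Fa0/1
    "spoke": Flow("192.168.10.50", "203.0.113.10", "Loopback1", "FastEthernet0/0"),
}


def run_scenarios() -> dict:
    """Same ACL, two attachment points; returns {scenario: {flow: (permitted, checked)}}."""
    acls = parse_acl(ACL_TEXT)
    scenarios = {
        "inbound on FastEthernet0/1": {("FastEthernet0/1", "in"): 110},
        "outbound on FastEthernet0/0": {("FastEthernet0/0", "out"): 110},
    }
    return {name: {fname: forward(f, b, acls) for fname, f in FLOWS.items()}
            for name, b in scenarios.items()}


if __name__ == "__main__":
    for scenario, results in run_scenarios().items():
        print(scenario)
        for fname, (permitted, checked) in results.items():
            verdict = "permit" if permitted else "deny"
            print(f"  {fname}: {verdict} (evaluated: {checked or 'nothing'})")
```

With the ACL bound inbound on FastEthernet0/1, the spoke flow is forwarded with no ACL evaluated at all, which is exactly the symptom in the post; bound outbound on the outside interface, both flows are checked. One caveat the model deliberately leaves out: on IOS, inside-to-outside NAT runs before the outbound ACL of the outside interface, so an ACL placed there matches translated addresses, not the private LAN sources used in ACL 110. Any real placement therefore has to account for where NAT and decryption sit relative to the chosen attachment point.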