Limiting Internet access with VPN setup

I have a remote office that is connected via site to site VPN from a 1720 router (remote office) to Pix (HQ). The remote office has its own T1. The users in the remote office go across the VPN for LAN/WAN resources and go straight out the T1 to the Internet. I have used the route-map command to specify which subnets are allowed over the VPN and which are directed towards the Internet. I basically followed the sample doc at

Here are the relevant config lines:

HQ LAN subnet -
HQ LAN subnet -
Remote LAN subnet -
Remote WAN subnet -

Here is my setup on the router:

crypto map catcher
 match address 120
ip nat pool remote prefix-length 24
ip nat inside source route-map nonat pool remote
access-list 120 permit ip
access-list 120 permit ip
access-list 130 deny ip
access-list 130 deny ip
access-list 130 permit ip any
route-map nonat permit 10
 match ip address 130

I would like to limit all users that have a or higher IP address on the remote LAN subnet from accessing the Internet. I tried changing the last line of access-list 130 to but it did not work. Does anyone have an idea on how to make this work?




Re: Limiting Internet access with VPN setup

To keep all addresses above .130 from getting into the nat path, you should use this set of entries:

permit (permits 0-223)

permit (permits 224-227)

permit (permits 228-229)

permit (permits 230)

You can do this on the deny side as well:

deny host



ip subnet'r will figure these out for you on a palm pilot.... I'm working on a new version currently, to be released when I finish my networkers presentations and I get around to it.... :-)
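The range-to-wildcard arithmetic the reply above describes, as an added example that is not part of the original thread: a short Python script that decomposes a contiguous range of hosts into the minimal set of address/wildcard-mask entries an ordinary Cisco ACL can express, renders access-list 130 both in the permit form (list only the sources that may be translated) and in the deny form the reply mentions (deny the excluded sources, then permit the whole LAN), and expands the entries back into addresses to check that they match exactly the intended hosts. The addresses are assumptions taken from the RFC 5737 documentation prefixes, since the thread's real subnets are not on the page: 192.0.2.0/24 stands in for the remote LAN, 198.51.100.0/24 for the HQ LAN reached over the VPN, and hosts .0 through .230 are the ones allowed out to the Internet, which is the cut-off the reply's four entries add up to. An entry with an ordinary wildcard mask matches an aligned block of 2^k addresses, so the greedy decomposition below yields six permit entries (.0 through .223 alone takes three blocks) but only three deny entries plus the blanket permit, which is why the deny side comes out shorter here.

```python
"""Range-to-wildcard decomposition for Cisco ACL entries.

Added example, not code from the original thread. The addresses are
assumptions (RFC 5737 documentation prefixes); substitute the real subnets.
"""
import ipaddress


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _str(n):
    return str(ipaddress.IPv4Address(n))


def range_to_wildcard_entries(start, end):
    """Minimal list of (base, wildcard) pairs whose union is exactly start..end.

    An ordinary wildcard entry matches an aligned block of 2**k addresses
    (wildcard = 2**k - 1), so the greedy rule is: from the current position,
    take the largest block that is both aligned there and fits before `end`.
    """
    lo, hi = _ip(start), _ip(end)
    if lo > hi:
        raise ValueError("start must not be above end")
    entries = []
    while lo <= hi:
        size = 1
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        entries.append((_str(lo), _str(size - 1)))
        lo += size
    return entries


def hosts_matched(entries):
    """Expand (base, wildcard) entries to the set of addresses they match,
    to check a decomposition against the intended range."""
    matched = set()
    for base, wildcard in entries:
        b, w = _ip(base), _ip(wildcard)
        fixed = b & ~w & 0xFFFFFFFF
        # an address matches when it agrees with base on every non-wildcard bit
        for x in range(w + 1):
            if x & ~w == 0:  # also correct for discontiguous masks
                matched.add(fixed | x)
    return matched


def build_nat_acl(acl, lan_cidr, internet_hosts, vpn_dests):
    """Render the NAT route-map ACL two ways and return (permit_form, deny_form).

    lan_cidr: the remote LAN (assumed 192.0.2.0/24 below)
    internet_hosts: (first, last) host addresses allowed to be translated
    vpn_dests: destination networks reached over the VPN, excluded from NAT
    """
    lan = ipaddress.IPv4Network(lan_cidr)
    lan_src = f"{lan.network_address} {lan.hostmask}"
    first, last = internet_hosts
    # traffic bound for the VPN must never be translated: these lines come first
    vpn_lines = [
        f"access-list {acl} deny ip {lan_src} {d.network_address} {d.hostmask}"
        for d in map(ipaddress.IPv4Network, vpn_dests)
    ]
    # permit form: enumerate only the sources that may be translated
    permit_form = vpn_lines + [
        f"access-list {acl} permit ip {base} {wc} any"
        for base, wc in range_to_wildcard_entries(first, last)
    ]
    # deny form: deny the LAN hosts outside the range, then permit the whole LAN
    excluded = []
    if _ip(first) > int(lan.network_address):
        excluded.append((_str(int(lan.network_address)), _str(_ip(first) - 1)))
    if _ip(last) < int(lan.broadcast_address):
        excluded.append((_str(_ip(last) + 1), _str(int(lan.broadcast_address))))
    deny_form = list(vpn_lines)
    for a, b in excluded:
        deny_form += [f"access-list {acl} deny ip {base} {wc} any"
                      for base, wc in range_to_wildcard_entries(a, b)]
    deny_form.append(f"access-list {acl} permit ip {lan_src} any")
    return permit_form, deny_form


if __name__ == "__main__":
    permit_form, deny_form = build_nat_acl(
        130, "192.0.2.0/24", ("192.0.2.0", "192.0.2.230"), ["198.51.100.0/24"])
    print("! permit form")
    print("\n".join(permit_form))
    print("! deny form")
    print("\n".join(deny_form))
```

Whichever form is used, ACL order matters because the first matching line wins: the lines that exclude VPN destinations from translation must stay ahead of any permit, and in the deny form the per-source denies must precede the catch-all permit. One general caveat: access-list 130 only decides which sources get a translation. A host left out of it still has its packets forwarded to the T1 with its private source address and is kept off the Internet only because no reply can come back to that address; an explicit filtering ACL on the outside interface is the stricter control.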



Re: Limiting Internet access with VPN setup

Are you saying that in my last line, which was access-list 130 permit ip - that I should break it down to the 4 entries above? I want the whole 255 subnet to be able to access resources on the VPN but only the first 230 to go out to the Internet, which is what the last line in access-list 130

