
New Member

different port direction

I've got several 816s connecting to a 2611 in a VPN structure. I'd like all HTTP, POP and SMTP traffic to exit locally through each 816... any chance of doing that?

3 REPLIES
Gold

Re: different port direction

It's feasible by modifying the ACL for interesting traffic; in other words, it tells the router what sort of traffic should be encrypted and sent via the VPN tunnel.

E.g., with the current config, it may have:

access-list 100 permit ip any

It can be modified like:

access-list 100 permit ip

Alternatively, provided the VPN type is remote access, split tunneling needs to be configured on the VPN server/hub.

E.g.:

aaa new-model
aaa authentication login vpnauthen local
aaa authorization network vpnauthor local

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2

crypto isakmp client configuration group vpngroup
 key xxxxxxxx
 pool vpnpool
 acl 130

crypto ipsec transform-set vpnset esp-3des esp-md5-hmac

crypto dynamic-map dynmap 10
 set transform-set vpnset

crypto map vpnmap client authentication list vpnauthen
crypto map vpnmap isakmp authorization list vpnauthor
crypto map vpnmap client configuration address respond
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap

interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside

interface Dialer0
 ip address
 ip nat outside
 crypto map vpnmap

ip local pool vpnpool 10.1.1.1 10.1.1.10
ip nat inside source route-map nonat interface Dialer0 overload

access-list 101 deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 130 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255

route-map nonat permit 10
 match ip address 101

In particular, the command "acl 130" under "crypto isakmp client configuration group vpngroup" and the actual ACL 130 are required for split tunneling.
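As an added illustration (not part of the reply above), the Python below models how IOS evaluates an interesting-traffic ACL, first match wins, wildcard masks where a 1 bit means "don't care": a permit entry sends the flow into the tunnel, a deny entry or no match leaves it to exit locally through NAT. The ACL and the flows are constructed for this example and are not the poster's config; note that a deny with "any" as destination also keeps web/mail traffic bound for the hub LAN out of the tunnel.

```python
import ipaddress

# Constructed crypto ACL for the example: tunnel the 816 LAN to the hub LAN,
# but let HTTP, POP3 and SMTP exit locally in the clear.
CRYPTO_ACL = [
    "deny tcp 192.168.1.0 0.0.0.255 any eq 80",
    "deny tcp 192.168.1.0 0.0.0.255 any eq 110",
    "deny tcp 192.168.1.0 0.0.0.255 any eq 25",
    "permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255",
]


def _parse_addr(tokens, i):
    """Consume one IOS address spec: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return net, wildcard, i + 2


def parse_ace(line):
    """Parse one access-list entry into its action, protocol, addresses and optional 'eq' port."""
    t = line.split()
    action, proto = t[0], t[1]
    src, swc, i = _parse_addr(t, 2)
    dst, dwc, i = _parse_addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return dict(action=action, proto=proto, src=src, swc=swc, dst=dst, dwc=dwc, dport=dport)


def _match_addr(ip, net, wildcard):
    # Wildcard bits set to 1 are ignored when comparing the address to the entry.
    return (int(ipaddress.IPv4Address(ip)) | wildcard) == (net | wildcard)


def is_interesting(acl, src, dst, proto="tcp", dport=None):
    """True if the flow is encrypted into the tunnel (first matching entry is a permit)."""
    for ace in map(parse_ace, acl):
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue
        if not _match_addr(src, ace["src"], ace["swc"]):
            continue
        if not _match_addr(dst, ace["dst"], ace["dwc"]):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"] == "permit"
    return False  # implicit deny: no match means the packet is not protected
```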

New Member

Re: different port direction

Thanks for your help...

I'm going to have to dig in a bit on that... digest the stuff and read more about it... lol...

thanks for the lead...

Gold

Re: different port direction

Welcome. Feel free to discuss any further questions.
