Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
218
Views
0
Helpful
3
Replies

different port direction

filipe-boleto
Level 1
Level 1

‎02-17-2006 10:35 AM - edited ‎03-09-2019 01:58 PM

I've got several 816's connecting to a 2611 in a VPN structure. I'd like all http, pop and smtp traffic to exit locally through each 816... any chance of doing that?

Labels:
0 Helpful
3 Replies 3

jackko
Level 7
Level 7

‎02-17-2006 05:57 PM

it's feasible by modifying the acl for interesting traffic, in other words, it tells the router what sort of traffic should be encrypted and sent via the vpn tunnel.

e.g. with the current config, it may have:

access-list 100 permit ip any

it can be modified like:

access-list 100 permit ip

alternatively, providing the vpn type is remote access, then split tunneling needs to be configured on the vpn server/hub.

e.g.

aaa new-model

aaa authentication login vpnauthen local

aaa authorization network vpnauthor local

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

crypto isakmp client configuration group vpngroup

key xxxxxxxx

pool vpnpool

acl 130

crypto ipsec transform-set vpnset esp-3des esp-md5-hmac

crypto dynamic-map dynmap 10

set transform-set vpnset

crypto map vpnmap client authentication list vpnauthen

crypto map vpnmap isakmp authorization list vpnauthor

crypto map vpnmap client configuration address respond

crypto map vpnmap 10 ipsec-isakmp dynamic dynmap

interface Ethernet0

ip address 192.168.1.1 255.255.255.0

ip nat inside

interface Dialer0

ip address

ip nat outside

crypto map vpnmap

ip local pool vpnpool 10.1.1.1 10.1.1.10

ip nat inside source route-map nonat interface Dialer0 overload

access-list 101 deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255

access-list 101 permit ip 192.168.1.0 0.0.0.255 any

access-list 130 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255

route-map nonat permit 10

match ip address 101

in particular, the command "acl 130" under "crypto isakmp client configuration group vpngroup" and the actual acl 130 are required for split tunneling.

0 Helpful

filipe-boleto
Level 1
Level 1

‎02-18-2006 02:58 AM

Thanks for your help...

I'm going to have to dig-in a bit on that... Digest the stuff and read more about it... lol...

thanks for the lead...

0 Helpful

jackko
Level 7
Level 7
In response to filipe-boleto

‎02-18-2006 03:19 AM

welcome. feel free to discuss any further question.

0 Helpful
Customers Also Viewed These Support Documents