
Maximum number of secured routes?

Hello

Does anyone know if there is a limit on the number of secured routes that you can give a VPN client?

I'm testing my lab PIX 515E 6.3.3 with new VPN profiles/ACLs and encountered this problem.

I have created an object-group (network) for the secured routes that I want to give the user:

object-group network new_vpn_ip_ranges
 description internal_network_ip_ranges
 network-object 192.168.2.0 255.255.255.0
 network-object 192.168.14.0 255.255.255.0
 network-object 192.168.15.0 255.255.255.0
 network-object 192.168.16.0 255.255.255.0
 network-object 192.168.17.0 255.255.255.0
 network-object 192.168.19.0 255.255.255.0
 network-object 192.168.20.0 255.255.255.0
 network-object 192.168.21.0 255.255.255.0
 network-object 192.168.25.0 255.255.255.0

Then I created a new object-group for the VPN IP pools that I wanted the internal network to be able to access:

object-group network new_vpn_ip_pools
 description internal_vpn_pools
 network-object 192.168.34.0 255.255.255.0
 network-object 192.168.35.0 255.255.255.0
 network-object 192.168.35.0 255.255.255.0
 network-object 192.168.36.0 255.255.255.0
 network-object 192.168.37.0 255.255.255.0
 network-object 192.168.40.0 255.255.255.0
 network-object 192.168.41.0 255.255.255.0
 network-object 192.168.42.0 255.255.255.0
 network-object 192.168.43.0 255.255.255.0
 network-object 192.168.64.0 255.255.255.0
 network-object 192.168.65.0 255.255.255.0
 network-object 192.168.69.0 255.255.255.0

Then I created the ACL for this to work:

access-list testingnewvpn permit ip object-group new_vpn_ip_ranges object-group new_vpn_ip_pools

If I then check "secure routes" in the VPN client, it only gives me the 192.168.2.0, 192.168.14.0, 192.168.15.0, 192.168.16.0 and 192.168.17.0 networks and skips the rest. There are something like 14 secure route entries for each ACL rule.

Like:

192.168.2.0 255.255.255.0
192.168.2.0 255.255.255.0
192.168.2.0 255.255.255.0
(and so on, x 14 for each ACL rule)

Am I doing this wrong?

If I just use this ACL, it becomes perfect:

access-list testingnewvpn permit ip object-group new_vpn_ip_ranges 192.168.32.0 255.255.255.0

Thank you

1 REPLY
Re: Maximum number of secured routes?

Many network attacks rely on an attacker that falsifies, or spoofs, the source addresses of IP datagrams. Some attacks rely on spoofing to work at all, and other attacks are much harder to trace if the attacker can use the address of someone else instead of his or her own. Therefore, it is valuable for network administrators to prevent spoofing wherever feasible.
