access-list 100 deny ip 192.168.168.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 100 permit ip 192.168.168.0 0.0.0.255 any
Your Crypto ACL should be,
access-list 101 permit ip 192.168.168.0 0.0.0.255 192.168.0.0 0.0.255.255
So this is how it works: when an outbound packet hits the internal interface, it will check the routing table and will pick the default gateway route via your Internet link.
We have NAT outside enabled on that interface. It will then check if the NAT ACL passes. In your case, only the traffic from the local subnet to other places, excluding the Main office range, will be permitted for NAT, so if your packet is destined to the internet it will then get NAT/PAT'ed out.
If the packet is destined to the main office, it will NOT get NAT'ed and will proceed and will see the Crypto MAP configured on the outside interface. It will check the Crypto ACL, which is a pass, and this will then get encrypted and be sent through the IPSec tunnel.
It is important to make sure that you have the mirrored Crypto ACL configured on the Main office side, otherwise you will run into issues.
Hope this helps.. let me know if you need more information on this..
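The decision order described in the reply above, as an added example that is not part of the original post: a simplified Python model that evaluates the two ACLs for a packet and checks that a main-office crypto ACL mirrors the branch one. The function names are hypothetical and the main-office line is constructed for illustration.

```python
import ipaddress
# ACL lines as given in the post: 100 is the NAT ACL, 101 the crypto ACL.
BRANCH = """\
access-list 100 deny ip 192.168.168.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 100 permit ip 192.168.168.0 0.0.0.255 any
access-list 101 permit ip 192.168.168.0 0.0.0.255 192.168.0.0 0.0.255.255
"""
# Constructed main-office side: the mirror image of ACL 101 above.
MAIN_OFFICE = "access-list 101 permit ip 192.168.0.0 0.0.255.255 192.168.168.0 0.0.0.255\n"

def _spec(tok):
    """Consume 'any' or 'ADDR WILDCARD'; return ((base, wildcard), remaining tokens)."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    base, wild = (int(ipaddress.IPv4Address(t)) for t in tok[:2])
    return (base & ~wild & 0xFFFFFFFF, wild), tok[2:]  # zero the don't-care bits

def parse_acls(text):
    """Return {acl_number: [(action, src_spec, dst_spec), ...]} for 'ip' entries."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) >= 6 and t[0] == "access-list" and t[3] == "ip":
            src, rest = _spec(t[4:])
            dst, _ = _spec(rest)
            acls.setdefault(t[1], []).append((t[2], src, dst))
    return acls

def _hit(addr, spec):
    return (int(ipaddress.IPv4Address(addr)) & ~spec[1] & 0xFFFFFFFF) == spec[0]

def permits(entries, src, dst):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for action, s, d in entries:
        if _hit(src, s) and _hit(dst, d):
            return action == "permit"
    return False

def outbound(acls, src, dst, nat_acl="100", crypto_acl="101"):
    """Simplified model of the order the post describes for the outside interface."""
    if permits(acls[nat_acl], src, dst):
        return "nat"      # translated, leaves toward the Internet
    if permits(acls[crypto_acl], src, dst):
        return "ipsec"    # exempt from NAT, matches the crypto ACL, encrypted
    return "clear"        # neither translated nor encrypted

def is_mirrored(local, remote):
    """True when the remote crypto ACL is the local one with src/dst swapped."""
    return [(a, d, s) for a, s, d in local] == remote
```

A result of "clear" for traffic that was expected to use the tunnel means the crypto ACL did not match, so the packet would leave the outside interface unencrypted.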
This is actually a pretty cool feature. I didn't even know it existed until I was looking for a solution to advertise a subnet (prefix in BGP talk) only if a certain condition existed. This is exactly what conditional advertisements do.
I have a question: I bought a Cisco 887VA-k9 router and configured it with the configuration below.
If I connect it directly to my laptop on one of its ports, it works and everything is fine (the internet connection + m...
Attached policy provides CLI access to the Cisco 4G router over text messaging. Two files are in the attached .tar file:
2. PDF with instructions on how to load and use the .tcl file.