• Status: Solved
  • Priority: Medium
  • Security: Public

Router config

Hello EE. I am trying to modify an existing configuration to bypass the VPN tunnel for traffic to one of my interfaces that has an assigned public IP, but it is not working. I am trying to figure out if the problem is my config. I attached the config and added these statements:

Interface FastEthernet0/1
ip address XXX.9.12.XXX (First usable public lan ip)
duplex auto
speed auto

ip route XXX.9.12.XXX xxx.9.10.xxx

access-list 40 permit xxx.9.12.0 (allow all traffic for testing)

route-map nonat permit 20
 match ip address 40
 set ip next-hop xxx.9.10.xxx

For testing I want to allow all port traffic to and from my Fa0/1. The second public IP is assigned to another device that is connected to my Fa0/1 interface and is using my Fa0/1 IP address as its GTW. Will this work? I cannot ping the device. Are pings blocked?
2 Solutions
Hi Dfig,

Based on the config file and what you are trying to do, I think this can help you out.

The instructions are for a catalyst, but should work if using IOS.  Best of Luck!
InSearchOf (Author) commented:
Thanks for the info nmacfall. I was hoping for something more specific to my question and config. Will my statements work, and if not, how should I modify them? I'm not a Cisco heavy; I just know how to move around. The config on this router was pre-existing.
Jan Springer commented:
In a typical VPN configuration, I would expect to see an access list denying NAT between the internal IPs of both ends of the tunnel. Yours is "access-list 10".

You need three things:

1) a deny of your test IP in access-list 10 before any permits
2) an access-list permitting your test IP for the route-map
3) a route-map statement on the gateway interface for the test IP

If your test IP comes in on the same interface as all other traffic, then you need to use a single route map with the order of permits being important:  1) test permit is first and 2) VPN permit is second

With a bunch of "X"s where there should be IPs for internal and external, it's difficult to be more explicit.
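The three items above, written out as an added IOS configuration example (not a config from the thread or from either poster). Every address is a placeholder: 203.0.113.0/24 stands in for the public block on Fa0/1, 198.51.100.1 for the ISP next hop, 192.168.1.0/24 for the inside LAN that is NATed and 192.168.2.0/24 for the LAN at the far end of the tunnel. It assumes the router's existing `ip nat inside source` statement references access-list 10 and that the test device sends its traffic in through Fa0/1.

```cisco
! Added example, not the original poster's config. All addresses are placeholders.
!
! 1) Keep the test subnet out of NAT. In a standard ACL the deny must come
!    before the permit, so the list is rebuilt in the right order.
no access-list 10
access-list 10 deny   203.0.113.0 0.0.0.255
access-list 10 permit 192.168.1.0 0.0.0.255
!
! 2) Select the test subnet for the route-map. A standard ACL entry with no
!    wildcard mask matches a single host only, so the mask is required here.
access-list 40 permit 203.0.113.0 0.0.0.255
!
! The route-map forces matching packets to the ISP next hop instead of the
! routing table (and therefore instead of the crypto map on the outside
! interface). If test traffic and VPN traffic entered the same interface, the
! test sequence would sit first and a VPN sequence second in this same map.
route-map nonat permit 10
 match ip address 40
 set ip next-hop 198.51.100.1
!
! 3) PBR acts on packets as they enter an interface, so the policy is applied
!    on the interface the test device is connected to, not on the outside.
interface FastEthernet0/1
 ip address 203.0.113.1 255.255.255.0
 ip policy route-map nonat
 duplex auto
 speed auto
!
! Checks after applying: "show route-map nonat" shows per-sequence match
! counters, "show ip policy" confirms the map is bound to Fa0/1, and
! "show ip nat translations" should list no entries for 203.0.113.0/24.
```

Return traffic from the Internet arrives on the outside interface and follows the normal routing table back to the directly connected 203.0.113.0/24, so only the inbound side on Fa0/1 needs the policy. The permit-everything ACL 40 above is the "allow all for testing" case: once it works, replacing it with an extended ACL that denies 203.0.113.0/24 to 192.168.2.0/24 before the permit keeps traffic for the remote VPN LAN inside the tunnel instead of sending it to the ISP in the clear.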
InSearchOf (Author) commented:
Thanks for the info jesper. What IPs do you need to see? I am connecting another router to my Fa0/1 interface for a specific use which was not in use before. I want to make sure that it does not use the VPN tunnel, just goes right out to the internet. I want to allow inbound and outbound traffic from the router attached to Fa0/1. They both have public IPs assigned.
InSearchOf (Author) commented:
OK, got it to work. It required a policy-based routing map. Thanks for the help.