I have a client who has multiple sites connecting back to an HQ site. Currently all traffic is sent over the VPNs. I want to stop this, and originally thought it was a routing issue; however, the default route is pointing to the current WAN IP for this device, so I assume it is an ACL setting.
What ACL is needed to allow the internet traffic out locally and not over the VPN?
If the VPN went down, would the local site revert to sending traffic to the internet locally, or just fail to get internet access?
Part of the config is pasted below (IPs changed) - Dialer1 is the WAN interface:
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 210.145.15.60 255.255.255.255 Dialer1
ip route 210.145.15.16 255.255.255.255 Dialer1
ip tacacs source-interface Ethernet0
no ip http server
no ip http secure-server
!
!
access-list 23 permit 210.145.15.16
access-list 23 permit 210.145.15.60
access-list 23 permit 10.44.0.0 0.0.255.255
access-list 23 permit 192.168.40.0 0.0.0.255
access-list 23 permit 10.12.0.128 0.0.0.31
access-list 23 permit 172.16.0.0 0.0.255.255
access-list 23 permit 10.9.4.0 0.0.0.255
! ACL 101 matches every packet from the LAN to any destination, so the crypto map that references it sends all LAN traffic over the VPN
access-list 101 permit ip 192.168.40.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community
no cdp run
CiscoVPN
Last comment: DLeaver, 8/22/2022 (Mon)
David Johnson, CD
ip route 0.0.0.0 0.0.0.0 Ethernet0
DLeaver (Asker)
Hi David,
The default route is correct, as the interface Dialer1 is the outside interface.
I believe the reason all of the traffic is going over the VPN is the ACL entry "access-list 101 permit ip 192.168.40.0 0.0.0.255 any".
The crypto map is set to match traffic on this ACL, so my logic is that if I change the ACL so it matches only the subnets on the other side of the VPN, and remove the current entry listing "any", then it should direct internet traffic out locally.
Thoughts?
Les Moore
You are moving down the correct path, but beware that the VPN traffic match ACL on both ends has to match, or the VPN tunnel will fail to come up.
You'll also need to verify DNS entries. Do the PCs at this location belong to an Active Directory domain? You could break a lot of things if the VPN does not establish.
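The two points above (replacing the "any" entry in the crypto-map ACL, and keeping the ACL mirrored on both peers) can be checked before the change is pushed. The script below is an added example, not from this thread or any Cisco tool: it parses "access-list N permit ip ..." lines from each peer, flags an entry whose destination is "any", and reports any entry that has no mirror image on the other end. The branch LAN 192.168.40.0/24 and ACL 101 are from the post; the HQ LAN 10.44.0.0/16 and ACL number 120 are assumptions.

```python
import ipaddress

# Constructed sample ACLs (only the first line is from the original post).
CURRENT_BRANCH_ACL = "access-list 101 permit ip 192.168.40.0 0.0.0.255 any"
FIXED_BRANCH_ACL = "access-list 101 permit ip 192.168.40.0 0.0.0.255 10.44.0.0 0.0.255.255"
HQ_ACL = "access-list 120 permit ip 10.44.0.0 0.0.255.255 192.168.40.0 0.0.0.255"  # assumed HQ side


def _parse_spec(tokens, i):
    """Consume one IOS address spec (any | host A | A WILDCARD) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], int(ipaddress.IPv4Address(tokens[i + 1]))
    if (wildcard + 1) & wildcard:  # non-contiguous wildcard cannot be a CIDR block
        raise ValueError(f"non-contiguous wildcard in: {' '.join(tokens)}")
    prefix = 32 - wildcard.bit_length()  # 0.0.0.255 -> /24, 0.0.0.0 -> /32
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False), i + 2


def parse_crypto_acl(config_text):
    """Return (src, dst) network pairs from 'access-list N permit ip ...' lines."""
    pairs = []
    for line in config_text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[2:4] != ["permit", "ip"]:
            continue  # comments, deny lines and non-IP entries are not crypto matches here
        src, i = _parse_spec(tokens, 4)
        dst, _ = _parse_spec(tokens, i)
        pairs.append((src, dst))
    return pairs


def check_mirror(local_text, remote_text):
    """Return findings; an empty list means the peers' crypto ACLs mirror exactly."""
    local, remote = parse_crypto_acl(local_text), parse_crypto_acl(remote_text)
    findings = []
    for src, dst in local:
        if dst.prefixlen == 0:  # 'any' as destination drags internet traffic into the tunnel
            findings.append(f"local ACE {src} -> any matches all traffic, including internet")
        if (dst, src) not in remote:
            findings.append(f"local ACE {src} -> {dst} has no mirror on the remote peer")
    for src, dst in remote:
        if (dst, src) not in local:
            findings.append(f"remote ACE {src} -> {dst} has no mirror on the local peer")
    return findings


if __name__ == "__main__":
    print("current:", check_mirror(CURRENT_BRANCH_ACL, HQ_ACL))
    print("fixed:", check_mirror(FIXED_BRANCH_ACL, HQ_ACL))  # prints: fixed: []
```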