• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 243

CISCO L2L VPN stopping all traffic going over VPN

Evening

I have a client who has multiple sites connecting back to an HQ site.  Currently all traffic is sent over the VPNs.  I want to stop this, and originally thought it was a routing issue; however, the default route is pointing to the current WAN IP for this device, so I assume it is an ACL setting.

What ACL is needed to allow the internet traffic out locally and not over the VPN?

If the VPN went down would the local site revert sending traffic to the internet locally or just fail to get internet access?

Part of the config is pasted below (IPs changed) - Dialer1 is the WAN interface:

!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 210.145.15.60 255.255.255.255 Dialer1
ip route 210.145.15.16 255.255.255.255 Dialer1
ip tacacs source-interface Ethernet0
no ip http server
no ip http secure-server
!
!
access-list 23 permit 210.145.15.16
access-list 23 permit 210.145.15.60
access-list 23 permit 10.44.0.0 0.0.255.255
access-list 23 permit 192.168.40.0 0.0.0.255
access-list 23 permit 10.12.0.128 0.0.0.31
access-list 23 permit 172.16.0.0 0.0.255.255
access-list 23 permit 10.9.4.0 0.0.0.255
access-list 101 permit ip 192.168.40.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community
no cdp run
Asked by DLeaver
1 Solution
 
David Johnson, CD, MVP (Owner) commented:
ip route 0.0.0.0 0.0.0.0  Ethernet0
 
DLeaver (Author) commented:
Hi David

The default route is correct as the interface Dialer1 is the outside interface.

I believe the reason all of the traffic is going over the VPN is because of the ACL entry - access-list 101 permit ip 192.168.40.0 0.0.0.255 any

The crypto map is set to match traffic on this ACL, so my logic is that if I change the ACL so it matches only the subnets on the other side of the VPN, and remove the current entry listing "any", then it should direct internet traffic out locally.

Thoughts?....
 
lrmoore commented:
You are moving down the correct path, but beware that the VPN traffic-match ACL on both ends has to match or the VPN tunnel will fail to come up.
You'll also need to verify DNS entries. Do the PCs at this location belong to an Active Directory domain? You could break a lot of things if the VPN does not establish.
 
DLeaver (Author) commented:
The VPN going down is OK, as we are going to have to move away from it today anyway.  Local accounts on the devices, so access is still OK.

I noticed the config had no NAT rule, so I added

ip nat inside source list 1 interface Dialer0

and the traffic started going out of the local LAN, so that's working OK now.

I basically have to adjust the VPN at two of the sites to point to each other and not at the old central firewall. Any experience with this?
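Putting DLeaver's two changes together (narrowing the crypto ACL, from the comment above, and adding a NAT rule, from this one) as an added example in Cisco IOS syntax. This is not the poster's configuration or the thread's accepted solution. The remote HQ subnets 10.44.0.0/16 and 172.16.0.0/16 are taken from the poster's access-list 23 and are only assumed to be the networks behind the tunnel; Ethernet0 as the inside interface and the ACL name NAT-INSIDE are likewise assumptions for illustration.

```cisco
! Added example, not the original poster's config. Assumptions:
!   - local LAN 192.168.40.0/24 sits on Ethernet0 (inside)
!   - Dialer1 is the outside interface (as the poster states)
!   - 10.44.0.0/16 and 172.16.0.0/16 are the HQ networks reached via the tunnel
!     (assumed from access-list 23 in the pasted config)
!
! 1. Crypto ACL: match only LAN -> remote-subnet traffic.
!    The old "permit ip 192.168.40.0 0.0.0.255 any" line is what drags
!    every packet, internet traffic included, into the tunnel.
no access-list 101
access-list 101 remark -- interesting traffic for the L2L VPN to HQ --
access-list 101 permit ip 192.168.40.0 0.0.0.255 10.44.0.0 0.0.255.255
access-list 101 permit ip 192.168.40.0 0.0.0.255 172.16.0.0 0.0.255.255
!
! 2. NAT ACL: "deny" here means "do not translate". Tunnel-bound traffic
!    must keep its private source address or it will no longer match the
!    crypto ACL; everything else from the LAN is PATed to the Dialer1 address.
!    Order matters: the deny lines must come before the permit.
ip access-list extended NAT-INSIDE
 deny   ip 192.168.40.0 0.0.0.255 10.44.0.0 0.0.255.255
 deny   ip 192.168.40.0 0.0.0.255 172.16.0.0 0.0.255.255
 permit ip 192.168.40.0 0.0.0.255 any
!
ip nat inside source list NAT-INSIDE interface Dialer1 overload
!
interface Ethernet0
 ip nat inside
!
interface Dialer1
 ip nat outside
!
! 3. The HQ end must carry the mirror image of ACL 101 (source and
!    destination swapped) or IPsec SA negotiation fails, as lrmoore notes.
!    On the HQ router (same assumptions about subnets):
!   access-list 101 permit ip 10.44.0.0 0.0.255.255 192.168.40.0 0.0.0.255
!   access-list 101 permit ip 172.16.0.0 0.0.255.255 192.168.40.0 0.0.0.255
```

After editing a crypto ACL on a live tunnel, run `clear crypto sa` so the existing SAs are renegotiated against the new proxy identities, then check `show crypto ipsec sa` (the local/remote ident lines should show the two subnet pairs, not 0.0.0.0/0) and `show ip nat translations` for the internet-bound flows. On the second question in the original post: with the crypto ACL matching "any", a tunnel that is down does not fall back to local internet access; IOS holds or drops packets that match the crypto map while IKE tries to bring the SA up, so internet access is lost until the tunnel is re-established. With the narrowed ACL above, only HQ-bound traffic depends on the tunnel.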
 
DLeaver (Author) commented:
Found the solution myself.
