Hi,

On Fri, Aug 29, 2008 at 01:01:41PM +0200, Marc Haber wrote:
> On Fri, Aug 29, 2008 at 08:54:48AM +0800, Brett Looney wrote:
> > > ip access-list extended DefaultrouteWithoutListedNetsTunnel
> > >  deny ip 192.168.8.0 0.0.0.255 10.2.60.0 0.0.0.255
> > >  permit ip any 10.2.60.0 0.0.0.255
> > >
> > > But packets to 192.168.8.1 still go out through the tunnel.
> >
> > Well, yeah. Because it matches the access list. From the sounds of it, you
> > need to list each local network specifically in the access list so it won't
> > match. <obvious>That will be tricky.</obvious>
>
> The following perl script will generate the appropriate access list:
> #!/usr/bin/perl -w
<snip>

I need to re-hash the issue, I am afraid. As a reminder: I want to use the
Cisco VPN Client to connect to an 1841 router (running IOS 12.4(9)T4), while
routing everything into the tunnel with the exception of a few nets.

My configuration:

crypto isakmp client configuration group InternClient
 key <snip>
 dns 10.1.2.11 10.1.2.15
 wins 10.1.2.11 10.1.2.15
 pool ippool
 acl DefaultRouteWithoutListedNetsTunnelWorkaround
ip access-list extended DefaultRouteWithoutListedNetsTunnelWorkaround
 remark - this should be deny ip 10.20.30.0 0.0.0.31 any
 remark - this should be deny ip 10.1.10.0 0.0.0.255 any
 remark - this should be deny ip 192.168.8.0 0.0.0.255 any
 permit ip 0.0.0.0 7.255.255.255 any
 permit ip 8.0.0.0 1.255.255.255 any
 permit ip 10.0.0.0 0.0.255.255 any
 permit ip 10.1.0.0 0.0.7.255 any
 permit ip 10.1.8.0 0.0.1.255 any
 permit ip 10.1.11.0 0.0.0.255 any
 permit ip 10.1.12.0 0.0.3.255 any
 <snip>

Unfortunately, the ACL cannot contain any "deny" statements (evaluation seems
to stop after the first "deny"), so I wrote a script to generate an access
list that permits everything but the few nets. However, it looks like only the
first 50 entries of the ACL are actually transmitted to the client and show up
in its routing table, so everything "permitted" in the "late" steps of the ACL
ends up outside of the tunnel.

Is there any possibility to increase that 50 limit?

Greetings
Marc
-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 3221 2323190
_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
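Editor's note, added example (not Marc's Perl script and not from the thread): the generator below reproduces the "permit everything except these nets" ACL from the three networks named in the post's remark lines, and shows why the workaround collides with the 50-entry figure Marc reports. Carving three exclusions out of 0.0.0.0/0 yields 60 CIDR blocks, so ten of them sit past entry 50. The 50-entry limit is taken from the post as observed behaviour, not verified here; the ACL name and the wildcard-mask rendering follow the configuration quoted above.

```python
"""Split-tunnel ACL generator: permit all of 0.0.0.0/0 except a few networks.

Cisco extended ACL entries carry a wildcard mask (the inverse of the
netmask), so 10.1.0.0/21 is written "10.1.0.0 0.0.7.255". Python's
ipaddress exposes that inverse mask as IPv4Network.hostmask.
"""
from ipaddress import IPv4Network

# The three networks the post's "remark - this should be deny ..." lines name.
EXCLUDED = [
    IPv4Network("10.20.30.0/27"),   # 10.20.30.0 0.0.0.31
    IPv4Network("10.1.10.0/24"),    # 10.1.10.0 0.0.0.255
    IPv4Network("192.168.8.0/24"),  # 192.168.8.0 0.0.0.255
]

# Number of ACL entries the post says the router pushes to the VPN client.
# Assumption taken from the post's observation, not verified against IOS.
CLIENT_ACL_LIMIT = 50


def complement(excluded, universe=IPv4Network("0.0.0.0/0")):
    """Sorted CIDR blocks covering `universe` minus every network in `excluded`.

    Each exclusion is carved out of whichever block currently contains it;
    blocks that fall entirely inside an exclusion are dropped.
    """
    blocks = [universe]
    for net in excluded:
        next_blocks = []
        for block in blocks:
            if net.subnet_of(block):
                # address_exclude yields the pieces of `block` outside `net`
                # (and nothing at all when block == net).
                next_blocks.extend(block.address_exclude(net))
            elif block.subnet_of(net):
                continue  # fully covered by the exclusion: drop it
            else:
                next_blocks.append(block)
        blocks = next_blocks
    return sorted(blocks)


def acl_entry(block):
    """Render one block as an IOS extended ACL permit line (wildcard mask)."""
    return f"permit ip {block.network_address} {block.hostmask} any"


def split_tunnel_acl(excluded):
    """ACL lines permitting all traffic except the excluded networks."""
    return [acl_entry(b) for b in complement(excluded)]


def beyond_limit(entries, limit=CLIENT_ACL_LIMIT):
    """Entries past the client-side limit: destinations that would be left
    outside the tunnel if only the first `limit` entries reach the client."""
    return entries[limit:]


if __name__ == "__main__":
    acl = split_tunnel_acl(EXCLUDED)
    print("ip access-list extended DefaultRouteWithoutListedNetsTunnelWorkaround")
    for line in acl:
        print(" " + line)
    lost = beyond_limit(acl)
    print(f"! {len(acl)} entries, {len(lost)} past entry {CLIENT_ACL_LIMIT}")
```

Running it prints the same first seven permit lines as the quoted configuration, then continues to 60 entries; the ten that fall past the 50-entry mark start at 192.170.0.0/15 and run through 224.0.0.0/3, which is exactly the "late steps" traffic Marc sees leaving the tunnel. The entry count grows with the prefix length of each exclusion (roughly one block per bit, minus shared prefix bits), so every additional /24 carved out adds up to 24 more lines.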