just a quick comment or two.

you are writing as if you need to do something on your routers other than
change the gateway of last resort.

ip route 0.0.0.0 0.0.0.0 goes where?

without getting into the intricacies, if you are introducing a new firewall
into the "europe" domain, your router should have a default route pointing
to the inside address of the firewall. no other configuration is required.
the firewall does all the filtering. no access lists. etc. at least not as
related to firewall stuff.

your router would redistribute the default route information, or not, as
needed.

your hosts would use the particular router as their default gateway.

if you are using your router as the firewall, then I have to ask - what
happens if that device is compromised - do you really want some hacker to
then be in the middle of your network?

--

www.chuckslongroad.info
like my web site?
take the survey!



"CTM CTM" wrote in message news:[EMAIL PROTECTED]...
> Hello all,
>
> Continuing my quest to unravel that which was left behind, I am now at the
> following conclusion:
>
> Europe is on subnet 172.29.30.0
> U.S. is on subnet 192.168.100.0
>
> Europe office has a 512k portal to the internet, public IP gateway being
> 1.2.3.4 (made up of course, is in 217.x.x.x range)
> U.S. public IP is 6.7.8.9
> However, it has been configured for all Europe internet traffic to be routed
> through U.S. office (for purposes of going through a firewall, which wasn't
> in place anyways). This has left Europe office with effective internet
> speeds of 
> Now I want them to use their own internet portal and I believe I need to
> reconfigure access lists to allow it.
>
> Here are my lists:
>
> ip nat inside source list 101 interface Ethernet0 overload
> ip kerberos source-interface any
> ip classless
> ip route profile
> ip route 0.0.0.0 0.0.0.0 1.2.3.4
> ip route 172.29.40.0 255.255.255.0 192.168.100.15
> ip http server
> !
> access-list 100 permit ip 172.29.30.0 0.0.0.255 6.7.8.9 0.0.0.31
> access-list 100 permit ip 172.29.30.0 0.0.0.255 192.168.100.0 0.0.0.255
> access-list 101 deny   ip 172.29.30.0 0.0.0.255 6.7.8.9 0.0.0.31
> access-list 101 deny   ip 172.29.30.0 0.0.0.255 192.168.100.0 0.0.0.255
> access-list 101 permit ip 172.29.30.0 0.0.0.255 any
>
> interface Ethernet0
>  description connected to Internet
>  ip address 1.2.3.5 255.255.255.248     gateway
>  ip nat outside
>  no ip route-cache
>  no ip mroute-cache
>  half-duplex
>  crypto map cm-cryptomap
>
> And here's what I *think* I need to do:
>
> no ip route 0.0.0.0 0.0.0.0 1.2.3.4
> ip route 172.29.30.0 255.255.255.0 1.2.3.4
> access-list 100 permit ip 172.29.30.0 0.0.0.255 1.2.3.4
>
> For the last line I would actually need to clear all access lists ( no
> access-list 100..... is the command?) and then reenter to preserve the
> order?
>
> Does it sound like I'm close to what I need to do?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54907&t=54901
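
An added example, not part of either post: the question about re-entering access lists "to preserve the order" comes down to first-match evaluation with wildcard masks, shown here on ACL 101 from the quoted configuration (the list referenced by `ip nat inside source list 101`, where a permit selects traffic for translation). The function names and the sample flows are constructed for illustration.

```python
import ipaddress

# ACL 101 copied from the quoted post (the poster's made-up addresses).
ACL_101 = """\
access-list 101 deny   ip 172.29.30.0 0.0.0.255 6.7.8.9 0.0.0.31
access-list 101 deny   ip 172.29.30.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 permit ip 172.29.30.0 0.0.0.255 any
"""

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def parse_acl(text):
    """Return [(action, (src, wildcard), (dst, wildcard))] in configured order."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        action, rest, specs = tok[2], tok[4:], []
        while rest:
            if rest[0] == "any":          # any == 0.0.0.0 255.255.255.255
                specs.append((0, 0xFFFFFFFF))
                rest = rest[1:]
            else:                          # address followed by wildcard mask
                specs.append((_ip(rest[0]), _ip(rest[1])))
                rest = rest[2:]
        entries.append((action, specs[0], specs[1]))
    return entries

def _matches(addr, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF          # wildcard bit 1 = "don't care"
    return (_ip(addr) & care) == (base & care)

def evaluate(entries, src, dst):
    """First matching entry wins; nothing matching hits the implicit deny."""
    for action, src_spec, dst_spec in entries:
        if _matches(src, src_spec) and _matches(dst, dst_spec):
            return action
    return "deny"

if __name__ == "__main__":
    acl = parse_acl(ACL_101)
    # Constructed sample flows; 198.51.100.7 is a documentation address.
    for src, dst in [("172.29.30.10", "192.168.100.20"),
                     ("172.29.30.10", "198.51.100.7")]:
        print(src, "->", dst, ":", evaluate(acl, src, dst))
    # Same entries with the permit entered first: the denies never match.
    print("reordered:", evaluate(acl[::-1], "172.29.30.10", "192.168.100.20"))
```

With the entries in the posted order, Europe-to-U.S. traffic hits a deny before the broad permit; entered in the opposite order, the permit matches first and the two deny lines are never reached.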