I just lost a major reply that I had composed due to a computer lockup. So
shorter reply this time.
The static route that your European router has is correct as it is. It takes
all traffic for which it doesn't have an explicit route and passes it out to
the Internet. I'm assuming that the IP address 1.2.3.4 is a valid address of
an interface on your European ISP's router. So all traffic to the Internet
from your European office goes to their local European ISP.
Look at the syntax of a static route: destination network, netmask to
determine what bits identify the network, egress port. The first 0.0.0.0 means
all networks. The second 0.0.0.0 means all hosts. 1.2.3.4 seems to be your
European ISP.

ip route 0.0.0.0 0.0.0.0 1.2.3.4

is a good default route.
If you were to use 172.29.30.0 255.255.255.0 1.2.3.4 you would be telling
your router to find its LAN network out on the Internet. The router knows
better. It already has that network shown as directly connected. Do a "show
ip route" to verify.
Your statement that "However, it has been configured for all Europe internet
traffic to be routed through U.S. office ..." doesn't agree with the
configuration. Access-list 100 would have to send all traffic over the VPN.
It doesn't.

To verify that, check the path that traffic to the Internet takes from your
remote office. From the DOS prompt of a European PC, ping a web site such as
Cisco: ping cisco.com. You should get a reply like 198.133.219.25. Again
from the DOS prompt do a tracert to that address. It should display the
intermediate routers. I'll bet that traffic from Europe goes out that router
to the local ISP.

No time to repeat my lost sermon on named access-lists.
Access-list 100 defines traffic that is allowed to traverse the VPN.
Access-list 101 specifies that traffic bound for the VPN tunnel should not
be NATed. All other traffic (to the ip nat outside interface (usually
Internet)) should be NATed.
For every permit statement in 100 there should be a corresponding deny in
101. 101 in addition then permits all other destinations.

Here's a tutorial on access-lists http://www.nwc.com/907/907ws1.html 

Be extremely careful about changing access-lists in the European router. If
you edit 100 you will take the VPN down. Not good if you are connected via
that VPN. Telnet to the 217.x.x.x interface of the European router from your
local router.
Consider using the "reload in" command. I've mentioned it previously. Look
it up in the Cisco documentation on www.cisco.com.

The Firewall feature set can be used on a router with NAT and with VPNs. Not
trivial.

It would be good to remove the "ip http server" line.

Let us know your progress. 

May I suggest that you purchase a few books. You may only need a small bit
of them, but "Routing TCP/IP Vol 1" by Jeff Doyle is a classic. "Cisco Access
Lists Field Guide" by Held and Hundley is quite good. It's also all on CCO -
you just have to find it. Start under Service and Support and go to the TAC
page. Look under each major area. Drill down just to see what's there.

> -----Original Message-----
> From: CTM CTM [mailto:[EMAIL PROTECTED]]
> Sent: Friday, October 04, 2002 3:10 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Access List Change [7:54901]
> 
> 
> Hi,
> 
> The router was purchased along with the Cisco firewall 
> software license. I
> figured to implement that? Otherwise I could put ISA on the 
> server out there.
> 
> The security concerns are duly noted, and I won't leave the 
> office on public
> until addressed. That being said; to get them to use their 
> own internet
> portal direct I would do a:
> 
> ip route 172.29.30.0 255.255.255.0 1.2.3.4
> 
> and do a:
> 
> no ip route  0.0.0.0 0.0.0.0
> 
> is that correct?
> 
> BTW, and don't laugh, I put in that last route chasing down a CPU
> utilization issue. The router was typically at 34% 
> utilization. Doing some
> research and I found that maybe packets to unclaimed 
> addresses were looping
> between internal network and ISP, and that line would throw 
> them in the bit
> bucket. So that was way out in left field wasn't it. I did solve the
> utilization issue; there was an unused ADSL module, when I 
> had that pulled
> it went down to normal.
> 
> Chuck's Long Road wrote:
> > 
> > just a quick comment or two.
> > 
> > you are writing as if you need to do something on your routers
> > other than
> > change the gateway of last resort.
> > 
> > ip route 0.0.0.0 0.0.0.0 goes where?
> > 
> > without getting into the intricacies, if you are introducing a
> > new firewall
> > into the "europe" domain, your router should have a default
> > route pointing
> > to the inside address of the firewall. no other configuration
> > is required.
> > the firewall does all the filtering. no access lists. etc. at
> > least not as
> > related to firewall stuff.
> > 
> > your router would redistribute the default route information,
> > or not, as
> > needed.
> > 
> > your hosts would use the particular router as their default
> > gateway.
> > 
> > if you are using your router as the firewall, then I have to
> > ask - what
> > happens if that device is compromised - do you really want some
> > hacker to
> > then be in the middle of your network?
> > 
> > --
> > 
> > www.chuckslongroad.info
> > like my web site?
> > take the survey!
> > 
> > 
> > 
> > ""CTM CTM""  wrote in message
> > news:[EMAIL PROTECTED]...
> > > Hello all,
> > >
> > > Continuing my quest to unravel that which was left behind, I
> > am now at the
> > > following conclusion:
> > >
> > > Europe is on subnet 172.29.30.0
> > > U.S. is on subnet 192.168.100.0
> > >
> > > Europe office has a 512k portal to the internet, public IP
> > gateway being
> > > 1.2.3.4 (made up of course, is in 217.x.x.x range)
> > > U.S. public IP is 6.7.8.9
> > > However, it has been configured for all Europe internet
> > traffic to be
> > routed
> > > through U.S. office (for purposes of going through a
> > firewall, which
> > wasn't
> > > in place anyways). This has left Europe office with effective
> > internet
> > > speeds of  >
> > > Now I want them to use their own internet portal and I
> > believe I need to
> > > reconfigure access lists to allow it.
> > >
> > > Here are my lists:
> > >
> > > ip nat inside source list 101 interface Ethernet0 overload
> > > ip kerberos source-interface any
> > > ip classless
> > > ip route profile
> > > ip route 0.0.0.0 0.0.0.0 1.2.3.4
> > > ip route 172.29.40.0 255.255.255.0 192.168.100.15
> > > ip http server
> > > !
> > > access-list 100 permit ip 172.29.30.0 0.0.0.255 6.7.8.9
> > 0.0.0.31
> > > access-list 100 permit ip 172.29.30.0 0.0.0.255 192.168.100.0
> > 0.0.0.255
> > > access-list 101 deny   ip 172.29.30.0 0.0.0.255 6.7.8.9
> > 0.0.0.31
> > > access-list 101 deny   ip 172.29.30.0 0.0.0.255 192.168.100.0
> > 0.0.0.255
> > > access-list 101 permit ip 172.29.30.0 0.0.0.255 any
> > >
> > > interface Ethernet0
> > >  description connected to Internet
> > >  ip address 1.2.3.5 255.255.255.248     above public
> > > gateway
> > >  ip nat outside
> > >  no ip route-cache
> > >  no ip mroute-cache
> > >  half-duplex
> > >  crypto map cm-cryptomap
> > >
> > > And here's what I *think* I need to do:
> > >
> > > no ip route 0.0.0.0 0.0.0.0 1.2.3.4
> > > ip route 172.29.30.0 255.255.255.0 1.2.3.4
> > > access-list 100 permit ip 172.29.30.0 0.0.0.255 1.2.3.4
> > >
> > > For the last line I would actually need to clear all access
> > lists ( no
> > > access-list 100..... is the command?) and then reenter to
> > preserve the
> > > order?
> > >
> > > Does it sound like I'm close to what I need to do?
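As an added illustration (not part of this thread, and not the poster's or Cisco's code), the following Python models first-match evaluation of the two access-lists from the quoted configuration and the rule from the reply above that every permit in 100 needs a matching deny in 101. It shows that Europe's traffic to cisco.com's 198.133.219.25 falls through ACL 100 (so it is never offered to the crypto map) and is permitted by ACL 101 (so it is NATed out Ethernet0 to the local ISP). The access-list lines are the thread's own, rejoined after the mail wrapping; the function names are assumptions of this example.

```python
import ipaddress

# Constructed sample: ACL 100 (crypto "interesting traffic") and ACL 101 (NAT
# exemption) as posted in the thread, with the wrapped lines joined back up.
ACL_CONFIG = """
access-list 100 permit ip 172.29.30.0 0.0.0.255 6.7.8.9 0.0.0.31
access-list 100 permit ip 172.29.30.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 deny   ip 172.29.30.0 0.0.0.255 6.7.8.9 0.0.0.31
access-list 101 deny   ip 172.29.30.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 permit ip 172.29.30.0 0.0.0.255 any
"""

def _addr(tokens):
    """Consume one address spec (any | host A | A wildcard) -> ip_network."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # A Cisco wildcard is an inverted netmask: 0.0.0.255 -> 255.255.255.0.
    mask = ".".join(str(255 - int(o)) for o in tokens.pop(0).split("."))
    return ipaddress.ip_network(f"{t}/{mask}", strict=False)

def parse_acls(config):
    """Return {acl_number: [(action, src_net, dst_net), ...]} in config order."""
    acls = {}
    for line in config.strip().splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[3] != "ip":
            continue  # only extended 'ip' entries are modelled here
        rest = tok[4:]
        src = _addr(rest)
        dst = _addr(rest)
        acls.setdefault(tok[1], []).append((tok[2], src, dst))
    return acls

def evaluate(acl, src_ip, dst_ip):
    """First-match evaluation, with the implicit deny at the end of every ACL."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return next((a for a, src, dst in acl if s in src and d in dst), "deny")

def classify(acls, src_ip, dst_ip):
    """What the router does with a flow: encrypt it, NAT it, or neither."""
    if evaluate(acls["100"], src_ip, dst_ip) == "permit":
        return "vpn"
    if evaluate(acls["101"], src_ip, dst_ip) == "permit":
        return "nat"
    return "neither"

def mirror_gaps(crypto_acl, nat_acl):
    """Permits in the crypto ACL that lack the matching deny in the NAT ACL."""
    denies = {(s, d) for a, s, d in nat_acl if a == "deny"}
    return [(s, d) for a, s, d in crypto_acl if a == "permit" and (s, d) not in denies]
```

Note that 6.7.8.9 with wildcard 0.0.0.31 is stored as the block 6.7.8.0/27, exactly as IOS would normalise it in "show access-lists".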

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54924&t=54901