837 Config Problem

Hi,

I might be totally wrong here or there may be another way of doing this but the first thing that comes to my mind is "route-maps".

Is it just www traffic that you want to go through the tunnel? What other network services does the remote network need?

Do you want ALL outbound traffic to go through the tunnel? This will determine the route-map settings.

Let us know!

Rob

Reply to
RobO

Scenario.

I have a site that needs to get access to servers on the HO LAN. I have the VPN up and working; the issue I now have is this.

I would like to basically block anything going to the internet from the remote site, so Internet traffic has to go across the VPN to the HO proxy.

So far I've been unsuccessful in doing this.

> Current configuration : 2713 bytes
> !
> version 12.2
> no service pad
> service timestamps debug uptime
> service timestamps log uptime
> service password-encryption
> !
> hostname Router
> !
> logging queue-limit 100
> enable secret 5 $1$504R$nuaE.tPwutGTWmPRfIKK81
> !
> username all
> username CRWS_Vijay privilege 15 password 7 ************
> !
> ip subnet-zero
> ip dhcp excluded-address 10.50.4.1 10.50.4.10
> !
> ip dhcp pool DHCPPool
>    network 10.50.4.0 255.255.255.0
>    default-router 10.50.4.1
>    netbios-name-server 10.40.1.30 10.40.1.31
>    dns-server 10.40.1.30 10.40.1.31
> !
> !
> ip inspect name Store tcp
> ip inspect name Store udp
> ip inspect name Store http
> ip audit notify log
> ip audit po max-events 100
> no ftp-server write-enable
> !
> !
> !
> !
> crypto isakmp policy 10
>  encr 3des
>  hash md5
>  authentication pre-share
>  group 2
> crypto isakmp key 0 St0r3f0ursh4r3DK33 address
> !
> !
> crypto ipsec transform-set KGTrans esp-3des esp-md5-hmac
> !
> crypto map KG 10 ipsec-isakmp
>  set peer
>  set transform-set KGTrans
>  match address 105
> !
> !
> !
> !
> interface Loopback0
>  ip address 255.255.255.255
> !
> interface Ethernet0
>  ip address 10.50.4.1 255.255.255.0
>  ip nat inside
>  ip inspect Store in
>  hold-queue 100 out
> !
> interface ATM0
>  bandwidth 288
>  no ip address
>  no ip mroute-cache
>  no atm ilmi-keepalive
>  pvc 0/38
>   encapsulation aal5mux ppp dialer
>   dialer pool-member 1
>  !
>  dsl operating-mode auto
>  hold-queue 224 in
> !
> interface Dialer1
>  ip unnumbered Loopback0
>  ip access-group 101 in
>  ip nat outside
>  encapsulation ppp
>  no ip route-cache
>  no ip mroute-cache
>  dialer pool 1
>  dialer-group 1
>  ppp chap hostname
>  ppp chap password 7
>  crypto map KG
> !
> ip nat inside source list 199 interface Loopback0 overload
> ip classless
> ip route 0.0.0.0 0.0.0.0 Dialer1
> ip http server
> no ip http secure-server
> !
> access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
> access-list 101 deny   ip 224.0.0.0 31.255.255.255 any
> access-list 101 permit icmp any any echo-reply
> access-list 101 permit udp host 62.140.209.182 eq isakmp any eq isakmp
> access-list 101 permit esp host 62.140.209.182 any
> access-list 101 deny   tcp 10.50.4.0 0.0.0.255 eq www any eq www
> access-list 101 permit ip 10.0.0.0 0.255.255.255 10.50.0.0 0.0.255.255
> access-list 101 permit tcp host 194.200.174.18 any eq telnet
> access-list 101 permit ip host 194.200.174.28 any
> access-list 105 permit ip 10.50.4.0 0.0.0.255 10.0.0.0 0.255.255.255
> access-list 105 permit tcp 10.50.4.0 0.0.0.255 eq www any eq www
> access-list 199 deny   ip 10.50.4.0 0.0.0.255 10.0.0.0 0.255.255.255
> access-list 199 permit ip 10.50.4.0 0.0.0.255 any
> !
> line con 0
>  exec-timeout 120 0
>  no modem enable
>  stopbits 1
> line aux 0
>  stopbits 1
> line vty 0 4
>  exec-timeout 120 0
>  password 7 *******
>  login
>  length 0
> !
> scheduler max-task-time 5000
> !
> end

I can't see what I've missed or not done.....

Ideas anyone??

Reply to
paulb4
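What the posted configuration actually does, and one way to get the intended result, as an added example that is not part of the original thread. Reading the config above: access-list 101 is applied inbound on Dialer1, so its "deny tcp 10.50.4.0 0.0.0.255 eq www any eq www" line only sees packets arriving from the ISP and never touches web traffic leaving the LAN. The second line of crypto ACL 105 matches a source port of 80; a client's HTTP request has an ephemeral source port and destination port 80, so it does not match, falls through to the "permit ip 10.50.4.0 0.0.0.255 any" line of NAT ACL 199, gets translated and leaves via the default route to Dialer1 in the clear. The fragment below assumes the HO proxy sits inside 10.0.0.0/8 (the DHCP pool hands out DNS servers on 10.40.1.0/24, which makes that plausible, but it is an assumption) and that the remote PCs are configured to use that proxy explicitly. Web requests are then addressed to the proxy, already match the first line of ACL 105 and are already excluded from NAT by the first line of ACL 199; what remains is to refuse everything else at the LAN edge. The ACL name LAN-IN is made up for this example.

```cisco
! Added example, not the poster's configuration. Assumes the HO proxy is inside
! 10.0.0.0/8 and clients are set to use it explicitly (browser/WPAD setting).
!
! 1. Crypto ACL: only site-to-HO traffic is "interesting". The "eq www" line is
!    dropped: it matched source port 80, which client requests never carry, and a
!    tunnel to "any" could not be mirrored on the HO peer anyway.
no access-list 105
access-list 105 permit ip 10.50.4.0 0.0.0.255 10.0.0.0 0.255.255.255
!
! 2. Enforce the policy where the traffic enters: an inbound ACL on the LAN side.
!    Inbound LAN ACLs are evaluated before routing and NAT, so the existing
!    "permit ... any" in NAT ACL 199 is never reached for non-HO destinations.
!    DHCP to the router itself is permitted explicitly (source 0.0.0.0 -> broadcast).
ip access-list extended LAN-IN
 remark allow clients to obtain DHCP leases from this router
 permit udp any eq bootpc any eq bootps
 remark HO LAN (servers, proxy, DNS, WINS) via the IPsec tunnel
 permit ip 10.50.4.0 0.0.0.255 10.0.0.0 0.255.255.255
 remark everything else, including direct Internet access, is dropped and logged
 deny   ip any any log
!
interface Ethernet0
 ip access-group LAN-IN in
!
! 3. Existing IPsec SAs were built from the old ACL 105; clear them so they are
!    renegotiated under the new match list.
end
clear crypto sa
```

After applying it, `show access-lists LAN-IN` should show hits on the permit lines and, once a PC tries to browse without the proxy set, on the logged deny; `show crypto ipsec sa` should list only the 10.50.4.0/24 to 10.0.0.0/8 pair. Two things worth fixing regardless of the routing question: the ISAKMP pre-shared key is in cleartext in the posted config ("crypto isakmp key 0 ...") and an enable secret hash was posted alongside it, so both are now public and should be rotated; and "ip http server" is reachable from 194.200.174.28 through ACL 101's "permit ip host 194.200.174.28 any", so turn it off with "no ip http server" unless it is actually used.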

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.