Cisco 2851 routing question

Status
Not open for further replies.

rswift

Technical User
Oct 14, 2002
55
US
The remote site 10.254.77 network internet traffic goes through a VPN concentrator to get to the internet. The 10.254.88 network is for phone. I am trying to send the 10.254.88 network directly to the internet and not go through the VPN concentrator at the corporate office.
Config file below (IP scheme changed from original)
Any thoughts?

Thanks

service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname FLDBS_VOIP_2851_01
!
boot-start-marker
boot-end-marker
!
card type t1 0 0
logging buffered 4096 debugging
enable secret 5 xxxxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login lauthen local
aaa authorization network lauthor local
!
aaa session-id common
memory-size iomem 15
clock timezone EST -5
clock summer-time EDT recurring
network-clock-participate wic 0
no ip source-route
no ip gratuitous-arps
!
!
ip cef
ip cef accounting per-prefix prefix-length
no ip dhcp use vrf connected
ip dhcp excluded-address 10.254.88.1 10.254.88.20
!
ip dhcp pool DB-Voice
network 10.34.8.0 255.255.255.0
default-router 10.34.8.1
option 150 ip 10.34.8.10
dns-server 10.254.77.14 10.254.77.13 10.150.1.72
!
!
no ip bootp server
no ip domain lookup
ip domain name fldbs.net
ip name-server 10.254.77.14
ip name-server 10.254.77.13
ip name-server 10.150.1.72
!
isdn switch-type primary-dms100
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-1708964782
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1708964782
revocation-check none
rsakeypair TP-self-signed-1708964782
!
!
crypto pki certificate chain TP-self-signed-1708964782
certificate self-signed 01
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXxxx
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXxx
69408467 A284D4A9 7FFFD2EF 01F3F19D D6882A56 31DF1A94
quit
username XXXXX privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
!
controller T1 0/0/0
framing esf
linecode b8zs
pri-group timeslots 1-24 service mgcp
description *** AT&T Centrex PRI, Circuit ID XXXXXXXXXXXX, 888-245-0077 ***
!
controller T1 0/0/1
framing esf
linecode b8zs
pri-group timeslots 1-24 service mgcp
description *** AT&T Centrex PRI, Circuit ID XXXXXXXXXXXX, 888-245-0077 ***
!
ip telnet source-interface GigabitEthernet0/0
ip ssh time-out 60
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxxxxxxxx address 150.172.88.249 no-xauth
!
crypto isakmp client configuration group RemoteAccess
key xxxxxx
pool VPNPool
acl VPN-Split-Tunnel
!
!
crypto ipsec transform-set to_vpn esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set to_vpn
!
!
crypto map to_vpn client authentication list lauthen
crypto map to_vpn isakmp authorization list lauthor
crypto map to_vpn client configuration address respond
crypto map to_vpn 10 ipsec-isakmp
set peer 150.172.88.249
set transform-set to_vpn
match address 101
crypto map to_vpn 20 ipsec-isakmp dynamic dynmap
!
!
!
!
interface GigabitEthernet0/0
description OUTSIDE INTERFACE (Untrusted)
ip address 74.192.69.18 255.255.255.224
no ip mroute-cache
duplex full
speed 100
no keepalive
no cdp enable
crypto map to_vpn
!
interface GigabitEthernet0/1
description INSIDE INTERFACE (Trusted)
ip address 10.254.77.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface GigabitEthernet0/1.8
description VOICE VLAN
encapsulation dot1Q 8
ip address 10.254.88.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Serial0/0/0:23
no ip address
encapsulation hdlc
isdn switch-type primary-dms100
isdn incoming-voice voice
isdn supp-service name calling
isdn bind-l3 ccm-manager
no cdp enable
!
interface Serial0/0/1:23
no ip address
encapsulation hdlc
isdn switch-type primary-dms100
isdn incoming-voice voice
isdn supp-service name calling
isdn bind-l3 ccm-manager
no cdp enable
!
ip local pool VPNPool 172.16.255.1 172.16.255.10
ip default-gateway 74.191.68.17
ip route 0.0.0.0 0.0.0.0 74.191.68.17
!
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip access-list extended VPN-Split-Tunnel
permit ip 10.254.0.0 0.0.255.255 172.16.255.0 0.0.0.255
!
logging trap errors
logging 10.105.1.187
access-list 1 permit 150.176.8.249
access-list 101 permit ip 10.254.77.0 0.0.0.255 any
access-list 101 permit ip 10.254.88.0 0.0.0.255 any
access-list 110 deny ip 10.254.88.0 0.0.0.255 any
access-list 110 deny ip 10.254.77.0 0.0.0.255 any
snmp-server community k3yst0n3 RW
!
route-map nonat permit 10
match ip address 110
!
!
!
!
control-plane
!
!
!
voice-port 0/0/0:23
!
voice-port 0/1/0
!
voice-port 0/1/1
!
voice-port 0/1/2
!
voice-port 0/1/3
!
voice-port 0/0/1:23
!
voice-port 0/2/0
!
voice-port 0/2/1
!
voice-port 0/2/2
!
voice-port 0/2/3
!
voice-port 2/0/0
!
voice-port 2/0/1
!
voice-port 2/0/2
!
voice-port 2/0/3
!
voice-port 2/0/4
!
voice-port 2/0/5
!
voice-port 2/0/6
!
voice-port 2/0/7
!
ccm-manager fallback-mgcp
ccm-manager redundant-host 10.34.8.10
ccm-manager mgcp
ccm-manager music-on-hold
ccm-manager config server 10.34.8.11
ccm-manager config
!
mgcp
mgcp call-agent 10.254.88.11 2427 service-type mgcp version 0.1
mgcp dtmf-relay voip codec all mode out-of-band
mgcp rtp unreachable timeout 1000 action notify
mgcp modem passthrough voip mode nse
mgcp package-capability rtp-package
mgcp package-capability sst-package
mgcp package-capability pre-package
no mgcp package-capability res-package
no mgcp package-capability fxr-package
no mgcp timer receive-rtcp
mgcp sdp simple
mgcp fax t38 inhibit
mgcp rtp payload-type g726r16 static
mgcp bind control source-interface GigabitEthernet0/1.8
mgcp bind media source-interface GigabitEthernet0/1.8
!
mgcp profile default
!
sccp local GigabitEthernet0/1.8
sccp ccm 10.254.88.10 identifier 2
sccp ccm 10.254.88.11 identifier 1
!
!
dial-peer voice 2 pots
service mgcpapp
port 0/0/1:23
!
dial-peer voice 1 pots
service mgcpapp
port 0/0/0:23
!
!
!
!
call-manager-fallback
secondary-dialtone 9
max-conferences 16 gain -6
transfer-system full-consult
timeouts interdigit 3
ip source-address 10.254.88.1 port 2000
max-ephones 96
max-dn 288 dual-line
system message primary Limited Functionality Mode
keepalive 10
time-zone 13
!
banner motd ^C
Access to this device is limited to authorized persons only. All efforts
to achieve access, whether direct or indirect, are subject to monitoring
activities. Unauthorized access is prohibited and will be subject to
incident reporting procedures including notification of local, state and
federal authorities.

^C
!
line con 0
logging synchronous
line aux 0
stopbits 1
speed 115200
flowcontrol hardware
line vty 0 4
session-timeout 120
privilege level 15
password 7 xxxxxxxxxxxxxxxx
logging synchronous
transport preferred telnet
transport input telnet ssh
line vty 5 15
privilege level 15
logging synchronous
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp clock-period 17179800
ntp master 5
ntp server 128.9.176.30
ntp server 209.81.9.7
!
end
 
ip access-list extended VPN-Split-Tunnel
permit ip 10.254.0.0 0.0.255.255 172.16.255.0 0.0.0.255

Take the voice vlan out of the above statement and try it.
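
Added example (not part of the thread or the poster's configuration): a Python check that traces which access lists in the posted config are referenced by the static crypto map entry versus the remote-access client group, and whether a given source subnet is selected for the tunnel. The `CONFIG` excerpt is constructed from lines in the post; the function names are illustrative, and only `ip <network> <wildcard>` sources are parsed.

```python
import ipaddress
import re

# Constructed excerpt: the lines of the posted config that reference or define ACLs.
CONFIG = """\
crypto isakmp client configuration group RemoteAccess
 acl VPN-Split-Tunnel
crypto map to_vpn 10 ipsec-isakmp
 match address 101
ip access-list extended VPN-Split-Tunnel
 permit ip 10.254.0.0 0.0.255.255 172.16.255.0 0.0.0.255
access-list 101 permit ip 10.254.77.0 0.0.0.255 any
access-list 101 permit ip 10.254.88.0 0.0.0.255 any
"""
ENTRY = re.compile(r"(permit|deny) ip (\S+) (\S+)")  # source given as net + wildcard only

def acl_entries(config):
    """Map ACL name -> [(action, source network)] for numbered and named ACLs."""
    acls, name = {}, None
    for line in map(str.strip, config.splitlines()):
        body = line
        if m := re.match(r"access-list (\d+) (.+)", line):
            name, body = m.groups()
        elif m := re.match(r"ip access-list extended (\S+)", line):
            name = m.group(1)
        elif not line.startswith(("permit", "deny")):
            name = None  # any other command ends a named-ACL block
        if name and (e := ENTRY.match(body)):
            src = ipaddress.ip_network(f"{e.group(2)}/{e.group(3)}")  # wildcard = host mask
            acls.setdefault(name, []).append((e.group(1), src))
    return acls

def acl_roles(config):
    """Map ACL name -> 'crypto' (crypto map selector) or 'client-split' (client group)."""
    roles = {}
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"match address (\S+)", line):
            roles[m.group(1)] = "crypto"
        elif m := re.match(r"acl (\S+)", line):
            roles[m.group(1)] = "client-split"
    return roles

def tunnel_selectors(config, subnet):
    """Crypto-map ACLs whose first entry matching this source subnet is a permit."""
    net, acls = ipaddress.ip_network(subnet), acl_entries(config)
    def first(name):
        return next((a for a, s in acls.get(name, []) if net.subnet_of(s)), None)
    return [n for n, r in acl_roles(config).items() if r == "crypto" and first(n) == "permit"]
```

With the excerpt as posted, `tunnel_selectors(CONFIG, "10.254.88.0/24")` returns `["101"]`, the list named by `match address 101`.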
 