spidermanfan
MIS
OK, I'm at my wits' end. I can connect to the VPN fine, but while connected to the VPN, my Internet traffic tries to go through the VPN client instead of my home DSL line.
Any thoughts? Here is my config (some IPs were changed to protect the innocent).
Building configuration...
Current configuration : 6460 bytes
! Review notes, inserted as IOS "!" comment lines; they change nothing on the box.
! The symptom in the post (all Internet traffic entering the tunnel) is
! consistent with two things visible below:
!  1. The client configuration group "food" has no "acl" line, so no
!     split-tunnel policy is pushed and the client tunnels everything.
!  2. NAT ACL 102 translates only 192.168.192.0/24 sources, so pool
!     addresses (192.168.191.100-125) that do arrive through the tunnel would
!     leave the router untranslated and get no replies.
! Security-relevant points are marked "SEC:" next to the lines they concern.
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname grouter
!
boot-start-marker
boot-end-marker
!
no logging buffered
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
! Group authorization for the VPN; this list is referenced by SDM_CMAP_1 below.
aaa authorization network sdm_vpn_group_ml_1 local
aaa session-id common
ip subnet-zero
ip cef
!
!
! Inspect-rule name "mtfw" differs from "myfw", which every other line uses
! and which is applied on FastEthernet0/1; looks like a typo, so cuseeme is
! never inspected.
ip inspect name mtfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 3600
ip inspect name myfw udp timeout 3600
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip dhcp excluded-address 192.168.192.2
ip dhcp excluded-address 192.168.192.50
ip dhcp excluded-address 192.168.192.237
!
!
ip ips po max-events 100
ip domain name wishuponastar.com
ip name-server “outside dns server”
ip name-server 192.168.192.2
no ftp-server write-enable
!
!
!
!
!
!
! Policy 1 is the one the pre-shared-key remote-access clients can match.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
! Policy 3 carries no "authentication" line, so it uses the IOS default
! (rsa-sig, as far as I recall) and cannot match pre-shared-key clients;
! it appears unused and could be dropped to keep the proposal list tight.
crypto isakmp policy 3
encr 3des
group 2
!
! SEC: this group has no "acl" statement, which is where the split-tunnel
! policy comes from. Adding "acl <acl-number>" here, with that ACL
! permitting the internal networks (192.168.192.0/24 and 10.10.10.0/24 per
! FastEthernet0/0 below), tells the client to tunnel only those
! destinations and send Internet traffic out its own DSL line. Trade-off:
! split-tunnelled Internet traffic bypasses this router's "ip inspect"
! firewall, so the client then depends on its own host firewall.
! SEC: "key" is the group pre-shared key. With no XAUTH on the crypto map
! (see SDM_CMAP_1 below) it is the only credential a remote user needs.
crypto isakmp client configuration group food
key somekindapassword
dns 192.168.192.2 64.65.208.6
pool SDM_POOL_1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! "reverse-route" injects a host route for each connected client's pool
! address so return traffic from the LAN finds the tunnel.
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
! SEC: there is no "client authentication list" entry here, so remote users
! are not prompted for per-user credentials (XAUTH); the group key alone
! admits them. "crypto map SDM_CMAP_1 client authentication list <aaa-list>"
! together with "aaa authentication login <aaa-list> local" would add that step.
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
! LAN side. 10.10.10.1/24 is the primary address and 192.168.192.254/24 the
! secondary; note that only the secondary subnet appears in NAT ACL 102.
! Access-list 122 (applied outbound here) blocks telnet towards the LAN only.
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
ip address 192.168.192.254 255.255.255.0 secondary
ip address 10.10.10.1 255.255.255.0
ip access-group 122 out
ip nat inside
ip virtual-reassembly
no ip mroute-cache
duplex auto
speed auto
no cdp enable
hold-queue 32 in
!
! WAN side. ACL 111 inbound is the Internet-facing filter; the CBAC rule
! "myfw" (inspect out) opens return traffic for sessions that left here.
! The crypto map on this interface terminates the remote-access tunnels.
interface FastEthernet0/1
ip address 66.1.1.1 255.255.255.248
ip access-group 111 in
ip inspect myfw out
ip nat outside
ip virtual-reassembly
no ip mroute-cache
duplex auto
speed auto
no cdp enable
crypto map SDM_CMAP_1
!
! VPN client address pool; ACL 102 below excludes these addresses as NAT
! destinations so LAN-to-client traffic is not translated.
ip local pool SDM_POOL_1 192.168.191.100 192.168.191.125
ip classless
ip route 0.0.0.0 0.0.0.0 66.1.1.2
! SEC: management over cleartext HTTP is enabled and HTTPS is disabled
! (SDM talks to the router through this). Prefer "ip http secure-server"
! with "no ip http server", and restrict sources with "ip http access-class".
ip http server
ip http authentication local
no ip http secure-server
! Static port forwards: 443/22/80 to .50, SMTP to .2, all on the WAN address.
ip nat inside source static tcp 192.168.192.50 443 interface FastEthernet0/1 443
ip nat inside source static tcp 192.168.192.50 22 interface FastEthernet0/1 22
ip nat inside source static tcp 192.168.192.50 80 interface FastEthernet0/1 80
ip nat inside source static tcp 192.168.192.2 25 interface FastEthernet0/1 25
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
!
!
! ACL 102 drives the NAT route-map: the deny lines keep traffic destined to
! a VPN client untranslated; the final permit is the only source range NATed.
access-list 102 remark SDM_ACL Category=16
access-list 102 deny ip any host 192.168.191.100
access-list 102 deny ip any host 192.168.191.101
access-list 102 deny ip any host 192.168.191.102
access-list 102 deny ip any host 192.168.191.103
access-list 102 deny ip any host 192.168.191.104
access-list 102 deny ip any host 192.168.191.105
access-list 102 deny ip any host 192.168.191.106
access-list 102 deny ip any host 192.168.191.107
access-list 102 deny ip any host 192.168.191.108
access-list 102 deny ip any host 192.168.191.109
access-list 102 deny ip any host 192.168.191.110
access-list 102 deny ip any host 192.168.191.111
access-list 102 deny ip any host 192.168.191.112
access-list 102 deny ip any host 192.168.191.113
access-list 102 deny ip any host 192.168.191.114
access-list 102 deny ip any host 192.168.191.115
access-list 102 deny ip any host 192.168.191.116
access-list 102 deny ip any host 192.168.191.117
access-list 102 deny ip any host 192.168.191.118
access-list 102 deny ip any host 192.168.191.119
access-list 102 deny ip any host 192.168.191.120
access-list 102 deny ip any host 192.168.191.121
access-list 102 deny ip any host 192.168.191.122
access-list 102 deny ip any host 192.168.191.123
access-list 102 deny ip any host 192.168.191.124
access-list 102 deny ip any host 192.168.191.125
! Only 192.168.192.0/24 is translated; 10.10.10.0/24 (Fa0/0 primary) and the
! 192.168.191.x pool are not, so a full-tunnel client's Internet traffic
! would leave with an untranslated private source address.
access-list 102 permit ip 192.168.192.0 0.0.0.255 any
! ACL 111: inbound Internet filter on FastEthernet0/1.
access-list 111 permit tcp any any eq smtp
access-list 111 permit tcp any any eq www
access-list 111 permit tcp any any eq 22
access-list 111 permit tcp any any eq 443
! SEC: telnet is permitted in from any Internet source and the vty lines at
! the bottom accept it ("transport input telnet ssh"); that is cleartext
! management reachable from outside. Limit the vty lines to
! "transport input ssh" and/or add an "access-class" to them.
access-list 111 permit tcp any any eq telnet
! Permits all IP to one host; whether that is the router's own WAN address
! or a LAN host behind a static NAT is not visible after masking, so its
! exposure cannot be judged from this paste.
access-list 111 permit ip any host 66.xxx.xxx.xxx
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
! ESP and ISAKMP are what the remote-access VPN needs; UDP 10000 is the
! Cisco VPN client UDP encapsulation port.
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
! 1723/GRE are PPTP, but no PPTP (vpdn) configuration is visible here.
access-list 111 permit tcp any any eq 1723
! SEC: TCP 139 and the NetBIOS name/datagram ports are open from any
! Internet source; nothing visible in this config forwards them, so these
! three lines look unnecessary and are worth removing.
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny ip any any
access-list 122 deny tcp any any eq telnet
access-list 122 permit ip any any
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 102
!
!
!
control-plane
!
line con 0
exec-timeout 120 0
line aux 0
! SEC: telnet on the vty lines is reachable from the WAN through ACL 111;
! "transport input ssh" would restrict management to SSH.
line vty 0 4
transport input telnet ssh
line vty 5 15
transport input telnet ssh
!
end
Any thoughts? Here is my config (some IPs were changed to protect the innocent).
Building configuration...
Current configuration : 6460 bytes
! Review summary (IOS "!" comment lines; they change nothing on the box).
! This is a second, verbatim paste of the same 6460-byte configuration.
! Points that explain the reported behaviour and that matter for security:
!  - "crypto isakmp client configuration group food" has no "acl" line, so
!    no split-tunnel policy is pushed and the client tunnels all traffic.
!  - NAT ACL 102 translates only 192.168.192.0/24 sources; the VPN pool
!    (192.168.191.100-125) and 10.10.10.0/24 are never translated.
!  - SEC: SDM_CMAP_1 has no "client authentication list", so there is no
!    XAUTH; the group key alone admits a remote user.
!  - SEC: ACL 111 permits telnet from any source and the vty lines accept
!    telnet; "ip http server" is on with "no ip http secure-server".
!  - SEC: ACL 111 permits TCP 139 and NetBIOS UDP from any source, which
!    nothing visible here forwards.
!  - "ip inspect name mtfw cuseeme" uses a name that is never applied
!    (all other rules and the interface use "myfw").
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname grouter
!
boot-start-marker
boot-end-marker
!
no logging buffered
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa session-id common
ip subnet-zero
ip cef
!
!
ip inspect name mtfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 3600
ip inspect name myfw udp timeout 3600
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip dhcp excluded-address 192.168.192.2
ip dhcp excluded-address 192.168.192.50
ip dhcp excluded-address 192.168.192.237
!
!
ip ips po max-events 100
ip domain name wishuponastar.com
ip name-server “outside dns server”
ip name-server 192.168.192.2
no ftp-server write-enable
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 3
encr 3des
group 2
!
crypto isakmp client configuration group food
key somekindapassword
dns 192.168.192.2 64.65.208.6
pool SDM_POOL_1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
ip address 192.168.192.254 255.255.255.0 secondary
ip address 10.10.10.1 255.255.255.0
ip access-group 122 out
ip nat inside
ip virtual-reassembly
no ip mroute-cache
duplex auto
speed auto
no cdp enable
hold-queue 32 in
!
interface FastEthernet0/1
ip address 66.1.1.1 255.255.255.248
ip access-group 111 in
ip inspect myfw out
ip nat outside
ip virtual-reassembly
no ip mroute-cache
duplex auto
speed auto
no cdp enable
crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 192.168.191.100 192.168.191.125
ip classless
ip route 0.0.0.0 0.0.0.0 66.1.1.2
ip http server
ip http authentication local
no ip http secure-server
ip nat inside source static tcp 192.168.192.50 443 interface FastEthernet0/1 443
ip nat inside source static tcp 192.168.192.50 22 interface FastEthernet0/1 22
ip nat inside source static tcp 192.168.192.50 80 interface FastEthernet0/1 80
ip nat inside source static tcp 192.168.192.2 25 interface FastEthernet0/1 25
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
!
!
access-list 102 remark SDM_ACL Category=16
access-list 102 deny ip any host 192.168.191.100
access-list 102 deny ip any host 192.168.191.101
access-list 102 deny ip any host 192.168.191.102
access-list 102 deny ip any host 192.168.191.103
access-list 102 deny ip any host 192.168.191.104
access-list 102 deny ip any host 192.168.191.105
access-list 102 deny ip any host 192.168.191.106
access-list 102 deny ip any host 192.168.191.107
access-list 102 deny ip any host 192.168.191.108
access-list 102 deny ip any host 192.168.191.109
access-list 102 deny ip any host 192.168.191.110
access-list 102 deny ip any host 192.168.191.111
access-list 102 deny ip any host 192.168.191.112
access-list 102 deny ip any host 192.168.191.113
access-list 102 deny ip any host 192.168.191.114
access-list 102 deny ip any host 192.168.191.115
access-list 102 deny ip any host 192.168.191.116
access-list 102 deny ip any host 192.168.191.117
access-list 102 deny ip any host 192.168.191.118
access-list 102 deny ip any host 192.168.191.119
access-list 102 deny ip any host 192.168.191.120
access-list 102 deny ip any host 192.168.191.121
access-list 102 deny ip any host 192.168.191.122
access-list 102 deny ip any host 192.168.191.123
access-list 102 deny ip any host 192.168.191.124
access-list 102 deny ip any host 192.168.191.125
access-list 102 permit ip 192.168.192.0 0.0.0.255 any
access-list 111 permit tcp any any eq smtp
access-list 111 permit tcp any any eq www
access-list 111 permit tcp any any eq 22
access-list 111 permit tcp any any eq 443
access-list 111 permit tcp any any eq telnet
access-list 111 permit ip any host 66.xxx.xxx.xxx
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny ip any any
access-list 122 deny tcp any any eq telnet
access-list 122 permit ip any any
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 102
!
!
!
control-plane
!
line con 0
exec-timeout 120 0
line aux 0
line vty 0 4
transport input telnet ssh
line vty 5 15
transport input telnet ssh
!
end