Hi Tyson,

The split dns will solve the purpose but I see that the IPSec SAs are modified for only one case - EzVPN client with no virtual-template in network-extension mode

*EzVPN client with no virtual-template in client mode*

local ident (addr/mask/prot/port): pool network from pool
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

*EzVPN client with no virtual-template in network-extension mode*

local ident (addr/mask/prot/port): inside interface network
remote ident (addr/mask/prot/port): split dns network

*EzVPN client with virtual-template in client mode*

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

*EzVPN client with virtual-template in network-extension mode*

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

With regards
Kings

On Fri, Oct 23, 2009 at 9:00 AM, Tyson Scott <[email protected]> wrote:

> Your split tunnel list should be able to define what networks you will allow in.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Technical Instructor - IPexpert, Inc.
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Paul Stewart
> *Sent:* Thursday, October 22, 2009 10:07 PM
> *To:* [email protected]
> *Subject:* [OSL | CCIE_Security] EZ VPN on IOS
>
> I have been messing around with EZ VPN and various configurations. With the EZ VPN client in NEM, it inserts the SA's into my router as expected. My question is is there a way on the router acting as a EZ VPN Server to restrict what SA's can be inserted by an EZ VPN client in network extension mode? Just thinking there must be a way to prevent NEM from the server, or restrict the SA's that can be automatically created on the server by the client. I think there is a group-policy for this on the ASA (like nem disable), but I am overlooking something similar on the router platform. If anyone knows how this is done, let me know. If not, I'll post back when I figure it out.
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
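
An added example, not part of the original thread and not Cisco tooling: a Python audit that reads `local ident` / `remote ident` lines in the format quoted above (as printed by `show crypto ipsec sa`) and flags SAs whose selectors fall outside the networks you expect a NEM client to insert. The sample output and the allowed networks are constructed for illustration; this detects unexpected SAs, it does not restrict them on the server.

```python
import ipaddress
import re

# Matches ident lines such as:
#   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
IDENT_RE = re.compile(
    r"(local|remote)\s+ident \(addr/mask/prot/port\): "
    r"\((\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)/\d+/\d+\)"
)

# Constructed sample output (assumption: not captured from a real device).
SAMPLE = """
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.99.0/255.255.255.0/0/0)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
"""

# Constructed policy: the split-tunnel network and the one expected client LAN.
ALLOWED_LOCAL = [ipaddress.ip_network("10.1.1.0/24")]
ALLOWED_REMOTE = [ipaddress.ip_network("192.168.50.0/24")]


def parse_proxy_ids(output):
    """Return (local_net, remote_net) pairs, one per SA, in output order."""
    pairs, local = [], None
    for side, addr, mask in IDENT_RE.findall(output):
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if side == "local":
            local = net
        elif local is not None:  # a remote line completes the pair
            pairs.append((local, net))
            local = None
    return pairs


def audit(pairs, allowed_local, allowed_remote):
    """Return pairs where either selector is outside the expected networks."""
    def ok(net, allowed):
        return any(net.subnet_of(a) for a in allowed)
    return [(l, r) for l, r in pairs
            if not (ok(l, allowed_local) and ok(r, allowed_remote))]


if __name__ == "__main__":
    for local, remote in audit(parse_proxy_ids(SAMPLE), ALLOWED_LOCAL, ALLOWED_REMOTE):
        print(f"unexpected SA selectors: local={local} remote={remote}")
```

The any/any pair (0.0.0.0/0 on both sides, as in the virtual-template cases listed above) is flagged unless 0.0.0.0/0 is itself placed in both allowed lists.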
