I was thinking the split tunnel should define this as well. My logic was to use an extended ACL to define both the source and destination networks. When I tried it, first without a split ACL and then with one, the SAs that were being created did not look like anything my split ACL defined. It seemed as though something was cached, but I cleared all the SAs on both ends and disconnected the client. I'm sure it is a bug with me or the IOS. More than likely me. I'll try it again later.
On Thu, Oct 22, 2009 at 11:30 PM, Tyson Scott <[email protected]> wrote:

> Your split tunnel list should be able to define what networks you will allow in.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Technical Instructor - IPexpert, Inc.
> Telephone: +1.810.326.1444
> Cell: +1.248.504.7309
> Fax: +1.810.454.0130
> Mailto: [email protected]
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Paul Stewart
> Sent: Thursday, October 22, 2009 10:07 PM
> To: [email protected]
> Subject: [OSL | CCIE_Security] EZ VPN on IOS
>
> I have been messing around with EZ VPN and various configurations. With the EZ VPN client in NEM, it inserts the SAs into my router as expected. My question is: is there a way, on the router acting as an EZ VPN server, to restrict what SAs can be inserted by an EZ VPN client in network extension mode? Just thinking there must be a way to prevent NEM from the server, or restrict the SAs that can be automatically created on the server by the client. I think there is a group-policy for this on the ASA (like nem disable), but I am overlooking something similar on the router platform. If anyone knows how this is done, let me know. If not, I'll post back when I figure it out.
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
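For readers following the thread, here is a minimal IOS Easy VPN server configuration showing where the split-tunnel ACL that Tyson refers to lives and how to inspect the SAs a NEM client actually negotiates. This is an added example, not configuration posted by anyone in the thread; the group name EZVPN-GROUP, the ACL name SPLIT-ACL, the pre-shared key, and the 10.1.0.0/16 and 192.168.10.0/24 networks are placeholders chosen for illustration. The thread leaves open whether an extended split ACL constrains the client-side networks a NEM client can insert, so treat the show commands at the end as the check, not the config as the answer.

```cisco
! --- Easy VPN server (IOS), placeholder names and addresses ---
aaa new-model
aaa authorization network EZVPN-AUTHOR local
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
! Split-tunnel ACL: source = networks behind the server that the
! client is allowed to reach through the tunnel. Using an extended
! ACL here is the experiment described in the thread; the destination
! field is what Paul hoped would constrain the client-side network.
ip access-list extended SPLIT-ACL
 permit ip 10.1.0.0 0.0.255.255 192.168.10.0 0.0.0.255
!
crypto isakmp client configuration group EZVPN-GROUP
 key ChangeMe-PlaceholderPSK
 acl SPLIT-ACL
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto dynamic-map DYN 10
 set transform-set TS
 reverse-route
!
crypto map EZVPN-MAP isakmp authorization list EZVPN-AUTHOR
crypto map EZVPN-MAP client configuration address respond
crypto map EZVPN-MAP 10 ipsec-isakmp dynamic DYN
!
interface FastEthernet0/0
 description Outside, Easy VPN clients terminate here
 crypto map EZVPN-MAP
!
! --- Check after a NEM client connects ---
! Compare the proxy identities on each SA against SPLIT-ACL; any
! "remote ident" that SPLIT-ACL does not cover was inserted by the
! client, not by the server's policy.
!   show crypto ipsec sa | include ident
!   show ip route static      (RRI routes installed per client network)
!   show crypto session detail
```

If the remote identities reported by show crypto ipsec sa include a client network that SPLIT-ACL never names, the split ACL alone is not gating NEM insertions on that IOS release, which is the behaviour Paul reports; clear the SAs on both ends (clear crypto sa and clear crypto isakmp) before re-testing so a cached SA does not mask the result.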
