Kingsley, that is interesting output. Thank you for sharing. I have noted before that although the SA often says 0.0.0.0, it will actually only forward to the server based on the split tunnel list.
At least that is what I have found when testing, even though the SA states 0.0.0.0.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Telephone: +1.810.326.1444
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto: [email protected]
Join our free online support and peer group communities: <http://www.ipexpert.com/communities>
IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE Storage Lab Certifications.

From: Kingsley Charles [mailto:[email protected]]
Sent: Friday, October 23, 2009 4:10 AM
To: Tyson Scott
Cc: Paul Stewart; [email protected]
Subject: Re: [OSL | CCIE_Security] EZ VPN on IOS

Hi Tyson

The split dns will solve the purpose, but I see that the IPSec SAs are modified for only one case - EzVPN client with no virtual-template in network-extension mode.

EzVPN client with no virtual-template in client mode
  local  ident (addr/mask/prot/port): pool network from pool
  remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

EzVPN client with no virtual-template in network-extension mode
  local  ident (addr/mask/prot/port): inside interface network
  remote ident (addr/mask/prot/port): split dns network

EzVPN client with virtual-template in client mode
  local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
  remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

EzVPN client with virtual-template in network-extension mode
  local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
  remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

With regards
Kings

On Fri, Oct 23, 2009 at 9:00 AM, Tyson Scott <[email protected]> wrote:

Your split tunnel list should be able to define what networks you will allow in.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.

From: [email protected] [mailto:[email protected]] On Behalf Of Paul Stewart
Sent: Thursday, October 22, 2009 10:07 PM
To: [email protected]
Subject: [OSL | CCIE_Security] EZ VPN on IOS

I have been messing around with EZ VPN and various configurations. With the EZ VPN client in NEM, it inserts the SAs into my router as expected. My question is: is there a way on the router acting as an EZ VPN Server to restrict what SAs can be inserted by an EZ VPN client in network extension mode? Just thinking there must be a way to prevent NEM from the server, or restrict the SAs that can be automatically created on the server by the client. I think there is a group-policy for this on the ASA (like nem disable), but I am overlooking something similar on the router platform. If anyone knows how this is done, let me know. If not, I'll post back when I figure it out.

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
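The thread turns on what the server's installed SAs actually say versus what the split tunnel list permits. The following is an added example, not code from the thread or from Cisco: it parses the "local ident / remote ident" lines of `show crypto ipsec sa` output and reports every remote identity that is not inside one of the permitted split-tunnel networks (a 0.0.0.0/0 remote ident is always reported). The sample output and the permitted network list are constructed for the example.

```python
import ipaddress
import re

# Constructed sample of "show crypto ipsec sa" identity lines as they would appear
# on an EzVPN server with several connected clients (not output from the thread).
SAMPLE_SA_OUTPUT = """
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.5.0/255.255.255.0/0/0)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
"""

# Networks the server's split-tunnel ACL is meant to allow behind NEM clients (constructed).
PERMITTED_REMOTE = ["192.168.10.0/24", "192.168.11.0/24"]

# Matches one identity line: side, address, mask, protocol, port.
IDENT_RE = re.compile(
    r"(local|remote)\s+ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/(\d+)/(\d+)\)"
)


def parse_sa_pairs(text):
    """Return a list of (local_net, remote_net) per SA, pairing each local
    ident with the remote ident that follows it in the show output."""
    pairs, pending_local = [], None
    for m in IDENT_RE.finditer(text):
        side, addr, mask = m.group(1), m.group(2), m.group(3)
        # IOS prints dotted netmasks; ip_network accepts "addr/netmask" directly.
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if side == "local":
            pending_local = net
        elif pending_local is not None:
            pairs.append((pending_local, net))
            pending_local = None
    return pairs


def audit_remote_idents(text, permitted):
    """Return remote idents (as strings) not contained in any permitted network.
    A 0.0.0.0/0 remote ident is always reported because it matches everything."""
    allowed = [ipaddress.ip_network(p) for p in permitted]
    findings = []
    for _local_net, remote_net in parse_sa_pairs(text):
        if remote_net.prefixlen == 0 or not any(remote_net.subnet_of(a) for a in allowed):
            findings.append(str(remote_net))
    return findings


if __name__ == "__main__":
    print(audit_remote_idents(SAMPLE_SA_OUTPUT, PERMITTED_REMOTE))
```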
