Hi Stuart - thanks for your reply. I wanted the route on the client routing table. I found when I used a DVTI interface on the hardware ezvpn client that the route appeared in the table by default. If I did not use DVTI, I could see the route in the client status using "show crypto ipsec client ezvpn" but to get to that route I had to specify the source as the auto created loopback, as no route was put into the routing table on the client. Can you use RRI on an EZVPN client? If so, how do you enable it? For example, on the VPN 3000 concentrator you can enable client RRI so that when the client receives the split tunnel value it creates a route in the routing table.

-----Original Message-----
From: Stuart Hare [mailto:[email protected]]
Sent: Saturday, January 16, 2010 7:40 PM
To: Michael Davis
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] Lab 4a Part 2 sec 4.10

Michael

Split tunnelling itself is not used for route injection; its purpose is to define the networks/traffic that will be encrypted across the VPN.

If you want to insert a route for the VPN traffic into the device's table you would use RRI - reverse route injection. I am not fully familiar with lab 4 but this can be done using the reverse-route command in the crypto map / profile for instance. This effectively puts a static route into the table which you can redistribute to other devices via a dynamic routing protocol and the redistribute static command.

Check out the reverse-route command for the relevant device cmd reference.

Hth
Stu

Sent from my iPhone

On 16 Jan 2010, at 07:53, Michael Davis <[email protected]> wrote:

> Hello all – on lab 4a Part 2, task 4.10 – we assign a split
> tunnel value for the R8 client to receive a route to 10.1.1.0. This
> is fine. I can ping my ACS server from R8 using the auto created
> loop interface for the ipsec client as the source, but how would I
> put the split tunnel route into the routing table on R8 so I do not
> have to ping the ACS server by source – So when the client connects
> from R8 the split tunnel route enters the routing table through the
> newly created loop interface?
>
> Is it a command I would put into the ASA1 group policy perhaps?
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training,
> please visit www.ipexpert.com
