An easier solution, if you really need to go down that path, is to allow all down the VPN (no split tunnel) and have static persistent routes on the client; set up a script or something.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Looney
Sent: Friday, 29 August 2008 10:25 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions

> So that would be
>
> ip access-list extended DefaultrouteWithoutListedNetsTunnel
> deny ip 192.168.8.0 0.0.0.255 10.2.60.0 0.0.0.255
> permit ip any 10.2.60.0 0.0.0.255
>
> But packets to 192.168.8.1 still go out through the tunnel.

Well, yeah. Because it matches the access list. From the sounds of it, you need to list each local network specifically in the access list so it won't match.

<obvious>That will be tricky.</obvious>

B.
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/