Anyone,

I've been scratching my head for an hour or so regarding Cisco EzVPN and multiple spokes. Googling sample configs seems to not turn up any that cover multiple spokes. My problem is I've got a hub (Cisco 871, running 12.4T) with a static address, and a couple of spokes with dynamic addresses on the WAN interfaces. Spoke-to-hub always works fine, but the ACL that controls what to put in the IPsec tunnel is eluding me. The clients seem to support an ACL, but that didn't seem to work. Our config requires NAT overload for anything internet-bound that we don't want to send to another spoke or the hub.

What seems to work now is an ACL on the hub that permits traffic from its internal interface to the spoke internal interfaces, and then permits spoke A's internal subnet to spoke B. What is troubling is that 'show cry ips client ez' on the spokes looks like this:

    Save Password: Allowed
    Split Tunnel List: 1
           Address    : 192.168.0.0
           Mask       : 255.255.255.0
           Protocol   : 0x0
           Source Port: 0
           Dest Port  : 0
    Split Tunnel List: 2
           Address    : 192.168.200.0
           Mask       : 255.255.255.0
           Protocol   : 0x0
           Source Port: 0
           Dest Port  : 0
    Split Tunnel List: 3
           Address    : 192.168.10.0
           Mask       : 255.255.255.0
           Protocol   : 0x0
           Source Port: 0
           Dest Port  : 0
    Current EzVPN Peer: ((hub WAN IP ADDRESS))

This seems to indicate that the ACL only cares about the source, and the use of an extended ACL isn't needed. But a standard ACL didn't seem to work. The config guides I found aren't clear on ACL format. At this point I'd like to see a good running config of what it is supposed to look like, or at least a good doc that covers more than one spoke. I'm not looking for direct spoke-to-spoke traffic; spoke-to-spoke via the hub is fine.
This is the URL I've been trying to follow, but I'm only getting so far with it: http://www.cisco.com/c/dam/en/us/products/collateral/security/ios-easy-vpn/prod_white_paper0900aecd80313bd6.pdf

Thanks,
Chuck

_______________________________________________
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
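Editor's note (added example, not part of the original post or of any reply on the list): the split-tunnel list that an EzVPN server pushes is built from the source networks of the ACL referenced by the `acl` keyword in the client configuration group; destination, protocol and ports are ignored, which is why the spoke output above shows only addresses with Protocol 0x0 and zero ports. For spoke-to-spoke traffic to be tunnelled to the hub, the hub's ACL therefore has to list the hub LAN and every spoke LAN as sources. The hub-side fragment below shows that arrangement using the three subnets from the post. Everything else in it (group name SPOKES, profile names, the AAA list, the transform set, `Vlan1` as the hub's inside interface, the Virtual-Template design and the pre-shared key placeholder) is an assumption chosen for illustration and must be adapted to the real router; it is not a config from Chuck or from the Cisco white paper.

```cisco
! Hub-side EzVPN server fragment (IOS 12.4T style, assumed layout; added example).
! Only the parts that control what the spokes tunnel are shown.
aaa new-model
aaa authorization network EZVPN-AUTHOR local
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
! The group the spokes connect with. 'acl 110' is the split-tunnel list.
crypto isakmp client configuration group SPOKES
 key REPLACE-WITH-REAL-PSK
 acl 110
 save-password
!
crypto isakmp profile EZVPN-PROF
 match identity group SPOKES
 isakmp authorization list EZVPN-AUTHOR
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set EZVPN-TS esp-aes esp-sha-hmac
!
crypto ipsec profile EZVPN-IPSEC
 set transform-set EZVPN-TS
 set isakmp-profile EZVPN-PROF
!
! One virtual-access interface is cloned per spoke, so the hub can route
! spoke A -> spoke B between two tunnels without a crypto map on the WAN.
interface Virtual-Template1 type tunnel
 ip unnumbered Vlan1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile EZVPN-IPSEC
!
! Split-tunnel ACL. Only the SOURCE of each entry is pushed to the spokes,
! as an extended ACL; destination, protocol and ports are not used. Listing
! the hub LAN plus every spoke LAN is what makes spoke-to-spoke traffic go
! into the tunnel instead of the spoke's NAT overload.
access-list 110 permit ip 192.168.0.0 0.0.0.255 any
access-list 110 permit ip 192.168.200.0 0.0.0.255 any
access-list 110 permit ip 192.168.10.0 0.0.0.255 any
```

Check it from a spoke with `show crypto ipsec client ezvpn`: each subnet listed as a source in access-list 110 should appear as one "Split Tunnel List" entry, as in the output quoted in the post. Note that the spoke's own LAN is pushed to it as well; that entry is harmless, and keeping a single ACL for all spokes is simpler than maintaining one group per spoke. Whenever a new spoke subnet is added, it has to be appended to this ACL, or the other spokes will keep NAT-overloading traffic for it to the internet.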