Limiting Internet access with VPN setup

r-remien
Level 1

I have a remote office that is connected via site-to-site VPN from a 1720 router (remote office) to a Pix (HQ). The remote office has its own T1. The users in the remote office go across the VPN for LAN/WAN resources and go straight out the T1 to the Internet. I have used the route-map command to specify which subnets are allowed over the VPN and which are directed towards the Internet. I basically followed the sample doc at http://www.cisco.com/warp/public/110/39.html

Here are the relevant config lines:

HQ LAN subnet - 10.1.1.0/24

HQ LAN subnet - 10.1.2.0/24

Remote LAN subnet - 172.16.1.0/24

Remote WAN subnet - 172.30.1.0/24

Here is my setup on the router:

crypto map catcher

match address 120

ip nat pool remote 172.30.1.10 172.30.1.30 prefix-length 24

ip nat inside source route-map nonat pool remote

access-list 120 permit ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255

access-list 120 permit ip 172.16.1.0 0.0.0.255 10.1.2.0 0.0.0.255

access-list 130 deny ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255

access-list 130 deny ip 172.16.1.0 0.0.0.255 10.1.2.0 0.0.0.255

access-list 130 permit ip 172.16.1.0 0.0.0.255 any

route-map nonat permit 10

match ip address 130

I would like to limit all users that have a 172.16.1.230 or higher IP address on the remote LAN subnet from accessing the Internet. I tried changing the last line of access-list 130 to 172.16.1.0 0.0.0.229 but it did not work. Does anyone have an idea on how to make this work?

TIA,

RJ

2 Replies

ruwhite
Level 7

To keep all addresses above .130 from getting into the nat path, you should use this set of entries:

permit 172.16.1.0 0.0.0.223 (permits 0-223)

permit 172.16.1.224 0.0.0.3 (permits 224-227)

permit 172.16.1.228 0.0.0.1 (permits 228-229)

permit 172.16.1.230 0.0.0.0 (permits 230)

You can do this on the deny side as well:

deny 172.16.1.231 host

deny 172.16.1.232 0.0.0.7

deny 172.16.1.240 0.0.0.15

ip subnet'r will figure these out for you on a palm pilot.... I'm working on a new version currently, to be released when I finish my networkers presentations and I get around to it.... :-)

Russ

Are you saying that in my last line, which was

access-list 130 permit ip 172.16.1.0 0.0.0.229

that I should break it down to the 4 entries above? I want the whole 255 subnet to be able to access resources on the VPN but only the first 230 to go out to the Internet, which is what the last line in access-list 130 does.
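As an added example (not from the thread or from Cisco), the script below does what Russ describes for the range actually asked about: it splits 172.16.1.0-172.16.1.229 into contiguous wildcard blocks, renders them as access-list 130 entries, and then checks which hosts of the /24 a set of entries really matches. The same check shows why the single entry 172.16.1.0 0.0.0.229 from the question cannot work: a wildcard is a bit mask, not a count, and 229 has non-contiguous bits. The access-list number and host range are taken from the thread; the helper names are my own.

```python
import ipaddress


def wildcard_entries(first, last):
    """Split an inclusive IPv4 host range into (network, wildcard) pairs,
    one per contiguous CIDR block, the way an IOS ACL needs them."""
    first, last = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return [(str(net.network_address), str(net.hostmask))
            for net in ipaddress.summarize_address_range(first, last)]


def render_acl(number, entries, action="permit"):
    """Render entries as 'access-list N permit ip <net> <wildcard> any' lines."""
    return [f"access-list {number} {action} ip {net} {wc} any" for net, wc in entries]


def acl_matches(entry, addr):
    """True if addr matches one ACL entry: every bit that is 0 in the
    wildcard must equal the corresponding bit of the entry's address."""
    net, wc = (int(ipaddress.IPv4Address(x)) for x in entry)
    care = ~wc & 0xFFFFFFFF                      # bits the router compares
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)


def matched_octets(entries, subnet):
    """Last octets of every host in subnet that at least one entry permits."""
    return sorted(int(h) & 0xFF for h in ipaddress.ip_network(subnet)
                  if any(acl_matches(e, str(h)) for e in entries))


if __name__ == "__main__":
    good = wildcard_entries("172.16.1.0", "172.16.1.229")
    for line in render_acl(130, good):
        print(line)
    print("hosts matched by the 5 entries:", len(matched_octets(good, "172.16.1.0/24")))
    # The single entry from the question: 229 = 0b11100101, so bits 4, 3 and 1
    # of the last octet are compared and must be 0. That excludes .2, .3, .8 ...
    bad = matched_octets([("172.16.1.0", "0.0.0.229")], "172.16.1.0/24")
    print("hosts matched by 0.0.0.229 wildcard:", len(bad), "e.g. .2 matched:", 2 in bad)
```

Once the five permit lines replace the last line of access-list 130, anything from .230 upward falls off the end of the list, is implicitly denied by the route map, is never NATed, and so never reaches the Internet, while access-list 120 still carries the whole /24 over the VPN.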