Hi, Looking for some help with a 1

[pmoorey]

Hi,

Looking for some help with a VPN routing issue...

I am connecting a Cisco VPN client via the internet to a Cisco ADSL 837 running Easy VPN server. The config is generating using SDM...

I am able to establish the tunnel, and connect/ping to Ethernet0 interface of router... however not to any of the devices on the remote subnet.

The address assigned to the VPN client is one of 4 addresses on the same subnet as the remote devices.

when tracerting from VPN client packets are being routed out of the dial0 interface to the public ip add.

Tracing route to 192.168.2.5 over a maximum of 30 hops

1 56 ms 57 ms 58 ms 88-10x-3x-23x.dynamic.dsl.as9105.com [88.10x.3x.23x]
2 ^C

The routing table is also very strange...I've no idea what the 172. addresses are...

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

21x.7x.11x.0/32 is subnetted, 1 subnets
C 212.74.111.189 is directly connected, Dialer0
88.0.0.0/32 is subnetted, 1 subnets
C 88.10x.3x.23x is directly connected, Dialer0
192.168.2.0/24 is variably subnetted, 5 subnets, 2 masks
C 192.168.2.0/24 is directly connected, Ethernet0
S 192.168.2.202/32 [1/0] via 172.207.110.245
S 192.168.2.203/32 [1/0] via 172.207.110.245
[1/0] via 172.188.67.6
S 192.168.2.200/32 [1/0] via 212.39.160.222
[1/0] via 172.207.110.245
S 192.168.2.201/32 [1/0] via 172.207.110.245
S* 0.0.0.0/0 is directly connected, Dialer0

Config follows....

!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname HomeGateway
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
logging buffered 51200 informational
logging console critical
enable secret 5 xxxxxxxxxxxx
enable password 7 xxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
!
aaa session-id common
no ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.1 192.168.2.10
!
ip dhcp pool LocalLan
network 192.168.2.0 255.255.255.0
default-router 192.168.2.33
dns-server 21x.3x.16x.2x
!
!
ip cef
ip domain name xxxxx.co.uk
ip name-server 21x.3x.16x.2x
ip name-server 21x.3x.16x.2x
no ip bootp server
ip port-map http port tcp 80 list 3 description HTTP
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
!
crypto pki trustpoint TP-self-signed-3978172803
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3978172803
revocation-check none
rsakeypair TP-self-signed-3978172803
!
!
crypto pki certificate chain TP-self-signed-3978172803
certificate self-signed 01
30820251 308201BA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33393738 31373238 3033301E 170D3032 30333031 30333532
31385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 39373831
37323830 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100E8D1 41952927 4DED0094 80E6EF4F 2DAC0153 7CBE7EA4 16B67311 B7ACD794
CD5078AB C9E2F710 9C9A99E3 BEFC0AE8 384C17D6 1134F575 708F28E8 08D836D7
D72756D5 16241D5E 16EDBEC1 910BB1E4 6C387AB7 D575A1F3 25573A0D 52A9581F
72BB837C E1BF352E 18173A77 0365BFDA 88EB2545 A01D816D 8A3DD8E5 F14F7D8E
34890203 010001A3 79307730 0F060355 1D130101 FF040530 030101FF 30240603
551D1104 1D301B82 19486F6D 65476174 65776179 2E706D6F 6F726579 2E636F2E
756B301F 0603551D 23041830 1680141E 6DE533A0 AD9FE228 8A15D675 61F08090
601D4B30 1D060355 1D0E0416 04141E6D E533A0AD 9FE2288A 15D67561 F0809060
1D4B300D 06092A86 4886F70D 01010405 00038181 003319A3 00F976CF E36AC5A1
26FA9D39 E23B7C04 86ADB2EC 785DFD06 DFE788FF 5491A0D6 0AEA8E92 CC7F9892
45B34199 74AFFF02 28FB45EA F773676A FEDF897A FAF1117D BCFAAB63 1D829C13
7BC1733C 4CEC6FD2 800CE2E7 8786CB72 9C16EFF1 64FB2543 2CB43CD3 3F28E795
AE3693FD FADA901F 50164EAF 6B9B447B 8E310920 9F
username louise privilege 15 password 7 05180F012F495C5B4B
!
!
ip tcp synwait-time 10
ip ftp username anonymous
ip ftp password 7 135143465F58507E7F707C6761
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map match-any SDM-Transactional-1
match dscp af21
match dscp af22
match dscp af23
class-map match-any SDM-Signaling-1
match dscp cs3
match dscp af31
class-map match-any SDM-Scavenger-1
match dscp cs1
class-map match-any SDM-Routing-1
match dscp cs6
class-map match-any SDM-Voice-1
match dscp ef
class-map match-any SDM-Streaming-Video-1
match dscp cs4
class-map match-any SDM-Management-1
match dscp cs2
class-map match-any SDM-Interactive-Video-1
match dscp af41
class-map match-any SDM-BulkData-1
match dscp af11
match dscp af12
match dscp af13
!
!
policy-map SDM-QoS-Policy-1
class SDM-Voice-1
priority percent 60
class SDM-Signaling-1
bandwidth percent 5
class SDM-Routing-1
bandwidth percent 1
class SDM-Management-1
bandwidth percent 1
class SDM-Transactional-1
bandwidth percent 5
class class-default
fair-queue
random-detect
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group Remote_Access
key xxxxxx
dns 21x.3x.16x.2x 21x.3x.16x.2x
domain xxxxxx.co.uk
pool SDM_POOL_1
acl 100
save-password
max-users 2
netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
reverse-route
qos pre-classify
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_2
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_2
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface Null0
no ip unreachables
!
interface Ethernet0
description $ETH-LAN$$FW_INSIDE$
ip address 192.168.2.33 255.255.255.0
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting output-packets
ip accounting access-violations
ip nat inside
ip virtual-reassembly
ip route-cache flow
hold-queue 100 out
!
interface Ethernet2
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
hold-queue 100 out
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no ip mroute-cache
no atm ilmi-keepalive
dsl operating-mode auto
hold-queue 244 in
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet1
speed auto
full-duplex
!
interface FastEthernet2
duplex auto
speed auto
!
interface FastEthernet3
duplex auto
speed auto
!
interface FastEthernet4
duplex auto
speed auto
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip access-group 103 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting output-packets
ip accounting access-violations
ip mtu 1492
ip nbar protocol-discovery
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
ip tcp adjust-mss 1452
dialer pool 1
dialer idle-timeout 0
dialer-group 1
ppp authentication chap callin
ppp chap hostname xxxx@xxx.com
ppp chap password 7 xxxxxxxxxxxx
crypto map SDM_CMAP_1
service-policy output SDM-QoS-Policy-1
!
ip local pool SDM_POOL_1 192.168.2.200 192.168.2.204
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
!
ip nat inside source static tcp 192.168.2.3 21 interface Dialer0 21
ip nat inside source static tcp 192.168.2.3 80 interface Dialer0 80
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
logging trap debugging
access-list 1 remark SDM_ACL Category=16
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.2.0 0.0.0.255
access-list 2 deny any
access-list 3 remark SDM_ACL Category=1
access-list 3 permit 192.168.2.3
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=2
access-list 101 deny ip any host 192.168.2.200
access-list 101 deny ip any host 192.168.2.201
access-list 101 deny ip any host 192.168.2.202
access-list 101 deny ip any host 192.168.2.203
access-list 101 deny ip any host 192.168.2.204
access-list 101 deny ip 192.168.2.0 0.0.0.255 host 192.168.2.200
access-list 101 deny ip 192.168.2.0 0.0.0.255 host 192.168.2.201
access-list 101 deny ip 192.168.2.0 0.0.0.255 host 192.168.2.202
access-list 101 deny ip 192.168.2.0 0.0.0.255 host 192.168.2.203
access-list 101 deny ip 192.168.2.0 0.0.0.255 host 192.168.2.204
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 permit tcp 192.168.2.0 0.0.0.255 host 192.168.2.33 eq telnet
access-list 102 permit tcp 192.168.2.0 0.0.0.255 host 192.168.2.33 eq 22
access-list 102 permit tcp 192.168.2.0 0.0.0.255 host 192.168.2.33 eq www
access-list 102 permit tcp 192.168.2.0 0.0.0.255 host 192.168.2.33 eq 443
access-list 102 permit tcp 192.168.2.0 0.0.0.255 host 192.168.2.33 eq cmd
access-list 102 permit udp 192.168.2.0 0.0.0.255 host 192.168.2.33 eq snmp
access-list 102 deny tcp any host 192.168.2.33 eq telnet
access-list 102 deny tcp any host 192.168.2.33 eq 22
access-list 102 deny tcp any host 192.168.2.33 eq www
access-list 102 deny tcp any host 192.168.2.33 eq 443
access-list 102 deny tcp any host 192.168.2.33 eq cmd
access-list 102 deny udp any host 192.168.2.33 eq snmp
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 permit ip host 192.168.2.200 any
access-list 103 permit ip host 192.168.2.201 any
access-list 103 permit ip host 192.168.2.202 any
access-list 103 permit ip host 192.168.2.203 any
access-list 103 permit ip host 192.168.2.204 any
access-list 103 permit tcp any any eq ftp
access-list 103 permit tcp any any eq www
access-list 103 remark Access to FTP Server
access-list 103 permit tcp any host 192.168.2.3 eq ftp
access-list 103 remark Access to

http://WWW Server

access-list 103 permit tcp any host 192.168.2.3 eq

http://www log

access-list 103 remark Permit DNS Lookups
access-list 103 permit udp host 212.39.160.23 eq domain any
access-list 103 remark Permit DNS Lookups
access-list 103 permit udp host 212.39.160.22 eq domain any
access-list 103 remark Permit VPN In
access-list 103 permit ahp any any
access-list 103 remark Permit VPN In
access-list 103 permit esp any any
access-list 103 remark Permit VPN In
access-list 103 permit udp any any eq isakmp
access-list 103 remark Permit VPN In
access-list 103 permit udp any any eq non500-isakmp
access-list 103 remark Permit VPN Hosts to Internal Network
access-list 103 permit ip host 192.168.2.204 192.168.2.0 0.0.0.255
access-list 103 remark Permit VPN Hosts to Internal Network
access-list 103 permit ip host 192.168.2.203 192.168.2.0 0.0.0.255
access-list 103 remark Permit VPN Hosts to Internal Network
access-list 103 permit ip host 192.168.2.202 192.168.2.0 0.0.0.255
access-list 103 remark Permit VPN Hosts to Internal Network
access-list 103 permit ip host 192.168.2.201 192.168.2.0 0.0.0.255
access-list 103 remark Permit VPN Hosts to Internal Network
access-list 103 permit ip host 192.168.2.200 192.168.2.0 0.0.0.255
access-list 103 deny ip 192.168.2.0 0.0.0.255 any
access-list 103 permit icmp any any echo-reply
access-list 103 permit icmp any any time-exceeded
access-list 103 permit icmp any any unreachable
access-list 103 deny ip 10.0.0.0 0.255.255.255 any
access-list 103 deny ip 172.16.0.0 0.15.255.255 any
access-list 103 deny ip 192.168.0.0 0.0.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip host 0.0.0.0 any
access-list 103 deny ip any any log
access-list 104 remark VTY Access-class list
access-list 104 remark SDM_ACL Category=1
access-list 104 permit ip 192.168.2.0 0.0.0.255 any
access-list 104 deny ip any any
dialer-list 1 protocol ip permit
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
!
control-plane
!
banner login ^CThis is a monitored system. Unauthorised access is not permited. Logoff now i
f you are not permitted to access this system^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
access-class 104 in
password 7 xxxxxxxxxxxxxx
length 0
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler interval 500


Peter
CCNA, Cisco Qualified Specialist

 

[burtsbees]

First off...visit this site...

http://www.kazmier.com/computer/cisco-apps.html

enter everything after "password 7 ", like what is says in your config...
so you would enter "05180F012F495C5B4B", from the line in your config that says "username louise privilege 15 password 7 05180F012F495C5B4B"
In other words, substitute the encrypted password with "xxxxxxxxxx" when posting your config next time. And do this...
router#conf t
router(config)#service password-encryption
They are easy to crack, as you can see...
Second, ...
router(config)#no access-list 101
router(config)#access-list 101 permit ip 192.168.2.0 0.0.0.255 any
router(config)#int di0
router(config-if)#no ip access-group 103 in
router(config-if)#exit
router(config)#no ip port-map http port tcp 80 list 3 description HTTP
router(config)#int e0
router(config-if)#no ip access-group 102 in
router(config-if)#end
router#
See what that does.

Burt

 

[pmoorey]

I didn't realise that I left a userid in the config...

The access lists are not applied to the interfaces any more, however the problem remains.

There is a definate routing issue...

router#sh ip route 192.168.2.200
Routing entry for 192.168.2.200/32
Known via "static", distance 1, metric 0
Routing Descriptor Blocks:
21x.3x.16x.22x (CORRECT ADDRESS)
Route metric is 0, traffic share count is 1
* 172.207.110.245 (UNKNOWN ADDRESS seemly something to do with AOL which I don't even use)
Route metric is 0, traffic share count is 1



Peter
CCNA, Cisco Qualified Specialist

 

[burtsbees]

Norton?

Burt

 

[plshlpme]

did you make these changes?

router(config)#no access-list 101
router(config)#access-list 101 permit ip 192.168.2.0 0.0.0.255 any

if so then you will need to change your pool that your vpn users are given.. they need to be on a different subnet. or explicitly denied in your nat access-list.

once a vpn session is established you dont want that traffic to be natted.

 

[burtsbees]

Whoops...good catch.

Burt

 

[burtsbees]

Post a
sh access-list

Burt

 

[burtsbees]

By the way, what I overlooked and what you posted is what fixed mine! You get a star bro.

Burt

 

[plshlpme]

sweet man.

 

[pmoorey]

Hi,

I did at one point have it working with the VPN client getting an address on the same subnet (192.168.2.0/24)... however not any longer.

Can anyone throw in a suggestion as to why the spare IP addresses are in the routing table with an AOL address as a next hop... I find that very unusual...

I am going to re-do the VPN wizard and create a pool in a different subnet...

Peter
CCNA, Cisco Qualified Specialist

 

[burtsbees]

All you have to do is...
router#sh access-lists
It then shows you like...

2620XM_AdvEnter#sh access-lists
Standard IP access list 1
10 permit 10.0.0.0, wildcard bits 0.255.255.255
Extended IP access list 101
10 permit ip 10.0.0.0 0.255.255.255 any (2333 matches)
Extended IP access list 102
10 deny ip 10.0.0.0 0.255.255.255 any
20 deny ip 172.16.0.0 0.15.255.255 any
30 deny ip 192.168.0.0 0.0.255.255 any (6 matches)
40 permit ip any any (387671 matches)
Extended IP access list 103
10 permit ip 10.0.0.0 0.255.255.255 any
Extended IP access list 110
10 permit tcp any any eq ftp
Extended IP access list 151
10 permit tcp any host 10.0.0.8
Extended IP access list 152
10 permit tcp any host 10.0.0.69 (4304 matches)
That is the output of mine...when I fixed mine so that I could RDC into my Windows boxes when VPN'd in, I did this...

2620XM_AdvEnter#conf t
2620XM_AdvEnter(config)#ip access-list extended 101
2620XM_AdvEnter(config-ext-nacl)#no 10
2620XM_AdvEnter(config-ext-nacl)#10 deny ip any host 10.0.0.15
2620XM_AdvEnter(config-ext-nacl)#15 deny ip any host 10.0.0.16
That was to ensure that the two addresses I have reserved for VPN from the dhcp pool did not get NATted, which then allowed me to RDC into Windows boxes in my network when I VPN'd...thanks to plshlpme.
Here's a complete config, if it will help give you more clues...
2620XM_AdvEnter#sh run
Building configuration...
Current configuration : 4095 bytes
version 12.4
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
no service password-encryption
hostname 2620XM_AdvEnter
boot-start-marker
boot-end-marker
security authentication failure rate 2 log
enable secret 5 x
aaa new-model
aaa authentication login my_vpn_xauth local
aaa authorization network my_vpn_group local
aaa session-id common
resource policy
no network-clock-participate slot 1
no network-clock-participate wic 0
no ip source-route
ip cef
ip tcp intercept list 152
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.1
ip dhcp excluded-address 10.0.0.8
ip dhcp excluded-address 10.0.0.69
ip dhcp excluded-address 10.0.0.97
ip dhcp pool whachyootalkinboutwillis
network 10.0.0.0 255.0.0.0
default-router 10.0.0.1
no ip bootp server
ip domain name local
username xxxxxxxxxxxx privilege 15 password 0 xxxxxxxxxxxx
username xxxxxxxx privilege 15 password 0 xxxxxxxxx
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group xxxxxxxx
key xxxxxxxx
pool vpn_pool_1
max-users 2
netmask 255.0.0.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map vpn_dynmap_1 1
set transform-set ESP-3DES-SHA
reverse-route
crypto map vpn_cmap_1 client authentication list my_vpn_xauth
crypto map vpn_cmap_1 isakmp authorization list my_vpn_group
crypto map vpn_cmap_1 client configuration address respond
crypto map vpn_cmap_1 65535 ipsec-isakmp dynamic vpn_dynmap_1
interface ATM0/0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
interface ATM0/0.1 point-to-point
no snmp trap link-status
pvc 0/35
oam-pvc manage
pppoe-client dial-pool-number 1

interface FastEthernet0/0
ip address 10.0.0.1 255.0.0.0
no ip redirects
ip mtu 1492
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
interface Serial0/1
ip address 192.168.1.1 255.255.255.0
no ip redirects
encapsulation frame-relay
no fair-queue
frame-relay map ip 192.168.1.2 102 broadcast
interface Dialer0
ip address negotiated
ip access-group 102 in
no ip redirects
ip nat outside
ip virtual-reassembly
rate-limit input access-group 100 512000 1024000 2048000 conform-action transmit exceed-action drop
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname xxxxxxxxxxxxxxx
ppp chap password 0 xxxxxxxxx
ppp pap sent-username xxxxxxxxxxxxxxxx password 0 xxxxxxx
ppp ipcp dns request
ppp ipcp wins request
crypto map vpn_cmap_1
interface Dialer1
no ip address
rate-limit output access-group 100 64000 128000 256000 conform-action transmit exceed-action drop
router rip
version 2
network 10.0.0.0
network 172.16.0.0
network 192.168.1.0
no auto-summary
ip local pool vpn_pool_1 10.0.0.15 10.0.0.16
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
no ip http secure-server
ip nat inside source static tcp 10.0.0.8 21 interface Dialer0 21
ip nat inside source route-map vpn_routemap_1 interface Dialer0 overload
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 101 deny ip any host 10.0.0.15
access-list 101 deny ip any host 10.0.0.16
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 permit ip any any
access-list 102 remark prevent_RFC1918_as_source
access-list 103 permit ip 10.0.0.0 0.255.255.255 any
access-list 110 permit tcp any any eq ftp
access-list 151 permit tcp any host 10.0.0.8
access-list 152 permit tcp any host 10.0.0.69
dialer-list 1 protocol ip permit
route-map vpn_routemap_1 permit 1
match ip address 101
control-plane
line con 0
password xxxxxx
logging synchronous
line aux 0
line vty 0 4
password xxxxxx
end

Burt

 

[burtsbees]

Oh---I also added
20 permit ip any any
to acl 101

Burt