ACL question

Unanswered Question
Mar 12th, 2007

I have a router with an interface facing the internet. I want to use this router to set up LAN-to-LAN IPsec VPNs. I want to implement an ACL on that interface to protect my router and network. I want to allow only VPN traffic. What should the access list look like (assuming I'm using the IP address on my router interface)?

Thanks in advance..

abdel_n Mon, 03/12/2007 - 13:01

Hi Ahmed,

When filtering at the edge, there is not too much to see:

IKE protocol --> udp 500

IPSec protocols:

ESP protocol --> ip protocol 50

AH protocol ---> ip protocol 51

For NAT transparency:

udp 4500 or tcp (port number has to be configured)

So the access-list looks like:


! ROUTER_IP is a placeholder for the address of the Internet-facing interface
! (extended ACLs need a source and destination; "any" = any peer)
Router(config)#access-list 100 permit esp any host ROUTER_IP
Router(config)#access-list 100 permit ahp any host ROUTER_IP
Router(config)#access-list 100 permit udp any host ROUTER_IP eq 500
Router(config)#access-list 100 permit udp any host ROUTER_IP eq 4500
!!!And assign it to the interface to which the crypto map is bound
Router(config)#interface <outside-interface>
Router(config-if)#ip access-group 100 in


You can also set a symmetric ACL at the IPsec peer on the other side.

I hope this will help.

Have a good work!
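A fuller version of the same edge ACL, added here as an example and not part of abdel_n's reply: it restricts IKE, NAT-T, ESP and AH to one known peer instead of "any", and logs everything else that is dropped so probing of the interface shows up in the logs. The addresses 203.0.113.1 (router's outside interface) and 198.51.100.10 (remote VPN peer), the interface name and the ACL name are constructed placeholders.

```cisco
! Constructed addresses for this example:
!   203.0.113.1   = this router's Internet-facing interface
!   198.51.100.10 = the remote LAN-to-LAN IPsec peer
ip access-list extended VPN-ONLY-IN
 remark IKE (ISAKMP), UDP 500, only from the known peer
 permit udp host 198.51.100.10 host 203.0.113.1 eq 500
 remark IKE/IPsec NAT traversal, UDP 4500
 permit udp host 198.51.100.10 host 203.0.113.1 eq 4500
 remark IPsec ESP (IP protocol 50) and AH (IP protocol 51)
 permit esp host 198.51.100.10 host 203.0.113.1
 permit ahp host 198.51.100.10 host 203.0.113.1
 remark everything else is dropped; "log" records the hits for monitoring
 deny ip any any log
!
interface GigabitEthernet0/0
 description Internet-facing interface, crypto map bound here
 ip access-group VPN-ONLY-IN in
!
! Verification after the tunnel is brought up:
!   show access-lists VPN-ONLY-IN   -> permit counters increase for the peer,
!                                      deny counter shows non-VPN traffic
!   show crypto isakmp sa           -> IKE SA in state QM_IDLE
```

Check with `show access-lists` that the permit lines are actually matching; if the IKE SA never forms, verify the peer address and whether your IOS release also evaluates decrypted inner traffic against the inbound ACL, in which case the tunnel's inner subnets need permit lines too.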


