ACL question

Mar 12th, 2007

I have a router with an interface facing the internet. I want to use this router to set up LAN-to-LAN IPsec VPNs. I want to implement an ACL on that interface to protect my router and network. I want to allow only VPN traffic. What should the access list look like (assuming I'm using the IP address 1.1.1.1/28 on my router interface)?


Thanks in advance..

abdel_n Mon, 03/12/2007 - 13:01

Hi Ahmed,


When filtering at the edge, there is not too much to see:

IKE protocol --> udp 500

IPsec protocols:

ESP protocol --> ip protocol 50

AH protocol --> ip protocol 51

For NAT transparency:

udp 4500 or tcp (port number has to be configured)


So the access-list looks like:

!!! Extended ACL: source first, then destination; the peer is the source,
!!! the router's /28 is the destination, so "eq" applies to the destination port

Router(config)#access-list 100 permit esp any 1.1.1.1 0.0.0.15

Router(config)#access-list 100 permit ahp any 1.1.1.1 0.0.0.15

Router(config)#access-list 100 permit udp any 1.1.1.1 0.0.0.15 eq 500

Router(config)#access-list 100 permit udp any 1.1.1.1 0.0.0.15 eq 4500

!!! Everything else is dropped by the implicit deny at the end of the list

!!!And assign it to the interface to which the crypto map is bound

Router(config-if)#ip access-group 100 in

!!!


You can also set a symmetric ACL at the IPsec peer on the other side.

I hope this will help.

Have a good work!


AJN
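To see what this filter actually lets through before putting it on a live interface, here is a small evaluator for a numbered extended ACL, written as an added example for this thread (it is not the poster's code and not a Cisco tool). It parses ACL lines in the IOS syntax used above, applies the wildcard-mask and first-match/implicit-deny rules, and runs a set of constructed packets against the list. The router address 1.1.1.1/28 comes from the question; the peer address 203.0.113.10 and the other sample addresses are made up for the test.

```python
"""Evaluate a Cisco-style numbered extended ACL against sample packets.

Added example (not from the original post). Supports the forms used in
the thread: 'any', 'host A', 'A WILDCARD', and an optional 'eq PORT'
after the source or destination address.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed copy of the ACL discussed above: 'any' as source, the
# router's /28 (from the question) as destination.
ACL_TEXT = """
access-list 100 permit esp any 1.1.1.1 0.0.0.15
access-list 100 permit ahp any 1.1.1.1 0.0.0.15
access-list 100 permit udp any 1.1.1.1 0.0.0.15 eq 500
access-list 100 permit udp any 1.1.1.1 0.0.0.15 eq 4500
"""

# IOS protocol keywords and the IP protocol numbers they stand for.
# 'ip' matches any protocol.
PROTO_NUMBERS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "esp": 50, "ahp": 51}


@dataclass
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class Entry:
    action: str
    proto: Optional[int]
    src: Tuple[int, int]   # (network, mask) where mask = inverted wildcard
    dst: Tuple[int, int]
    sport: Optional[int]
    dport: Optional[int]


def _parse_addr(tokens, i):
    """Parse one address spec at tokens[i]; return ((net, mask), next_index)."""
    if tokens[i] == "any":
        return (0, 0), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0xFFFFFFFF), i + 2
    base = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    mask = ~wildcard & 0xFFFFFFFF          # wildcard bit set = "don't care"
    return (base & mask, mask), i + 2


def _parse_port(tokens, i):
    """Parse an optional 'eq N' qualifier; return (port_or_None, next_index)."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_acl(text):
    """Turn ACL lines into Entry objects, keeping their order."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue                        # blank line or comment
        action, proto = t[2], PROTO_NUMBERS[t[3]]
        src, i = _parse_addr(t, 4)
        sport, i = _parse_port(t, i)        # 'eq' right after source = source port
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)        # 'eq' after destination = destination port
        entries.append(Entry(action, proto, src, dst, sport, dport))
    return entries


def _addr_matches(addr, spec):
    net, mask = spec
    return (int(ipaddress.IPv4Address(addr)) & mask) == net


def evaluate(entries, pkt):
    """First matching entry wins; the list ends with an implicit deny."""
    for e in entries:
        if e.proto is not None and e.proto != pkt.proto:
            continue
        if not _addr_matches(pkt.src, e.src) or not _addr_matches(pkt.dst, e.dst):
            continue
        if e.sport is not None and e.sport != pkt.sport:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action
    return "deny"


def check_samples():
    """Run constructed packets through the ACL and return name -> verdict."""
    acl = parse_acl(ACL_TEXT)
    samples = {
        "esp_from_peer":     Packet(50, "203.0.113.10", "1.1.1.1"),
        "ike_from_peer":     Packet(17, "203.0.113.10", "1.1.1.1", 500, 500),
        "nat_t_from_peer":   Packet(17, "203.0.113.10", "1.1.1.1", 4500, 4500),
        "telnet_to_router":  Packet(6, "198.51.100.7", "1.1.1.1", 40000, 23),
        "ike_outside_slash28": Packet(17, "203.0.113.10", "1.1.1.20", 500, 500),
        "ping_router":       Packet(1, "203.0.113.10", "1.1.1.1"),
    }
    return {name: evaluate(acl, p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdict in check_samples().items():
        print(f"{name:22s} {verdict}")
```

Two things the run makes visible that the ACL text alone does not: 1.1.1.20 is outside 1.1.1.0/28 (wildcard 0.0.0.15 normalises 1.1.1.1 to the 1.1.1.0 network), so IKE to it is dropped; and because only IKE, ESP, AH and NAT-T are listed, ICMP to the router falls into the implicit deny, which is worth knowing before you wonder why the interface stops answering ping.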

