ACL question

Ahmede
Level 1

I have a router with an interface facing the internet. I want to use this router to set up LAN-to-LAN IPsec VPNs. I want to implement an ACL on that interface to protect my router and network. I want to allow only VPN traffic. What should the access list look like (assuming I'm using the IP address 1.1.1.1/28 on my router interface)?

Thanks in advance..


abdel_n
Level 1

Hi Ahmed,

When filtering at the edge, there is not too much to see:

IKE protocol --> udp 500

IPSec protocols:

ESP protocol --> ip protocol 50

AH protocol ---> ip protocol 51

For NAT transparency:

udp 4500 or tcp (port number has to be configured)

So the access-list looks like:

!!! Extended ACL 100: permit only IKE and IPsec; everything else falls to the implicit deny at the end
!!! (an extended ACL needs a destination after the source, so "any" is added to each entry)
Router(config)#access-list 100 permit esp 1.1.1.1 0.0.0.15 any
Router(config)#access-list 100 permit ahp 1.1.1.1 0.0.0.15 any
Router(config)#access-list 100 permit udp 1.1.1.1 0.0.0.15 eq 500 any
Router(config)#access-list 100 permit udp 1.1.1.1 0.0.0.15 eq 4500 any
!!! And assign it to the interface to which the crypto map is bound
Router(config-if)#ip access-group 100 in

You can also set a symmetric ACL at the IPsec peer on the other side.

I hope this will help.

Have a good work!

AJN
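To check what the ACL in the reply above actually lets through, here is a small evaluator of Cisco extended-ACL semantics (wildcard masks, first match wins, implicit deny) run over constructed packets. This is an added example, not code from the thread or from Cisco; it assumes "any" as the destination of each entry, since the posted lines omit it, and 203.0.113.7 is a made-up remote peer address.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IP protocol numbers for the protocols named in the reply.
PROTO = {"esp": 50, "ahp": 51, "udp": 17, "tcp": 6}

@dataclass
class Ace:
    """One entry of a Cisco extended ACL: action proto src [eq sport] dst [eq dport]."""
    action: str            # "permit" or "deny"
    proto: int
    src: str               # "address wildcard" (e.g. "1.1.1.1 0.0.0.15") or "any"
    dst: str
    sport: Optional[int] = None   # "eq N" written after the source address
    dport: Optional[int] = None   # "eq N" written after the destination address

def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the mask means 'don't care'."""
    if spec == "any":
        return True
    base, wild = spec.split()
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return (a ^ b) & care == 0

def ace_matches(ace: Ace, pkt: dict) -> bool:
    if ace.proto != pkt["proto"]:
        return False
    if not (wildcard_match(pkt["src"], ace.src) and wildcard_match(pkt["dst"], ace.dst)):
        return False
    if ace.sport is not None and pkt.get("sport") != ace.sport:
        return False
    return ace.dport is None or pkt.get("dport") == ace.dport

def evaluate(acl: list, pkt: dict) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"

# The reply's access-list 100, with "any" assumed as destination (the posted lines omit it).
ACL_100 = [
    Ace("permit", PROTO["esp"], "1.1.1.1 0.0.0.15", "any"),
    Ace("permit", PROTO["ahp"], "1.1.1.1 0.0.0.15", "any"),
    Ace("permit", PROTO["udp"], "1.1.1.1 0.0.0.15", "any", sport=500),
    Ace("permit", PROTO["udp"], "1.1.1.1 0.0.0.15", "any", sport=4500),
]
```

Note that "eq 500" placed right after the source address matches the source port, not the destination port; ESP and AH carry no ports, so only protocol and addresses are checked for them.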