access-list for cisco 1841 ipsec vpn

Sep 20th, 2007

Hi all. Below is a small portion of my Cisco 1841 config.


crypto map mapname 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set myset
 match address 120

access-list 120 permit ip 192.168.9.0 0.0.0.255 172.16.1.0 0.0.0.255 eq 80
access-list 120 deny ip 192.168.9.0 0.0.0.255 172.16.1.0 0.0.0.255


Based on the above config, I would like to know if access-list 120 can be used to restrict access to only port 80 and nothing else on the subnet 172.16.1.0, since it is used in the crypto map. I thought a crypto map is only used to determine which traffic to encrypt and not to deny/permit traffic.

mfreijser Thu, 09/20/2007 - 02:26

The crypto map access-list can indeed be used to restrict access to certain ports or networks. However, the access-list you created will not be accepted by the router and has a line that is unnecessary.


Here's the access-list that should work:

access-list 120 permit tcp 192.168.9.0 0.0.0.255 172.16.1.0 0.0.0.255 eq 80


There is an explicit deny at the bottom of each access-list, so a deny rule is in this case unnecessary. The first rule won't be accepted because you may not specify a port (eq 80) on a rule that's configured for ip traffic instead of only tcp traffic.


You are right about the fact that a crypto map access-list is not made to determine which traffic is permitted or denied. But the traffic will not be sent across the tunnel if it doesn't match the crypto access-list! You can interpret that as a deny :) So only traffic that should be able to go over the tunnel should be stated in the crypto map access-list! Object-groups are a great help for creating smaller access-lists!


Please rate if the post is useful!


Regards,


Michael

donnie Thu, 09/20/2007 - 16:35

Hi Michael,


Thank you very much for your reply. It cleared my doubt about using the crypto map in my Cisco 1841 router. However, my IPsec VPN is between a Cisco 1841 and a Cisco PIX 515E. In my Cisco PIX 515E my vendor seems to use a normal access-list, applied on the internal interface, to restrict outgoing VPN traffic, instead of using the crypto map.


Below are the crypto map commands used in my PIX:

access-list outside_cryptomap permit ip 172.16.1.0 255.255.255.0 192.168.9.0 255.255.255.0
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap


From the above commands, the access-list used for the crypto map only specifies a permit. However, the restriction of VPN traffic is actually done using the normal access-list which is applied to my internal interface. Hence my question is whether the Cisco PIX 515E can also use the crypto map access-list to restrict traffic? Thanks in advance.

mfreijser Thu, 09/20/2007 - 23:17

You have to make sure that the crypto map access-lists are exactly the same on both sides, else you could get problems establishing the tunnel.


There is actually no difference between using the crypto map access-list or the normal access-list on the inside interface. Either way, the unwanted traffic will not be passed over the VPN tunnel! It is only important that you use the same method on both sides.


Hope this information helps, please rate if it does!


Regards,


Michael
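Added example (editor's code, not posted by anyone in this thread): a small Python checker that takes the two points made in the answers above and makes them mechanical. It parses extended ACL entries in both syntaxes (IOS wildcard masks, PIX subnet masks), rejects an "ip" entry that carries "eq 80" the way the 1841 would, and then checks whether the PIX crypto ACL is the mirror image of the IOS one, which is what "exactly the same on both sides" means in practice: source and destination swapped, and the port operator moved with them. The ACL lines below are constructed from the addresses in the thread; the mirrored PIX line with "eq 80" on the source side is an assumption about how the vendor would write it, not something quoted from the PIX config.

```python
# Added example (editor's code, not from the thread): parse IOS and PIX
# crypto-map ACL entries and check that the two sides are mirror images.
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

ALL_ONES = 0xFFFFFFFF


class Ace(NamedTuple):
    """One access-control entry, normalised so IOS and PIX lines compare equal."""
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]

    def mirrored(self) -> "Ace":
        # What the peer's crypto ACL must contain: source and destination
        # (together with their port operators) swapped.
        return Ace(self.action, self.proto, self.dst, self.dport, self.src, self.sport)


def _network(addr: str, mask: str, style: str) -> ipaddress.IPv4Network:
    mask_int = int(ipaddress.IPv4Address(mask))
    if style == "ios":
        mask_int ^= ALL_ONES  # IOS ACLs use wildcard masks, PIX ACLs use subnet masks
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(mask_int)}", strict=False)


def _endpoint(tokens: List[str], style: str) -> Tuple[ipaddress.IPv4Network, Optional[int]]:
    """Consume 'any' | 'host A' | 'A MASK', then an optional 'eq PORT'."""
    head = tokens.pop(0)
    if head == "any":
        net = ipaddress.IPv4Network("0.0.0.0/0")
    elif head == "host":
        net = ipaddress.IPv4Network(tokens.pop(0) + "/32")
    else:
        net = _network(head, tokens.pop(0), style)
    port = None
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        port = int(tokens.pop(0))
    return net, port


def parse_ace(line: str, style: str) -> Ace:
    """Parse 'access-list <id> permit|deny <proto> <src> <dst>'.
    style is 'ios' (wildcard masks) or 'pix' (subnet masks).  Raises ValueError
    on syntax the device would refuse, e.g. a port operator on an 'ip' entry."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACL entry: {line!r}")
    action, proto, rest = tokens[2], tokens[3], tokens[4:]
    try:
        src, sport = _endpoint(rest, style)
        dst, dport = _endpoint(rest, style)
    except IndexError:
        raise ValueError(f"truncated entry: {line!r}") from None
    if rest:
        raise ValueError(f"trailing tokens {rest} in {line!r}")
    if (sport is not None or dport is not None) and proto not in ("tcp", "udp"):
        raise ValueError(f"'eq' needs tcp or udp, not {proto!r}: {line!r}")
    return Ace(action, proto, src, sport, dst, dport)


def accepted(line: str, style: str) -> bool:
    try:
        parse_ace(line, style)
        return True
    except ValueError:
        return False


def parse_acl(lines: List[str], style: str) -> List[Ace]:
    return [parse_ace(l, style) for l in lines if l.strip()]


def unmirrored(local: List[Ace], remote: List[Ace]) -> List[Ace]:
    """Permit entries of local that remote does not mirror.  Deny entries only
    keep traffic out of the tunnel, so they need no counterpart on the peer."""
    remote_permits = {a for a in remote if a.action == "permit"}
    return [a for a in local if a.action == "permit" and a.mirrored() not in remote_permits]


def acls_mirror(a: List[Ace], b: List[Ace]) -> bool:
    return not unmirrored(a, b) and not unmirrored(b, a)


# Constructed sample input, built from the addresses used in the thread.
IOS_CRYPTO_ACL = [
    "access-list 120 permit tcp 192.168.9.0 0.0.0.255 172.16.1.0 0.0.0.255 eq 80",
]
PIX_CRYPTO_ACL_AS_POSTED = [
    "access-list outside_cryptomap permit ip 172.16.1.0 255.255.255.0 192.168.9.0 255.255.255.0",
]
# Assumed mirror of the IOS entry: the IOS destination port becomes the PIX source port.
PIX_CRYPTO_ACL_MIRRORED = [
    "access-list outside_cryptomap permit tcp 172.16.1.0 255.255.255.0 eq 80 192.168.9.0 255.255.255.0",
]


def check_thread_configs() -> dict:
    ios = parse_acl(IOS_CRYPTO_ACL, "ios")
    return {
        "as_posted": acls_mirror(ios, parse_acl(PIX_CRYPTO_ACL_AS_POSTED, "pix")),
        "mirrored": acls_mirror(ios, parse_acl(PIX_CRYPTO_ACL_MIRRORED, "pix")),
    }


if __name__ == "__main__":
    bad = "access-list 120 permit ip 192.168.9.0 0.0.0.255 172.16.1.0 0.0.0.255 eq 80"
    print("original 'ip ... eq 80' line accepted:", accepted(bad, "ios"))
    for name, ok in check_thread_configs().items():
        print(f"PIX crypto ACL ({name}) mirrors the IOS crypto ACL: {ok}")
```

Run as-is it reports that the original "ip ... eq 80" entry is rejected, that the PIX list as posted (permit ip, both subnets) does not mirror the port-80-only IOS list, and that the constructed tcp/eq 80 PIX entry does. The checker compares protocol, subnets and port operators only; it knows nothing about which interface a list is applied to, so it cannot tell you whether the vendor's inside-interface ACL on the PIX ends up permitting the same traffic, only whether the two crypto ACLs agree.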

