stupid question: access list to restrict IPSEC VPN traffic?

Unanswered Question
Feb 12th, 2008

I've got a site-to-site IPSEC VPN tunnel working just fine between a couple of routers.

Aside from the "interesting traffic" access-list, is there any way for a 2nd access list to be applied to traffic *AFTER* it goes through the tunnel?

Or is the only proper way to restrict tunnel traffic via the "interesting access-list"?

(I only have control of one side of the tunnel, so obviously I can modify MY "interesting traffic" access list, but that only applies to outgoing traffic... I'd like to further restrict traffic incoming to my router on the tunnel without going through the bureaucracy of getting changes on the remote site's router)

pciaccio Wed, 02/13/2008 - 03:26

The access-list you already have is the Crypto ACL that is the interesting traffic that kicks off the tunnel. Once the traffic is in your router you can create an additional ACL and apply it to your LAN interface on the OUTbound side to restrict the specific traffic you do or do not want.

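The approach described in the reply above, worked through as an added example (not configuration from the original thread): a Cisco IOS crypto ACL selecting the interesting traffic, plus a second extended ACL applied outbound on the LAN interface so it only ever sees packets that have already been decrypted and are heading into the local LAN. Interface names, addresses, ACL names and the transform set are assumptions; ISAKMP policy and pre-shared key configuration are omitted.

```cisco
! Added example, not from the thread. Topology assumed:
!   local LAN  10.1.1.0/24 on FastEthernet0/0
!   remote LAN 10.2.2.0/24 behind IPsec peer 203.0.113.2
!   WAN        Serial0/0 203.0.113.1/30
!
! 1. Crypto ACL: what gets encrypted towards the peer (outbound selection only)
ip access-list extended VPN-INTERESTING
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
crypto map SITE2SITE 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set ESP-AES-SHA
 match address VPN-INTERESTING
!
interface Serial0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map SITE2SITE
!
! 2. Post-decryption filter, applied OUTBOUND on the LAN interface.
!    Only traffic sourced from the remote LAN is constrained; the final
!    "permit ip any any" leaves all other LAN-bound traffic untouched.
ip access-list extended FROM-VPN-OUT
 remark Remote site may open connections only to the web and DNS servers
 permit tcp 10.2.2.0 0.0.0.255 host 10.1.1.10 eq 443
 permit tcp 10.2.2.0 0.0.0.255 host 10.1.1.10 eq 80
 permit udp 10.2.2.0 0.0.0.255 host 10.1.1.53 eq 53
 remark Replies to TCP sessions our own LAN initiated towards the remote site
 permit tcp 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255 established
 remark Everything else from the remote LAN is dropped and logged
 deny   ip  10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255 log
 permit ip any any
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip access-group FROM-VPN-OUT out
```

Two things to check before relying on this. First, the outbound LAN ACL is stateless: without the `established` line, replies to connections that your own LAN opened towards the remote site would be dropped on their way back in, and UDP or ICMP replies still need a reflexive ACL or CBAC (`ip inspect`) rather than a plain extended ACL. Second, if the WAN interface already carries an inbound ACL, IOS evaluates that ACL against the decrypted packet as well as the ESP packet, so it must permit the clear-text remote-LAN traffic in addition to ESP and ISAKMP. `show access-lists FROM-VPN-OUT` shows per-line hit counters, which is the quickest way to confirm the filter is actually matching. The `vpn-filter` mentioned later in the thread is a PIX/ASA group-policy feature, not an IOS router command.
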
thomasdzubin Wed, 02/13/2008 - 06:38

Thanks... I'm so used to applying access lists coming IN on the WAN interface, I didn't even think of applying an OUT access-list on the LAN side.

husycisco Wed, 02/13/2008 - 08:08

Hi Thomas

Best practice for achieving what you want is applying a filter ACL.

This will prevent desired destined packets from being blocked before utilizing appliance resources (CPU) and store-and-forward switching to the outbound buffer, unlike an outbound ACL since packet.

Also, applying an outbound ACL will have an impact which will be noticeable depending on your throughput, since the appliance is going to match all outbound destined packets against the specific ACL, while a vpn-filter value will only process tunnel traffic.


