Access lists to lock down tunnel

Aug 18th, 2008
hey guys, easy stuff here.

-Router 1800 series


-Public IP

-Remote router 800 series

-Remote Office LAN

-Remote Office Public IP

Currently, there is a L2L tunnel using IPSec between the 2 networks and those inside LANs can communicate with each other without any problems.

The requirement now is to lock this tunnel down to allow only the following:

-Remote Office LAN ( hosts should not access the internet. In fact, there are only 3 hosts (.201 and .202) and these 3 hosts should only be allowed access to and to on port tcp 9399, and nothing else.

How will this be accomplished?

Thanks in advance

Marwan ALshawi Mon, 08/18/2008 - 06:51

access-list 100 permit tcp host host eq 3999

access-list 100 permit tcp host host eq 3999

and repeat the same ACL entries for the other three clients, 201 and 202

then apply it on the outside interface in the inbound direction


interface [port]

ip access-group 100 in

if you wonder where the deny is:

after each ACL there is, at the end, a deny called the implicit deny

so everything not permitted in the above ACL will be denied

if you want to make an explicit deny, just add the following line after you finish all the entries

access-list 100 deny ip any any

good luck

please, if helpful Rate

insccisco Mon, 08/18/2008 - 09:53

This is what confuses me. If the traffic is originating from the inside LAN (and this is exactly the traffic we want to deny to anything except those hosts), why would we apply the access list to the Outside interface?

And to confuse me even more, why would we tell the outside interface that the access-list is applied in the IN direction?? I thought the traffic coming from the outside world and destined to our Outside Interface would be considered the IN direction.

Marwan ALshawi Mon, 08/18/2008 - 16:19

ohh sorry mate, I thought this traffic was coming to you through the VPN


if you want only the above traffic to go through the VPN

make the ACLs I have mentioned above


in the crypto map config, include it in the interesting traffic with the command

match address 100

this way only the traffic allowed in the ACL will bring up the VPN tunnel

for internet:

the same ACL, which allows only the hosts to access the servers on the specified port,

apply it on the remote router's inside interface in the inbound direction

in other words

all the above config is on the remote site (close to the hosts you want to restrict)

do ACL 100 as I mentioned above, finish all its entries, apply it for the VPN interesting traffic and inbound on the inside interface of the remote router

hope this time it is helpful :) sorry about the misunderstanding

please, if helpful Rate

if you need any more details, just post them here

good luck
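The design described in the reply above, written out as one complete configuration for the remote 800-series router. This is an added example, not config posted in the thread: all addresses, the interface names (Vlan1 / FastEthernet4), the transform set and the crypto map name are constructed placeholders; the only value taken from the question is tcp/9399. ACL 100 does double duty, as the crypto "interesting traffic" list and as the inbound filter on the LAN interface, so everything the two hosts send that is not one of the permitted flows (internet-bound traffic included) is dropped before it reaches the crypto map.

```cisco
! Constructed placeholders (RFC 5737 ranges), not real addresses:
!   Remote office LAN   : 192.0.2.0/24   (hosts .201 and .202)
!   Head-office servers : 198.51.100.10 and 198.51.100.11
!   Head-office VPN peer: 203.0.113.1

! ACL 100: crypto interesting traffic AND LAN inbound filter
access-list 100 remark restricted hosts -> HQ servers, tcp/9399 only
access-list 100 permit tcp host 192.0.2.201 host 198.51.100.10 eq 9399
access-list 100 permit tcp host 192.0.2.201 host 198.51.100.11 eq 9399
access-list 100 permit tcp host 192.0.2.202 host 198.51.100.10 eq 9399
access-list 100 permit tcp host 192.0.2.202 host 198.51.100.11 eq 9399
! Explicit deny (the implicit deny would behave the same); makes the
! drops visible as hit counts in "show access-lists 100"
access-list 100 deny ip any any

! Phase 2 policy; phase 1 (isakmp policy / pre-shared key) omitted
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address 100

! Outside (WAN) interface: the tunnel terminates here
interface FastEthernet4
 ip address 203.0.113.2 255.255.255.252
 crypto map VPNMAP

! Inside (LAN) interface: "in" = packets entering the router from
! the LAN hosts, which is the direction the restriction applies to
interface Vlan1
 ip address 192.0.2.1 255.255.255.0
 ip access-group 100 in
```

To confirm the lock-down, watch the counters on `show access-lists 100` while a host tries something other than tcp/9399 (the deny line should increment) and check `show crypto ipsec sa` to see that only the permitted flow brings up a security association.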

