Access lists to lock down tunnel

Unanswered Question
Aug 18th, 2008

hey guys, easy stuff here.


-Router 1800 series

-LAN 10.77.77.0/24

-Public IP 69.69.69.4


-Remote router 800 series

-Remote Office LAN 10.66.66.0/24

-Remote Office Public IP 60.60.60.5


Currently, there is a L2L tunnel using IPSec between the 2 networks and those inside LANs can communicate with each other without any problems.


The requirement now is to lock this tunnel down to allow only the following:


-Remote Office LAN (10.66.66.0/24) hosts should not access the internet. In fact, there are only 3 hosts (10.66.66.200, .201 and .202), and these 3 hosts should only be allowed access to 10.77.77.20 and to 10.77.77.21 on port tcp 9399, and nothing else.


How will this be accomplished?



Thanks in advance


Marwan ALshawi Mon, 08/18/2008 - 06:51

access-list 100 permit tcp host 10.66.66.200 host 10.77.77.20 eq 9399

access-list 100 permit tcp host 10.66.66.200 host 10.77.77.21 eq 9399


and repeat the same ACL entries for the other clients, .201 and .202


then apply it on the outside interface in the inbound direction


like

interface [port]

ip access-group 100 in


If you wonder where the deny is:

at the end of each ACL there is a deny, called the implicit deny,


so everything not permitted in the above ACL will be denied.


If you want an explicit deny, just add the following line after you finish all the entries:


access-list 100 deny ip any any


good luck


Please rate if helpful.

insccisco Mon, 08/18/2008 - 09:53

This is what confuses me. If the traffic is originating from the inside LAN (and this is exactly the traffic we want to deny to anything except those hosts), why would we apply the access list to the outside interface?


And to confuse me even more, why would we tell the outside interface that the access-list is applied in the IN direction? I thought traffic coming from the outside world and destined to our outside interface would be considered the IN direction.



Marwan ALshawi Mon, 08/18/2008 - 16:19

Oh, sorry mate, I thought this traffic was coming to you through the VPN.


OK.

If you want only the above traffic to go through the VPN:


Make the ACLs I mentioned above,

then


in the crypto map config include it as the interesting traffic with the command


match address 100


This way only the traffic allowed in the ACL will bring up the VPN tunnel.


For the internet:

the same ACL, which allows only those hosts to access the servers on the specified port,

apply it on the remote router's inside interface in the inbound direction.

In other words,

all the above config goes on the remote site (close to the hosts you want to restrict).


Do ACL 100 as I mentioned above, finish all its entries, and apply it both as the VPN interesting traffic and inbound on the inside interface of the remote router.

Hope this time it is helpful :) Sorry about the misunderstanding.


Please rate if helpful.


If you need any more details, just post them here.


good luck
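Added worked example (not from the thread): the complete configuration the answer above describes, for both ends of the tunnel. The addresses, the three hosts, the two servers and tcp/9399 are the ones from the question. The interface names (Vlan1 and FastEthernet4 on the 800, FastEthernet0/0 on the 1800), the public-side masks, the crypto map name VPNMAP, the transform-set name TS and ACL number 101 on the central router are assumptions; keep the names already in your running config. The ISAKMP policy and pre-shared key of the existing tunnel are not shown because they do not change.

```cisco
! Added example, not the thread's own config. Assumed names: Vlan1 / FastEthernet4
! (remote 800), FastEthernet0/0 (central 1800), crypto map VPNMAP, transform-set TS,
! ACL 101 on the 1800. Replace them with the names in your running config.

!===== Remote 800-series router (LAN 10.66.66.0/24, public 60.60.60.5) =====
! ACL 100: the three hosts to the two servers on tcp/9399, nothing else.
! It is used twice: as the crypto ACL (interesting traffic) and as the LAN-side filter.
access-list 100 remark hosts .200-.202 -> 10.77.77.20/.21 tcp 9399 only
access-list 100 permit tcp host 10.66.66.200 host 10.77.77.20 eq 9399
access-list 100 permit tcp host 10.66.66.200 host 10.77.77.21 eq 9399
access-list 100 permit tcp host 10.66.66.201 host 10.77.77.20 eq 9399
access-list 100 permit tcp host 10.66.66.201 host 10.77.77.21 eq 9399
access-list 100 permit tcp host 10.66.66.202 host 10.77.77.20 eq 9399
access-list 100 permit tcp host 10.66.66.202 host 10.77.77.21 eq 9399
! Explicit deny with "log": blocked attempts appear in the log and in the hit counters.
access-list 100 deny   ip any any log
!
! Use 1: interesting traffic, so only these six flows bring up or ride the tunnel.
crypto map VPNMAP 10 ipsec-isakmp
 set peer 69.69.69.4
 set transform-set TS
 match address 100
!
! Use 2: inbound filter on the LAN interface. Packets from the hosts ENTER the router
! here, so "in" on this interface means "from the LAN". Everything else from the LAN,
! internet traffic included, is dropped before routing or NAT sees it.
interface Vlan1
 ip address 10.66.66.1 255.255.255.0
 ip access-group 100 in
!
interface FastEthernet4
 ip address 60.60.60.5 255.255.255.252
 crypto map VPNMAP

!===== Central 1800-series router (LAN 10.77.77.0/24, public 69.69.69.4) =====
! The crypto ACL on this side must be the mirror image of ACL 100 (source and
! destination swapped, the port now on the local server side). If it stays at the old
! subnet-to-subnet entry, the proxy identities differ and IPsec SA negotiation fails.
access-list 101 remark mirror of remote ACL 100
access-list 101 permit tcp host 10.77.77.20 eq 9399 host 10.66.66.200
access-list 101 permit tcp host 10.77.77.21 eq 9399 host 10.66.66.200
access-list 101 permit tcp host 10.77.77.20 eq 9399 host 10.66.66.201
access-list 101 permit tcp host 10.77.77.21 eq 9399 host 10.66.66.201
access-list 101 permit tcp host 10.77.77.20 eq 9399 host 10.66.66.202
access-list 101 permit tcp host 10.77.77.21 eq 9399 host 10.66.66.202
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 60.60.60.5
 set transform-set TS
 match address 101
!
interface FastEthernet0/0
 ip address 69.69.69.4 255.255.255.252
 crypto map VPNMAP
```

Two checks and two caveats. Verify with `show access-lists 100` on the 800 (the permit lines should count hits while the deny line counts the blocked attempts) and with `show crypto ipsec sa` on either side (the local ident / remote ident lines should show the host/port pairs, not the old /24 subnets). The interface ACL is stateless, but nothing extra is needed for the servers' replies: they come back through the tunnel on FastEthernet4 and are never evaluated by the inbound list on Vlan1. If the three hosts also need DNS, DHCP or NTP from anywhere, add specific permits for those above the deny line; the ACL as written gives them nothing but the two servers on tcp/9399, and gives the rest of 10.66.66.0/24 nothing at all. Logging every denied packet on a small 800-series router can cost CPU; drop the `log` keyword once the setup is confirmed.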
