Access lists to lock down tunnel

insccisco
Level 1

hey guys, easy stuff here.

-Router 1800 series

-LAN 10.77.77.0/24

-Public IP 69.69.69.4

-Remote router 800 series

-Remote Office LAN 10.66.66.0/24

-Remote Office Public IP 60.60.60.5

Currently, there is a L2L tunnel using IPSec between the 2 networks and those inside LANs can communicate with each other without any problems.

The requirement now is to lock this tunnel down to allow only the following:

-Remote Office LAN (10.66.66.0/24) hosts should not access the internet. In fact, there are only 3 hosts (10.66.66.200, .201 and .202) and these 3 hosts should only be allowed access to 10.77.77.20 and to 10.77.77.21 on port tcp 9399, and nothing else.

How will this be accomplished?

Thanks in advance

3 Replies

Marwan ALshawi
VIP Alumni

access-list 100 permit tcp host 10.66.66.200 host 10.77.77.20 eq 9399

access-list 100 permit tcp host 10.66.66.200 host 10.77.77.21 eq 9399

and repeat the same ACL entries for the other two clients, .201 and .202

then apply it on the outside interface in the inbound direction

like

interface [port]

ip access-group 100 in

If you wonder where the deny is:

at the end of every ACL there is an implicit deny

so everything not permitted in the above ACL will be denied

If you want an explicit deny, just add the following line after you finish all the entries

access-list 100 deny ip any any

good luck

please, if helpful Rate

This is what confuses me. If the traffic is originating from the inside LAN (and this is exactly the traffic we want to deny to anything except to those hosts), why will we apply the access list to the Outside interface?

And to confuse me even more, why would we tell the outside interface that the access-list is applied in the IN direction?? I thought the traffic coming from the outside world and destined to our Outside Interface would be considered the IN direction.

Oh, sorry mate, I thought this traffic was coming to you through the VPN

ok

If you want only the above traffic to go through the VPN

make the ACLs I mentioned above

then

in the crypto map config, include it as the interesting traffic with the command

match address 100

this way only the traffic allowed in the ACL will bring up the VPN tunnel

for internet

the same ACL, which allows only those hosts to access the servers on the specified port,

apply it on the remote router's inside interface in the inbound direction

in other words

all the above config goes on the remote site (close to the hosts you want to restrict)

do ACL 100 as I mentioned above, finish all its entries, apply it for the VPN interesting traffic and inbound on the inside interface of the remote router

Hope it is helpful this time :) sorry about the misunderstanding

please, if helpful Rate

If you need any more details, just post them here

good luck
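Putting both replies together, here is what the remote 800-series router would end up with. This is an added example written for this page, not config posted in the thread; it uses the thread's addresses and port (tcp/9399) but the interface names (Vlan1 for the LAN, FastEthernet4 for the WAN), the crypto map name VPNMAP, the transform-set name ESP-AES-SHA and the LAN gateway address 10.66.66.1 are assumptions, and the existing ISAKMP policy and transform-set definition are left as they already are. The direction question in the thread is answered by how IOS defines it: "in" means packets entering the router through that interface, so an inbound ACL on the LAN-facing interface sees exactly the traffic the three hosts send, before any NAT or routing decision.

```cisco
! Added example (not from the original thread). Remote 800-series router.
! Interface names, VPNMAP and ESP-AES-SHA are assumed names; adjust to match
! the existing tunnel config.
!
! One ACL does both jobs: it is the IPsec "interesting traffic" selector and
! the packet filter for the LAN. Only the three hosts, only the two servers,
! only tcp/9399.
access-list 100 permit tcp host 10.66.66.200 host 10.77.77.20 eq 9399
access-list 100 permit tcp host 10.66.66.200 host 10.77.77.21 eq 9399
access-list 100 permit tcp host 10.66.66.201 host 10.77.77.20 eq 9399
access-list 100 permit tcp host 10.66.66.201 host 10.77.77.21 eq 9399
access-list 100 permit tcp host 10.66.66.202 host 10.77.77.20 eq 9399
access-list 100 permit tcp host 10.66.66.202 host 10.77.77.21 eq 9399
! Implicit deny would do the same; the explicit line with "log" makes
! blocked attempts (e.g. internet-bound traffic) visible in syslog.
access-list 100 deny ip any any log
!
! Job 1: the crypto map uses ACL 100 to decide what goes through the tunnel.
crypto map VPNMAP 10 ipsec-isakmp
 set peer 69.69.69.4
 set transform-set ESP-AES-SHA
 match address 100
!
! Job 2: the same ACL applied inbound on the LAN interface. "in" = packets
! arriving at the router from the LAN, so anything the hosts send that is not
! tcp/9399 to 10.77.77.20/.21 is dropped here and never reaches NAT or the WAN.
interface Vlan1
 description Remote Office LAN 10.66.66.0/24 (gateway address assumed)
 ip address 10.66.66.1 255.255.255.0
 ip access-group 100 in
!
interface FastEthernet4
 description WAN 60.60.60.5 (mask assumed)
 ip address 60.60.60.5 255.255.255.0
 crypto map VPNMAP
```

Two checks before calling it done. First, the 1800 at the main site must carry the mirror image of this ACL in its own crypto map (source host 10.77.77.20 or .21 eq 9399, destination the three hosts); if the two sides' interesting-traffic ACLs are not symmetric, IKE phase 2 fails and the tunnel will not come up for these flows. Second, verify from a restricted host: a connection to 10.77.77.20:9399 should succeed and increment the matching permit line in `show access-lists 100`, while a browser request to the internet should fail and increment the deny line; `show crypto ipsec sa` on the 800 should show only the 9399 flows as active SAs.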
