Hub and Spoke Access List config question

Unanswered Question
Mar 23rd, 2009

So I've got a hub and spoke config setup between three sites (Reston, DC, and NY, with DC being the middle site between the other two) currently up and operational (thanks, acomiskey). All is good to go, but I wanted to lock down some ports/services and don't have much experience with access lists.

I'm only going to be doing rsync over TCP port 873 between DC and NY (DC will be doing an RSYNC pull from NY only). I'd also like to have ICMP for troubleshooting, as well, if possible.

I also wanted to only allow SSH access and icmp *from* Reston to DC, so the only thing Reston can do is SSH and PING the DC hosts.

Right now Reston can get to NY through DC (hence the hub and spoke). I'd like for that to continue after locking down rsync between DC and NY.

Hope that's not too confusing :) Thanks in advance.


The sample configuration in the below URL shows a hub and spoke IPsec design between three routers. This configuration differs from other hub and spoke configurations because in this example, communication is enabled between the spoke sites by going through the hub. In other words, there is not a direct IPsec tunnel between the two spoke routers. All packets are sent across the tunnel to the hub router where it redistributes them out the IPsec tunnel shared with the other spoke router.


Please find the access-list you may need to configure at Reston; likewise you could make one for the other sites as well.

At Reston

access-list 100 remark SRC and DST stand for the source and destination address arguments, which are missing from the post
no access-list 100 extended permit ip SRC DST
access-list 100 line 1 extended permit tcp SRC DST eq 873 log
access-list 100 line 2 extended permit tcp SRC DST eq 22 log
access-list 100 line 3 extended permit icmp SRC DST echo log
access-list 100 line 4 extended permit icmp SRC DST echo-reply log
access-group 100 in interface inside


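The access list posted in the reply above leaves out the source and destination fields, is applied only at Reston, and has no entries for the reply half of the rsync session or for the Reston-to-NY transit the question wants to keep. As an added example (not code from this thread or from Cisco), the Python below models how two stateless inbound access lists on the DC hub router would enforce the policy the question asks for, and evaluates them against constructed sample packets. The site prefixes (10.1.0.0/24 Reston, 10.2.0.0/24 DC, 10.3.0.0/24 NY), the access-list names and the choice of the DC router as the enforcement point are assumptions. The ACL lines use IOS extended syntax, where `established` matches only TCP segments with ACK or RST set, so NY can answer DC's rsync pull from port 873 but cannot open a connection to DC itself. A stateful firewall such as an ASA tracks replies on its own and would not need the `established` entries.

```python
"""Stateless IOS-style extended ACL model for the DC hub (added example, not
code from the thread or from Cisco). Addresses and ACL names are assumptions."""
from dataclasses import dataclass
from ipaddress import IPv4Address

# Assumed site prefixes as IOS address/wildcard pairs (not from the thread).
RESTON = "10.1.0.0 0.0.0.255"
DC = "10.2.0.0 0.0.0.255"
NY = "10.3.0.0 0.0.0.255"

# Inbound on the DC router's Reston-facing interface: Reston may only SSH to
# and ping DC hosts, but keeps full transit to NY through the hub.
ACL_FROM_RESTON = f"""
permit tcp {RESTON} {DC} eq 22
permit icmp {RESTON} {DC} echo
permit ip {RESTON} {NY}
deny ip any any log
"""

# Inbound on the NY-facing interface: replies to DC's rsync pull (DC opens the
# TCP connection, so NY's segments carry source port 873 and the ACK bit),
# ICMP for troubleshooting, and the return half of the Reston<->NY transit.
ACL_FROM_NY = f"""
permit tcp {NY} eq 873 {DC} established
permit icmp {NY} {DC} echo
permit icmp {NY} {DC} echo-reply
permit ip {NY} {RESTON}
deny ip any any log
"""


@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""   # "echo" or "echo-reply"
    ack: bool = False     # TCP ACK/RST bit, which 'established' tests


def _ip(text):
    return int(IPv4Address(text))


def _parse_addr(tokens, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' plus an optional 'eq N'.
    Returns ((network, wildcard), port_or_None, next_index)."""
    if tokens[i] == "any":
        match, i = (0, 0xFFFFFFFF), i + 1
    elif tokens[i] == "host":
        match, i = (_ip(tokens[i + 1]), 0), i + 2
    else:
        match, i = (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port, i = int(tokens[i + 1]), i + 2
    return match, port, i


def parse_acl(text):
    """Parse a subset of IOS extended ACL syntax into a list of entries.
    'log' is accepted and ignored here; it never changes the match decision."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        src, sport, i = _parse_addr(t, 2)
        dst, dport, i = _parse_addr(t, i)
        opts = t[i:]
        entries.append(dict(
            action=t[0], proto=t[1], src=src, sport=sport, dst=dst, dport=dport,
            icmp_type=next((o for o in opts if o in ("echo", "echo-reply")), ""),
            established="established" in opts))
    return entries


def _in(addr, match):
    """Wildcard-mask comparison: bits set in the wildcard are 'don't care'."""
    net, wild = match
    return (_ip(addr) & ~wild & 0xFFFFFFFF) == (net & ~wild & 0xFFFFFFFF)


def evaluate(entries, pkt):
    """First matching entry wins; a real IOS ACL ends with an implicit deny."""
    for e in entries:
        if e["proto"] != "ip" and e["proto"] != pkt.proto:
            continue
        if not (_in(pkt.src, e["src"]) and _in(pkt.dst, e["dst"])):
            continue
        if e["sport"] is not None and e["sport"] != pkt.sport:
            continue
        if e["dport"] is not None and e["dport"] != pkt.dport:
            continue
        if e["icmp_type"] and e["icmp_type"] != pkt.icmp_type:
            continue
        if e["established"] and not pkt.ack:
            continue
        return e["action"]
    return "deny"


FROM_RESTON = parse_acl(ACL_FROM_RESTON)
FROM_NY = parse_acl(ACL_FROM_NY)

if __name__ == "__main__":
    # Constructed sample traffic, not captured data.
    samples = [
        ("Reston ssh -> DC", FROM_RESTON, Packet("tcp", "10.1.0.5", "10.2.0.10", 40000, 22)),
        ("Reston rsync -> DC", FROM_RESTON, Packet("tcp", "10.1.0.5", "10.2.0.10", 40000, 873)),
        ("NY reply to DC pull", FROM_NY, Packet("tcp", "10.3.0.20", "10.2.0.10", 873, 50000, ack=True)),
        ("NY SYN from port 873", FROM_NY, Packet("tcp", "10.3.0.20", "10.2.0.10", 873, 50000)),
    ]
    for label, acl, pkt in samples:
        print(f"{label:24s} {evaluate(acl, pkt)}")
```

On a real IOS hub the two lists would be bound with `ip access-group <name> in` on the Reston-facing and NY-facing interfaces respectively; nothing needs to be applied at Reston or NY for this policy, since every packet between sites crosses the hub. The explicit `deny ip any any log` at the end is there so that blocked traffic shows up in the log while you are tuning the lists.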
