Access List needed only to allow Site-to-Site tunnel

Unanswered Question
May 14th, 2009

Hi guys,

I need to lock down the outside interface on an 871 router which currently has an L2L tunnel with a remote router. I need to apply an ACL to the outside interface of this 871 and to allow ONLY the remote router to communicate with my 871 for the purpose of the tunnel. Everything else will be blocked.

Can you tell me what are the exact protocols and port numbers that I need to allow?

It is an IPsec tunnel embedded in a GRE tunnel. The IP address of the remote router is 60.60.60.25

thanks

Collin Clark Fri, 05/15/2009 - 07:00

GRE packets are encapsulated within IP and use IP protocol type 47.

access-list 187 permit gre host 60.60.60.25 host (871 public IP)

Hope that helps.

insccisco Mon, 05/18/2009 - 05:40

Will this be the only thing I'd need? I have a customer that has the following access-lists applied to the outside interface:

access-list 120 permit gre host 68.68.18.3 host 10.0.0.30
access-list 120 permit udp host 68.68.18.3 host 10.0.0.30 eq isakmp
access-list 120 permit esp host 68.68.18.3 host 10.0.0.30
access-list 120 permit udp host 68.68.18.3 host 10.0.0.30 eq non500-isakmp

I always see hits on the access lists "eq isakmp" and "eq non500-isakmp"...

So wouldn't this mean that I will need these access lists as well?

Collin Clark Tue, 05/19/2009 - 05:18

If you had a GRE tunnel and encrypting the packets inside of it, no. Sounds like you're not doing that though and will need isakmp and esp opened up.

insccisco Thu, 05/21/2009 - 08:38

I see. Then why is it that I see a lot of hits on the other access lists?

That was also my understanding that on a GRE tunnel, the GRE thing happens first and all traffic is encrypted, thus no need to allow/open anything else except the GRE stuff on the outside access list

Collin Clark Thu, 05/21/2009 - 10:28

You are correct, that's why I'm thinking that maybe the GRE is running inside an IPSec tunnel. Can you post a config?

srue Thu, 05/21/2009 - 10:37

are you asking for the crypto ACL or the interface ACL?

insccisco Thu, 05/21/2009 - 13:19

here's the config. How do you tell which one is happening first?

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 6 DZY`gTaKIA^EKE[PYKghPS^QaOaDRHWO_AAB address 66.66.66.3 no-xauth
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map mymap 20 ipsec-isakmp
 set peer 66.66.66.3
 set transform-set myset
 match address gre_tunnel

interface Tunnel1
 ip address 10.10.10.2 255.255.255.0
 ip mtu 1400
 tunnel source 10.0.0.30
 tunnel destination 66.66.66.3
 tunnel mode ipip

interface FastEthernet4
 ip address 10.0.0.30 255.255.255.0
 ip access-group 120 in
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map mymap

interface Vlan2
 ip address 10.200.10.1 255.255.255.0

router eigrp 1
 passive-interface Vlan2
 network 10.10.10.0 0.0.0.255
 network 10.200.10.0 0.0.0.255
 no auto-summary

ip access-list extended gre_tunnel
 permit ip host 10.0.0.30 host 66.66.66.3

Collin Clark Thu, 05/21/2009 - 13:41

Where is your GRE ACL?

Should look something like this-

access-list 120 permit gre host 69.222.73.5 host 69.222.73.6

Also, the tunnel source is a private IP and the tunnel destination is a public IP. Shouldn't it be public-to-public? Does a show interface Tunnel1 show traffic passing? I assume that a show crypto isa sa shows a connection?

insccisco Thu, 05/21/2009 - 13:47

The tunnel source being a private IP is no problem. Actually that was done by Cisco TAC; I guess the public one was not working...

Well, based on the config I sent, what is happening first? Is GRE inside IPsec or vice versa?

insccisco Fri, 05/22/2009 - 06:00

Hey, once again, based on the config I sent, is GRE running inside an IPSec tunnel or is IPSec running inside GRE?
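The three questions in this thread (which protocols the outside ACL actually sees, why the isakmp and esp lines get hits while the gre line does not, and which encapsulation is outermost) all come down to where the crypto map is applied. In the config posted above the crypto map sits on FastEthernet4, the interface the tunnel is sourced from, and the crypto ACL gre_tunnel matches the tunnel source/destination pair, so every tunnel packet (IP-in-IP here, since Tunnel1 is in `tunnel mode ipip`, not GRE) becomes ESP payload: the tunnel rides inside IPsec, and what arrives on the outside interface is ESP plus IKE on UDP/500 (UDP/4500 as well when a NAT sits between the peers). The model below is an added example, not code from any poster or from Cisco IOS: the packets, the LAN flow and the 871's address 203.0.113.1 are constructed, the access list is the one quoted earlier with the peer set to the crypto-map peer 66.66.66.3 from the posted config, and the ACE parser understands only the `permit <proto> host A host B [eq port]` form used in the thread.

```python
"""Which outer-header protocols reach the outside-interface ACL for each way of
stacking a tunnel with IPsec, which ACL lines they hit, and the minimal ACL.
Added example for this thread, not code from the posters or from Cisco IOS;
packets are constructed and the ACE parser covers only the ACL form quoted here."""
import re
from dataclasses import dataclass
from typing import Optional

GRE, IPIP, ESP, UDP = 47, 4, 50, 17            # IANA IP protocol numbers
ISAKMP, NON500_ISAKMP = 500, 4500              # IKE; IKE and ESP via NAT-T
PROTO_KW = {"gre": GRE, "esp": ESP, "udp": UDP, "ipinip": IPIP, "ip": None}
PORT_KW = {"isakmp": ISAKMP, "non500-isakmp": NON500_ISAKMP}
ACE_RE = re.compile(r"(?:access-list \d+ )?permit (\S+) host (\S+) host (\S+)(?: eq (\S+))?")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None
    inner: Optional["Packet"] = None           # encapsulated payload, if any


def on_the_wire(local, peer, tunnel_proto, crypto_on_tunnel, nat_t=False):
    """Packets from `peer` as the inbound ACL on `local`'s outside interface sees them."""
    payload = Packet("10.200.10.9", "192.0.2.10", 6)    # constructed LAN flow
    if crypto_on_tunnel:
        # Crypto map on the Tunnel interface: ESP and IKE run between the tunnel
        # addresses and ride inside the tunnel, so only the tunnel protocol is outside.
        esp = Packet("10.10.10.1", "10.10.10.2", ESP, inner=payload)
        ike = Packet("10.10.10.1", "10.10.10.2", UDP, ISAKMP)
        return [Packet(peer, local, tunnel_proto, inner=esp),
                Packet(peer, local, tunnel_proto, inner=ike)]
    # Crypto map on the physical interface, crypto ACL covering the tunnel endpoints:
    # the whole tunnel packet is the ESP payload and IKE travels in the clear.
    tun = Packet(peer, local, tunnel_proto, inner=payload)
    pkts = [Packet(peer, local, UDP, ISAKMP)]
    if nat_t:   # NAT detected: IKE moves to UDP/4500 and ESP is UDP-encapsulated
        pkts += [Packet(peer, local, UDP, NON500_ISAKMP),
                 Packet(peer, local, UDP, NON500_ISAKMP, inner=tun)]
    else:
        pkts.append(Packet(peer, local, ESP, inner=tun))
    return pkts


def parse_ace(line):
    """-> (proto number, or None for 'ip'; src; dst; dport or None)."""
    m = ACE_RE.fullmatch(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE: {line!r}")
    proto, src, dst, port = m.groups()
    return PROTO_KW[proto], src, dst, (PORT_KW[port] if port else None)


def acl_hits(acl_lines, packets):
    """First-match evaluation; returns ({ace: hits}, number implicitly denied)."""
    aces = [(l.strip(), parse_ace(l)) for l in acl_lines]
    hits, denied = {text: 0 for text, _ in aces}, 0
    for p in packets:
        for text, (proto, src, dst, port) in aces:
            if ((proto is None or proto == p.proto) and (src, dst) == (p.src, p.dst)
                    and (port is None or port == p.dport)):
                hits[text] += 1
                break
        else:
            denied += 1
    return hits, denied


def minimal_acl(local, peer, tunnel_proto, crypto_on_tunnel, nat_t=False):
    """One permit per distinct outer header: the lines the tunnel actually needs."""
    names = {v: k for k, v in PROTO_KW.items() if v is not None}
    ports = {v: k for k, v in PORT_KW.items()}
    aces = []
    for p in on_the_wire(local, peer, tunnel_proto, crypto_on_tunnel, nat_t):
        ace = f"permit {names[p.proto]} host {peer} host {local}"
        ace += f" eq {ports[p.dport]}" if p.dport else ""
        if ace not in aces:
            aces.append(ace)
    return aces


# Access list 120 from the earlier post, peer set to the crypto-map peer in the config.
ACL_120 = ["access-list 120 permit gre host 66.66.66.3 host 10.0.0.30",
           "access-list 120 permit udp host 66.66.66.3 host 10.0.0.30 eq isakmp",
           "access-list 120 permit esp host 66.66.66.3 host 10.0.0.30",
           "access-list 120 permit udp host 66.66.66.3 host 10.0.0.30 eq non500-isakmp"]


def posted_config_hits(nat_t=False):
    """Posted config: crypto map on FastEthernet4, Tunnel1 in `tunnel mode ipip`."""
    return acl_hits(ACL_120, on_the_wire("10.0.0.30", "66.66.66.3", IPIP, False, nat_t))


if __name__ == "__main__":
    print(posted_config_hits())     # only the isakmp and esp lines get hits
    # The 871 in the original question: GRE over IPsec; the 871's address is assumed.
    print(minimal_acl("203.0.113.1", "60.60.60.25", GRE, crypto_on_tunnel=False))
```

Run stand-alone, it prints the hit counts for the posted access list (only the isakmp and esp lines fire, which is the pattern reported earlier in the thread) and the two-line ACL the 871 in the original question needs for GRE over IPsec: UDP/500 and ESP from 60.60.60.25, plus UDP/4500 if there is NAT in the path. Two caveats for practitioners: a tunnel whose crypto map is on the Tunnel interface instead needs only the tunnel protocol permitted (the crypto_on_tunnel=True branch), and older IOS releases also ran the decrypted packet through the inbound interface ACL (the crypto access check on clear-text packets, removed in 12.3(8)T), which is why configs of that era often carry a permit gre line alongside the esp and isakmp lines.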
