05-14-2009 03:07 PM - edited 03-11-2019 08:32 AM
Hi guys,
I need to lock down the outside interface on an 871 router which is currently having a L2L tunnel with a remote router. I need to apply an ACL to the outside interface of this 871 and to allow ONLY the remote router to communicate with my 871 for the purpose of the tunnel. Everything else will be blocked.
Can you tell me what are the exact protocols and port numbers that I need to allow?
It is an IPsec tunnel embedded on a GRE tunnel. The IP address of the remote router is 60.60.60.25
thanks
05-15-2009 07:00 AM
GRE packets are encapsulated within IP and use IP protocol type 47.
access-list 187 permit gre host 60.60.60.25 host (871 public IP)
Hope that helps.
05-18-2009 05:40 AM
Will this be the only thing I'd need? I have a customer that has the following access-lists applied to the outside interface:
access-list 120 permit gre host 68.68.18.3 host 10.0.0.30
access-list 120 permit udp host 68.68.18.3 host 10.0.0.30 eq isakmp
access-list 120 permit esp host 68.68.18.3 host 10.0.0.30
access-list 120 permit udp host 68.68.18.3 host 10.0.0.30 eq non500-isakmp
I always see hits on the access lists "eq isakmp" and "eq non500-isakmp"...
So wouldn't this mean that I will need these access lists as well?
05-19-2009 05:18 AM
If you had a GRE tunnel and were encrypting the packets inside of it, no. Sounds like you're not doing that though, and you will need isakmp and esp opened up.
05-21-2009 08:38 AM
I see. Then why is it that I see a lot of hits on the other access lists?
That was also my understanding: on a GRE tunnel, the GRE thing happens first and all traffic is encrypted, thus no need to allow/open anything else except the GRE stuff on the outside access list.
05-21-2009 10:28 AM
You are correct, that's why I'm thinking that maybe the GRE is running inside an IPSec tunnel. Can you post a config?
05-21-2009 10:37 AM
Are you asking for the crypto ACL or the interface ACL?
05-21-2009 01:19 PM
Here's the config. How do you tell which one is happening first?
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 6 DZY`gTaKIA^EKE[PYKghPS^QaOaDRHWO_AAB address 66.66.66.3 no-xauth
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
! crypto map: the crypto ACL gre_tunnel selects what gets encrypted
crypto map mymap 20 ipsec-isakmp
 set peer 66.66.66.3
 set transform-set myset
 match address gre_tunnel
!
interface Tunnel1
 ip address 10.10.10.2 255.255.255.0
 ip mtu 1400
 tunnel source 10.0.0.30
 tunnel destination 66.66.66.3
 tunnel mode ipip
!
! outside interface: inbound ACL 120 and the crypto map are both applied here
interface FastEthernet4
 ip address 10.0.0.30 255.255.255.0
 ip access-group 120 in
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map mymap
!
interface Vlan2
 ip address 10.200.10.1 255.255.255.0
!
router eigrp 1
 passive-interface Vlan2
 network 10.10.10.0 0.0.0.255
 network 10.200.10.0 0.0.0.255
 no auto-summary
!
! crypto ACL: matches the tunnel endpoints (tunnel source to tunnel destination)
ip access-list extended gre_tunnel
 permit ip host 10.0.0.30 host 66.66.66.3
05-21-2009 01:41 PM
Where is your GRE ACL?
Should look something like this:
access-list 120 permit gre host 69.222.73.5 host 69.222.73.6
Also, the tunnel source is a private IP and the tunnel destination is a public IP. Shouldn't it be public-to-public? Does a show interface Tunnel1 show traffic passing? I assume that a show crypto isa sa shows a connection?
05-21-2009 01:47 PM
The tunnel source being a private IP is no problem. Actually, that was done by Cisco TAC; I guess the public one was not working...
Well, based on the config I sent, what is happening first? Is GRE inside IPsec or vice versa?
05-22-2009 06:00 AM
Hey, once again, based on the config I sent, is GRE running inside an IPSec tunnel or is IPSec running inside GRE?
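The encapsulation order can be read off the config: if the crypto ACL referenced by the crypto map matches the tunnel source and destination, the tunnel packets themselves are what gets encrypted, so the tunnel rides inside IPsec and the outside interface sees only ISAKMP, ESP and NAT-T traffic. The following is an added example, not code from the thread, that parses a constructed fragment modelled on the posted config (note its `tunnel mode ipip`, for which the ACL keyword is `ipinip`) and builds the inbound ACL entries from the answers above; it assumes the tunnel source is also the address of the interface carrying the crypto map.

```python
import re

# Constructed config fragment modelled on the one posted in this thread (not the
# poster's complete config); the addresses are the thread's own sample values.
SAMPLE_CONFIG = """
crypto map mymap 20 ipsec-isakmp
 set peer 66.66.66.3
 match address gre_tunnel
interface Tunnel1
 tunnel source 10.0.0.30
 tunnel destination 66.66.66.3
 tunnel mode ipip
ip access-list extended gre_tunnel
 permit ip host 10.0.0.30 host 66.66.66.3
"""

TUNNEL_PROTO = {"gre": "gre", "ipip": "ipinip"}  # IOS ACL keyword per tunnel mode

def parse(config):
    """Extract the fields that decide which encapsulation happens first."""
    def first(pattern):
        m = re.search(pattern, config, re.M)
        return m.group(1) if m else None
    name = first(r"^\s*match address (\S+)")
    body = first(r"^ip access-list extended %s\n((?:[ \t].*\n?)+)" % re.escape(name))
    return {
        "src": first(r"^\s*tunnel source (\S+)"),
        "dst": first(r"^\s*tunnel destination (\S+)"),
        "proto": TUNNEL_PROTO.get(first(r"^\s*tunnel mode (\S+)") or "gre", "gre"),
        "peer": first(r"^\s*set peer (\S+)"),
        "crypto_acl": body or "",
    }

def order(cfg):
    """Crypto ACL on the tunnel endpoints => the tunnel packets get encrypted."""
    endpoints = f"host {cfg['src']} host {cfg['dst']}"
    return "tunnel-inside-ipsec" if endpoints in cfg["crypto_acl"] else "ipsec-inside-tunnel"

def outside_acl(cfg, number=120):
    """Inbound entries for the outside interface (tunnel source = crypto-map interface)."""
    lines = []
    if order(cfg) == "tunnel-inside-ipsec":
        # On the wire: IKE, ESP and NAT-T encapsulated ESP from the IPsec peer.
        for proto, port in (("udp", " eq isakmp"), ("esp", ""), ("udp", " eq non500-isakmp")):
            lines.append(f"access-list {number} permit {proto} host {cfg['peer']} host {cfg['src']}{port}")
    # The tunnel protocol itself: the only entry needed when IPsec rides inside the tunnel;
    # kept otherwise too (as the customer ACL above does), since some IOS releases re-check
    # decrypted packets against the inbound ACL.
    lines.append(f"access-list {number} permit {cfg['proto']} host {cfg['dst']} host {cfg['src']}")
    return lines
```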