Port based ACL filter on L2L VPN with Routers

Unanswered Question
May 26th, 2009
Is it possible to define port-based ACLs (within the crypto ACL) on L2L (site-to-site) VPNs with routers? Cisco seems to say it is possible, but not recommended.


Thanks,

Brandon

Collin Clark Tue, 05/26/2009 - 05:41

Brandon-


It is possible (we have one tunnel like that). The ACLs must match exactly on each side.


Hope that helps.

mbroberson1 Tue, 05/26/2009 - 06:23

Hi Collin,


So something like the crypto ACL below on a router should work, so long as the peer's ACL is a mirror image?

ip access-list extended xyz-company
 permit tcp host 10.10.10.10 host 11.150.116.3 eq telnet 22 ftp www 443 8080 3052 5631 5632
 permit tcp host 10.10.10.10 host 11.150.116.3 eq telnet 22 ftp www 443 8080 3052 5631 5632


Thanks,

Brandon

mbroberson1 Tue, 05/26/2009 - 06:27

Very cool.


I wonder why Cisco says it "should work", but is not recommended on IOS (routers)?


Thanks,

Brandon

Collin Clark Tue, 05/26/2009 - 06:29

It is the most common thing people get wrong when configuring VPNs. A simple subnet-to-subnet ACL is a lot easier to troubleshoot.
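
As an added illustration of the "mirror image" requirement discussed above (this is not code from the thread or from Cisco): the script below parses the subset of IOS extended-ACL syntax used in crypto ACLs (`host`/`any`/wildcard addresses, `eq` with one or more ports, `range`) and checks that every entry on the remote peer equals the local entry with source and destination, addresses and ports alike, swapped. The sample ACLs are constructed for the example; the second "remote" ACL reproduces the common mistake of pasting the local ACL unchanged instead of mirroring it, which is exactly the case the checker should flag.

```python
"""Check that two IOS crypto (proxy-identity) ACLs are exact mirror images.

Constructed example for this thread, not Cisco code.  Entries are compared
as a set: for every local ACE the remote ACL must contain the same ACE with
source and destination sides (addresses AND port operators) swapped.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Well-known port names IOS accepts in place of numbers (subset).
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25,
              "domain": 53, "www": 80, "pop3": 110, "bgp": 179}

Addr = Tuple[str, str]            # (network, wildcard mask)
Ports = Optional[FrozenSet[int]]  # None means "no port operator" (any port)


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: Addr
    src_ports: Ports
    dst: Addr
    dst_ports: Ports

    def mirrored(self) -> "Ace":
        """The entry the peer must carry: src and dst sides swapped."""
        return Ace(self.action, self.proto, self.dst, self.dst_ports,
                   self.src, self.src_ports)


def _parse_addr(tok: List[str], i: int) -> Tuple[Addr, int]:
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    return (tok[i], tok[i + 1]), i + 2  # network followed by wildcard mask


def _port(t: str) -> int:
    return int(t) if t.isdigit() else PORT_NAMES[t]


def _parse_ports(tok: List[str], i: int) -> Tuple[Ports, int]:
    """Parse an optional 'eq p1 [p2 ...]' or 'range lo hi' starting at tok[i]."""
    if i >= len(tok):
        return None, i
    if tok[i] == "eq":
        i += 1
        ports = set()
        # The port list ends at the next address token (host/any/dotted quad).
        while i < len(tok) and tok[i] not in ("host", "any") and "." not in tok[i]:
            ports.add(_port(tok[i]))
            i += 1
        return frozenset(ports), i
    if tok[i] == "range":
        lo, hi = _port(tok[i + 1]), _port(tok[i + 2])
        return frozenset(range(lo, hi + 1)), i + 3
    return None, i


def parse_ace(line: str) -> Ace:
    """permit|deny <proto> <src> [ports] <dst> [ports]"""
    tok = line.split()
    action, proto = tok[0], tok[1]
    src, i = _parse_addr(tok, 2)
    src_ports, i = _parse_ports(tok, i)
    dst, i = _parse_addr(tok, i)
    dst_ports, i = _parse_ports(tok, i)
    return Ace(action, proto, src, src_ports, dst, dst_ports)


def parse_acl(text: str) -> FrozenSet[Ace]:
    """Parse the body of an 'ip access-list extended' block into a set of ACEs."""
    aces = set()
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("!") or line.startswith("ip access-list"):
            continue
        aces.add(parse_ace(line))
    return frozenset(aces)


def mirror_mismatches(local: str, remote: str):
    """Return (missing_on_remote, extra_on_remote).  Both empty means the two
    crypto ACLs are exact mirrors and the proxy identities will match."""
    expected = {a.mirrored() for a in parse_acl(local)}
    actual = set(parse_acl(remote))
    return expected - actual, actual - expected


# Constructed sample ACLs (addresses and ports chosen for the example only).
LOCAL = """
ip access-list extended xyz-company
 permit tcp host 10.10.10.10 host 11.150.116.3 eq telnet 22 ftp www 443
 permit ip 10.10.20.0 0.0.0.255 11.150.116.0 0.0.0.255
"""
# Correct peer ACL: the port operator moves to the *source* side on the peer.
REMOTE_OK = """
ip access-list extended xyz-company
 permit tcp host 11.150.116.3 eq 23 22 21 80 443 host 10.10.10.10
 permit ip 11.150.116.0 0.0.0.255 10.10.20.0 0.0.0.255
"""

if __name__ == "__main__":
    for name, remote in (("mirrored peer", REMOTE_OK), ("pasted copy", LOCAL)):
        missing, extra = mirror_mismatches(LOCAL, remote)
        print(f"{name}: {len(missing)} missing, {len(extra)} unexpected on remote")
        for ace in missing:
            print("  peer needs:", ace)
```

Running it reports zero mismatches for the mirrored peer and two missing plus two unexpected entries for the pasted copy, which is the symptom behind most "proxy identities not supported" failures on port-based crypto ACLs. Named and numeric ports normalise to the same value, so `eq telnet` on one side and `eq 23` on the other still count as a match.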

mbroberson1 Tue, 05/26/2009 - 06:33

I get it, makes sense. So configuring a basic L2L (site-to-site) VPN between simple hosts or subnets AND filtering by just "IP" is much, much easier than filtering by protocol, since you have to have an exact match on both sides.


Then it is not because of a performance or functionality issue that Cisco recommends against it.


Thanks,

Brandon

mbroberson1 Fri, 06/05/2009 - 12:17

Hi Collin,


I am having a bit of trouble trying to get this to work in a test lab using the routers. Can you please send an ACL and the key config snippets?


Thanks,

Brandon

Collin Clark Tue, 06/09/2009 - 05:47

Brandon-


This has a little extra since we have remote access VPN as well, but it should help in your testing.




Attachment: 
mbroberson1 Tue, 06/09/2009 - 07:39

Hi Collin,


Thanks for the example. Unless I am overlooking it, isn't there supposed to be a route statement for the VPN to know how to get to the remote host?


Thanks,

Brandon

Collin Clark Tue, 06/09/2009 - 07:53

That's one of those weird things. In this example I don't have one, but in some others I need them. I've never found a determining factor of when one is needed or not.

mbroberson1 Tue, 06/09/2009 - 09:14

That's odd, and interesting at the same time. ;-)


Thanks,

Brandon