Hi Collin,

So something like the below crypto-ACL on a router should work so long as the peer's ACL is a mirror image?

ip access-list extended xyz-company

permit tcp host 10.10.10.10 host 11.150.116.3 eq telnet 22 ftp www 443 8080 3052 5631 5632

permit tcp host 10.10.10.10 host 11.150.116.3 eq telnet 22 ftp www 443 8080 3052 5631 5632

Thanks,

Brandon

Yup

Very cool.

I wonder why Cisco says it "should Work", but is not recommended on IOS (routers)?

Thanks,

Brandon

It is the most common thing people get wrong when configuring VPN's. A simple subnet-to-subnet ACL is a lot easier to troubleshoot.

I got, makes sense. So configuring a basic L2L (site-to-site) VPN with between simple host or subnets AND filtering by just "IP" is much, much easier than filtering by protocol since you have to have an exact match on both sides.

Then it is not becuase of a performance or functionality issue that Cisco recommends against it.

Thanks,

Brandon

Hi Collin,

I am having a bit of trouble trying to get this to work in a test lab using the routers. Can you please send a ACL and the key config snippets?

Thanks,

Brandon

Brandon-

This has a little extra since we have remote access VPN as well, but it should help in your testing.

Hi Collin,

Thanks for the example. Unless I am over looking it, isn't there supposed to be a route statement for the VPN to know how to get to the remote host?

Thanks,

Brandon

That's one of those weird things. In this example I don't have one, but in some others I need them. I've never found a determining factor of when one is needed or not.

That's odd, and interesting at the same time.;-)

Thanks,

Brandon