ACL on the router

Unanswered Question
Sep 24th, 2009

In our core switch we deployed an ACL to filter the traffic coming into our network, using the IP access-list command bound on the WAN interface,

and we have an interface overload command based on the access-list to allow LAN traffic going out.

We deployed a new site-to-site VPN to a branch office, and now I need to restrict the traffic before it goes in and out of the VPN (the VPN is established on the firewall). I am routing the traffic from my core switch to the firewall.

What I need is how I can route traffic to my firewall after inspecting the traffic based on the ACL,

since I cannot achieve this on the firewall, because in the encryption domain we cannot allow a port-based ACL.

Can anyone suggest a solution?

Giuseppe Larosa Sat, 09/26/2009 - 11:17

Hello Vinoth,

Your question is not clear.

If you add a new site-to-site VPN, you probably need to modify the NAT configuration to avoid translating traffic that has to be sent to the FW for encryption.

You can use PBR on the receiving interface to send the traffic for the new site-to-site VPN to the firewall.

The ACL for NAT, if extended, has to deny traffic to the site-to-site VPN.


access-list 121 deny ip <central site> <new remote site>
access-list 121 permit ip 10.10.0.0 <wildcard mask> any

The second line is for traffic to the internet that has to be translated.

The first line takes care of VPN traffic, which is denied = not NATted.

Hope to help
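The combination described in the reply above (a NAT exemption ACL plus PBR toward the firewall), extended with the port-based filter the original poster wanted on the core switch, as an added IOS configuration example. This is not configuration from the thread's participants; the addressing (central LAN 10.10.0.0/16 on Vlan10, remote site 192.168.50.0/24, firewall reached over a transit Vlan20 at 10.20.20.2, internet uplink GigabitEthernet0/0), the permitted ports and the ACL and route-map names are all assumptions made for illustration.

```ios
! Added example, not from the original thread. Hypothetical addressing:
!   central LAN       10.10.0.0/16    (Vlan10, NAT inside)
!   new remote site   192.168.50.0/24 (behind the VPN on the firewall)
!   firewall inside   10.20.20.2      (Vlan20, transit link to the firewall)
!   internet uplink   GigabitEthernet0/0 (NAT outside)

! 1. Port-based filter toward the remote site, applied inbound on the LAN
!    interface so it runs before NAT and before PBR. Only the listed ports
!    may cross the VPN; everything else to the remote site is dropped and
!    logged, while internet-bound traffic is left alone.
ip access-list extended LAN-IN
 permit tcp 10.10.0.0 0.0.255.255 192.168.50.0 0.0.0.255 eq 443
 permit tcp 10.10.0.0 0.0.255.255 192.168.50.0 0.0.0.255 eq 3389
 deny   ip  10.10.0.0 0.0.255.255 192.168.50.0 0.0.0.255 log
 permit ip  10.10.0.0 0.0.255.255 any

! 2. NAT exemption: the deny line keeps VPN-bound traffic untranslated so
!    the firewall sees the real inside addresses; the permit line translates
!    the rest behind the uplink address (overload = PAT).
access-list 121 deny   ip 10.10.0.0 0.0.255.255 192.168.50.0 0.0.0.255
access-list 121 permit ip 10.10.0.0 0.0.255.255 any
ip nat inside source list 121 interface GigabitEthernet0/0 overload

! 3. PBR: traffic for the remote site that survived LAN-IN is handed to the
!    firewall's transit address instead of following the default route.
access-list 122 permit ip 10.10.0.0 0.0.255.255 192.168.50.0 0.0.0.255
route-map TO-FW permit 10
 match ip address 122
 set ip next-hop 10.20.20.2

interface Vlan10
 description central LAN
 ip address 10.10.0.1 255.255.0.0
 ip nat inside
 ip access-group LAN-IN in
 ip policy route-map TO-FW

interface Vlan20
 description transit to firewall
 ip address 10.20.20.1 255.255.255.0

interface GigabitEthernet0/0
 description internet uplink
 ip nat outside
```

Two points a practitioner should check before deploying something like this. The ACL on the switch is stateless, so the return traffic from 192.168.50.0/24 arrives on Vlan20 and is only filtered if an ACL is applied there as well; a matching inbound ACL on Vlan20 (or the firewall's own rules, which can still be port-based on the clear-text side) is needed if the restriction has to hold in both directions. And the deny line in access-list 121 must come before the permit line, because NAT evaluates the list top-down and the first match decides whether the packet is translated.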


