ACL on the router

vinoth.kumar
Level 1

In our core switch we deployed an ACL to filter the traffic coming into our network, by binding an IP access-list on the WAN interface,

and we have an interface overload command based on the access-list to allow LAN traffic going out.

We deployed a new site-to-site VPN to a branch office, and now I need to restrict the traffic before it goes in and out of the VPN (the VPN is established on the firewall); I am routing the traffic from my core switch to the firewall.

What I need is how I can route traffic to my firewall after inspecting the traffic based on the ACL,

since I cannot achieve this on the firewall: in the encryption domain we cannot allow a port-based ACL.

Can anyone advise?

1 Reply

Giuseppe Larosa
Hall of Fame

Hello Vinoth,

Your question is not clear.

If you add a new site-to-site VPN you probably need to modify the NAT configuration to avoid translating traffic that has to be sent to the FW for encryption.

You can use PBR on the receiving interface to send the traffic for the new site-to-site VPN to the firewall.

The ACL for NAT, if extended, has to deny traffic to the site-to-site VPN.

Example:

central site 10.10.0.0/16

new remote site 10.100.100.0/23

access-list 121 deny ip 10.10.0.0 0.0.255.255 10.100.100.0 0.0.1.255

access-list 121 permit ip 10.10.0.0 0.0.255.255 any

The second line is for traffic to the Internet that has to be translated.

The first line takes care of VPN traffic, which is denied = not NATted.

Hope this helps

Giuseppe
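Putting the reply's two pieces together (NAT exemption for the branch subnet, plus PBR on the receiving interface), here is an added IOS configuration example; it is not Giuseppe's or Cisco's own config. The interface names, the firewall next-hop 10.10.254.2, and the choice of TCP/443 as the only port allowed towards the branch are assumptions; the subnets are the ones from the reply.

```cisco
! Added example (not from the original reply). Assumed: Gi0/1 = LAN side,
! Gi0/0 = Internet WAN, firewall inside address 10.10.254.2, HTTPS only to branch.
!
! 1. NAT exemption. "deny" here means "do not translate": central site
!    (10.10.0.0/16) to branch (10.100.100.0/23) must keep its real addresses
!    so it matches the firewall's VPN encryption domain.
access-list 121 deny   ip 10.10.0.0 0.0.255.255 10.100.100.0 0.0.1.255
access-list 121 permit ip 10.10.0.0 0.0.255.255 any
ip nat inside source list 121 interface GigabitEthernet0/0 overload
!
! 2. Port-based filter on the LAN-facing interface. An inbound ACL is
!    evaluated before policy routing, so only what survives it can be
!    redirected to the firewall. Traffic to the branch that is not HTTPS
!    is dropped here rather than leaking towards the default route.
ip access-list extended LAN-IN
 permit tcp 10.10.0.0 0.0.255.255 10.100.100.0 0.0.1.255 eq 443
 deny   ip  10.10.0.0 0.0.255.255 10.100.100.0 0.0.1.255
 permit ip any any
!
! 3. PBR: everything still destined to the branch is handed to the
!    firewall, which encrypts it; all other traffic follows the routing table.
ip access-list extended TO-BRANCH
 permit ip 10.10.0.0 0.0.255.255 10.100.100.0 0.0.1.255
!
route-map TO-FW permit 10
 match ip address TO-BRANCH
 set ip next-hop 10.10.254.2
!
interface GigabitEthernet0/1
 description LAN (receiving interface)
 ip nat inside
 ip access-group LAN-IN in
 ip policy route-map TO-FW
!
interface GigabitEthernet0/0
 description Internet WAN
 ip nat outside
```

Check the result with "show ip nat translations" (no entries for 10.100.100.0/23 destinations should appear) and "show route-map TO-FW" (the policy-routed counter should increase while branch traffic flows).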
