Securing Site to Site VPN

Oct 20th, 2009

Hi All,

We are terminating a VPN on an 1800 series router. The networks that are negotiated during the phase 2 part of the setup are shown below, using the ACL...

ip access-list extended VPN_ACL

permit ip

This then allows all IP traffic between the 2 networks. My question is this....

What would be the best way to restrict the traffic? Use an ACL outbound on the internal interface? Any other recommendations would be great.

Thanks in advance


bastien.migette Tue, 10/20/2009 - 07:16


If you use a tunnel interface, then you can put an ACL directly on it. If you don't, then think about it, but if you allow only the traffic that should be authorized in your tunnel on your crypto ACL, then I think traffic not matching will be dropped, or at least it won't be encapsulated then your ISP will drop it.

AxiomConsulting Tue, 10/20/2009 - 07:20

Thanks so much for your reply. How would I use the tunnel interface? I don't suppose you have any good documentation you could point me to?

Cheers again


AxiomConsulting Tue, 10/20/2009 - 08:22

The problem is the other end of the tunnel is not in our control.

The VPN is currently set up using (what I call) the standard VPN setup, therefore I am reluctant, even unsure, as to whether the tunnel interfaces would help us, as we have no shared IP ranges to use as the tunnel interface IP address.

Also, restricting the traffic on the phase 2 ACL doesn't seem to work. Do you, or anyone else, have any other ideas?

Thanks and regards


bastien.migette Tue, 10/20/2009 - 08:27

Hi, I think you can still use a tunnel interface even if the other end uses a crypto map, but that should be tested beforehand.

Other solutions I see would be to put an ACL on the inside interface, as once the traffic is tunneled you won't be able to filter it on the outside interface, but you can still modify the crypto ACL to cipher only one part of the traffic, and drop it with an outside ACL.

Another solution would be to use PBR to the Null0 interface for traffic that shouldn't leave by the tunnel.
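The inside-interface ACL approach suggested above, written out as an added example (not configuration from the thread). The addresses, interface name and allowed flow are assumptions: local LAN 10.1.1.0/24 on FastEthernet0/0, remote LAN 192.168.50.0/24, and HTTPS to one remote server 192.168.50.10 as the only permitted traffic.

```cisco
! Added example, not the poster's configuration. Addresses are assumed:
! local LAN 10.1.1.0/24 on FastEthernet0/0 (inside), remote LAN 192.168.50.0/24,
! and the only allowed flow is HTTPS to the remote server 192.168.50.10.
!
! The phase 2 (crypto) ACL stays at the full subnet pair: the peer is not under
! our control and its proxy identities must mirror ours, so narrowing it here
! affects SA negotiation rather than acting as a traffic filter.
ip access-list extended VPN_ACL
 permit ip 10.1.1.0 0.0.0.255 192.168.50.0 0.0.0.255
!
! Filtering is done on the inside interface instead, before encapsulation.
! Inbound (from the LAN): only the allowed flow may head to the remote site;
! anything else addressed to the remote subnet is dropped and logged.
ip access-list extended INSIDE_IN
 permit tcp 10.1.1.0 0.0.0.255 host 192.168.50.10 eq 443
 deny   ip 10.1.1.0 0.0.0.255 192.168.50.0 0.0.0.255 log
 permit ip any any
!
! Outbound (towards the LAN, i.e. decrypted traffic from the tunnel): return
! traffic for the allowed flow only, so the remote site cannot open new
! connections into our network over the tunnel.
ip access-list extended INSIDE_OUT
 permit tcp host 192.168.50.10 eq 443 10.1.1.0 0.0.0.255 established
 deny   ip 192.168.50.0 0.0.0.255 10.1.1.0 0.0.0.255 log
 permit ip any any
!
interface FastEthernet0/0
 description Inside LAN
 ip address 10.1.1.1 255.255.255.0
 ip access-group INSIDE_IN in
 ip access-group INSIDE_OUT out
!
! Verification: the hit counters on the deny entries show what is being blocked.
! show ip access-lists INSIDE_IN
! show ip access-lists INSIDE_OUT
```

The trailing "permit ip any any" keeps non-VPN traffic (Internet-bound and local) unaffected; tighten it if the inside interface should carry only the tunnel traffic.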

