Securing Site to Site VPN

AxiomConsulting
Level 1

Hi All,

We are terminating a VPN on an 1800 series router. The networks that are negotiated during the phase 2 part of the setup are shown below, using the ACL...

ip access-list extended VPN_ACL
 permit ip 192.168.200.0 0.0.0.255 192.168.40.0 0.0.0.255

This then allows all IP traffic between the 2 networks. My question is this....

What would be the best way to restrict the traffic: use an ACL outbound on the internal interface? Any other recommendations would be great....

Thanks in advance

Steve

5 Replies

bastien.migette
Level 1

Hi,

If you use a tunnel interface, then you can put an ACL directly on it. If you don't, then think about it, but if you allow only the traffic that should be authorized in your tunnel on your crypto ACL, then I think traffic not matching will be dropped, or at least it won't be encapsulated then your ISP will drop it.

Thanks so much for your reply. How would I use the tunnel interface? I don't suppose you have any good documentation you could point me to.

Cheers again

Steve

Here is an example using a virtual tunnel interface, it's very simple:

http://www.ciscoblog.com/archives/2006/08/vpn_virtual_tun.html

Create a tunnel interface with source/destination public addresses and a private address, then assign an IPsec profile for protection (which contains a transform set).

The problem is the other end of the tunnel is not in our control.

The VPN is currently set up using (what I call) the standard VPN setup, therefore I am reluctant, even unsure, as to whether the tunnel interfaces would help us, as we have no shared IP ranges to use as the tunnel interface IP address.

Also, restricting the traffic on the phase 2 ACL doesn't seem to work. Do you, or anyone else, have any other ideas?

Thanks and regards

Steve

Hi, I think you can still use a tunnel interface even if the other end uses a crypto map, but that should be tested before.

Other solutions I see would be to put an ACL on the inside interface, as once the traffic is tunneled, you won't be able to filter it on the outside interface, but you can still modify the crypto ACL to cipher only one part of the traffic, and drop it with an outside ACL.

Another solution would be to use PBR to the null0 interface for traffic that shouldn't leave by the tunnel.
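As an added example (not configuration from anyone in this thread), the inside-interface ACL approach from the reply above, applied to the networks in the original post. It assumes the LAN is on FastEthernet0/0, that only HTTPS and RDP from the local LAN to the remote LAN should cross the tunnel, and that the existing crypto map references VPN_ACL; interface names, ports and the crypto map name are placeholders.

```cisco
! Added example, not from the thread. Placeholders: FastEthernet0/0 (inside),
! TCP/443 and TCP/3389 as the only flows allowed across the tunnel.

! Enforcement point that works regardless of the remote peer's configuration:
! an ACL applied inbound on the inside interface. Packets are evaluated here
! before routing and before the crypto map, so denied traffic never reaches
! the tunnel. Entries are processed top-down, so the deny for the remote LAN
! sits before the general permit for Internet-bound traffic.
ip access-list extended INSIDE_IN
 remark Flows allowed across the site-to-site VPN
 permit tcp 192.168.200.0 0.0.0.255 192.168.40.0 0.0.0.255 eq 443
 permit tcp 192.168.200.0 0.0.0.255 192.168.40.0 0.0.0.255 eq 3389
 remark Everything else destined for the remote LAN is dropped and logged
 deny   ip 192.168.200.0 0.0.0.255 192.168.40.0 0.0.0.255 log
 remark Internet-bound traffic is unaffected
 permit ip 192.168.200.0 0.0.0.255 any

interface FastEthernet0/0
 description Inside LAN
 ip address 192.168.200.1 255.255.255.0
 ip access-group INSIDE_IN in

! Optional: narrow the crypto ACL to the same flows. Its entries are
! negotiated as the phase 2 proxy identities, so the remote peer's crypto
! ACL must mirror the change; done unilaterally against a peer you do not
! control, the IPsec SA may simply fail to come up. Remove the broad entry
! first, because adding lines to a named ACL only appends to it.
ip access-list extended VPN_ACL
 no permit ip 192.168.200.0 0.0.0.255 192.168.40.0 0.0.0.255
 permit tcp 192.168.200.0 0.0.0.255 192.168.40.0 0.0.0.255 eq 443
 permit tcp 192.168.200.0 0.0.0.255 192.168.40.0 0.0.0.255 eq 3389

! Verification: hit counters on the deny line show what is being blocked,
! and the IPsec SA output confirms the tunnel is still passing traffic.
show ip access-lists INSIDE_IN
show crypto ipsec sa
```

INSIDE_IN only governs sessions that originate on the local LAN; connections initiated from the remote site arrive decrypted on the outside interface and need their own policy.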
