
Access list for VPN connection

Answered Question
Feb 24th, 2014

Guys,


I have two WAN connections, on both I have two IPSEC VPNs. For one VPN I would like to apply an access list which will limit access from the remote LAN to my LAN.

My LAN: 10.0.0.0/23 , remote LAN: 192.168.220.0/24 .

As an example I tried to limit access to host 10.0.0.100 with the following config:

# ip access-list extended 150
(config-ext-nacl)# permit ip 192.168.220.0 0.0.0.255 host 10.0.0.100
(config-ext-nacl)# deny ip 192.168.220.0 0.0.0.255 any


I applied the above access list to my LAN interface as an incoming rule, but this caused no Internet access from my LAN.

The question is whether the above approach is correct and where such an ACL should be applied.


Thanks in advance for any tip.


Piotr


Jon Marshall Mon, 02/24/2014 - 03:41

Piotr


All ACLs have an implicit "deny ip any any" at the end, so you blocked all traffic from your LAN to the internet with your ACL.


You need to remove that ACL and -


1) if you are using crypto map ACLs then simply have an ACL that only allows the traffic you want. If there is no entry in the ACL then the traffic will not be encrypted


2) if you are using VTI, apply your ACL to the VTI in an outbound direction


Jon

Piotr Pawlowski Mon, 02/24/2014 - 03:43

Hi Jon,


I am using the crypto-map feature. Right now I have the following ACL there:

permit ip 10.0.0.0 0.0.1.255 192.168.220.0 0.0.0.255

Do I understand you correctly, that I should replace it with:

permit ip 192.168.220.0 0.0.0.255 host 10.0.0.100

in order to give bidirectional access to the VPN from the whole 192.168.220.0 network to host 10.0.0.100?


Piotr

Jon Marshall Mon, 02/24/2014 - 03:49

Piotr


What do you actually want to do, i.e. is it just that host that needs the connection?


Your first ACL is the correct way in terms of source and destination IPs from your end, not the second one.


If you are using a crypto map ACL, then the traffic that is matched by the ACL will be allowed through the tunnel.


Note also that if you are changing the ACL you will need to modify it at the other end as well, i.e. the crypto ACLs must match in terms of source and destination IP; they are simply reversed, i.e. your source becomes their destination etc.


An alternative is to allow traffic through the tunnel and then apply an ACL outbound to the LAN, but you need to be careful you don't cut off internet again.


It's not clear what you are trying to achieve ie. which traffic you want to be encrypted.

Piotr Pawlowski Mon, 02/24/2014 - 07:57

Jon,


I created the following extended ACL:

    10 permit ip 192.168.220.0 0.0.0.255 host 10.0.0.100
    11 permit ip 192.168.220.0 0.0.0.255 host 10.0.0.101
    12 permit ip 10.0.0.0 0.0.1.255 192.168.220.0 0.0.0.255
    20 deny ip 192.168.220.0 0.0.0.255 any
    30 permit ip any any

All hosts from the 192.168.220.0/24 network can reach hosts .100 and .101. I was quite sure that rule No. 12 would cause every host in 10.0.0.0/23 to be able to access every host in 192.168.220.0. Unfortunately, with the above config, only hosts .100 and .101 can reach the 192.168.220.0/24 network.


Is it possible to achieve such a configuration or should I live with this?


Piotr

Jon Marshall Mon, 02/24/2014 - 10:47

Piotr


Can you specify exactly what you are trying to do in terms of access, i.e. what IPs do you want to allow to the remote network 192.168.220.0/24?


Is there a reason you do not want to modify the crypto map ACL?


Is it because it would have to be changed at the other end as well?


I am trying to help but you are not making it clear what access you actually want between these IPs ?


Jon

Piotr Pawlowski Mon, 02/24/2014 - 10:56

Jon,

jon.marshall wrote:

> Is there a reason you do not want to modify the crypto map ACL?
> Is it because it would have to be changed at the other end as well?

I do not have control over the router in network 192.168.220.0/24 so I cannot use the crypto map ACL approach (as far as I understood you in previous posts). The 192.168.220.0/24 network is my client's network.


jon.marshall wrote:

> Can you specify exactly what you are trying to do in terms of access, i.e. what IPs do you want to allow to the remote network 192.168.220.0/24?


I would like to limit access from the 192.168.220.0/24 network to only several hosts in my LAN. At the same time, because I do not care about the security of the 192.168.220.0/24 network, I would like to give all hosts in my network (10.0.0.0/23) the possibility to access the network 'after' the VPN (192.168.220.0/24).

Hope that explains everything.


Piotr

Correct Answer
Jon Marshall Mon, 02/24/2014 - 11:08

Piotr


Ahhh, i understand now, thanks.


The problem you have is ACLs are not stateful, so if you limit traffic from 192.168.200.x to only a few clients then that also means that the ACL applies the other way as well.


So if you have an ACL that blocks access to only a few of your 10.x.x.x clients from 192.168.220.x, then this ACL also blocks the return traffic from any of your 10.x.x.x clients to 192.168.220.x.


However, routers support reflexive ACLs, which means you can only allow traffic back in if you have initiated the connection, so you could -


1) allow 192.168.200.x to only initiate connections to certain 10.x.x.x clients


whilst at the same time


2) allow all your 10.x.x.x clients to initiate connection to 192.168.200.x clients


see this link for reflexive acls -


http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfreflx.html


Jon

Piotr Pawlowski Tue, 02/25/2014 - 02:25

Hi Jon,


It's the first time I have heard about reflexive ACLs.

After reading the documentation and 'how-to's' I created something like this:

ip access-list extended ACL-test-in
 permit ip 192.168.220.0 0.0.0.255 host 10.0.0.100 reflect test-reflect
 permit ip 192.168.220.0 0.0.0.255 host 10.0.0.101 reflect test-reflect
ip access-list extended ACL-test-out
 evaluate test-reflect
interface g0/0
 ! it's the LAN interface on my router
 ip access-group ACL-test-in in
 ip access-group ACL-test-out out

Unfortunately it seems that I did it wrong, because any host in the 192.168.220.0/24 network can reach any host in my 10.0.0.0/23 LAN.

What is more, when I do sh ip access-list ACL-test-in and ACL-test-out I do not see any entries.

I also applied the same access-groups on the WAN interface on which the VPN is configured, without luck.


Any ideas?

Correct Answer
Jon Marshall Wed, 02/26/2014 - 12:16

Piotr


Can you try this -


! traffic arriving from the tunnel/Internet towards the LAN: only the two hosts
! are reachable statically; everything else must match a reflexive entry
ip access-list extended ACL-test-outbound
 permit ip 192.168.220.0 0.0.0.255 host 10.0.0.100
 permit ip 192.168.220.0 0.0.0.255 host 10.0.0.101
 evaluate test-reflect
!
! traffic leaving the LAN: permit everything and record the session
ip access-list extended ACL-test-inbound
 permit ip any any reflect test-reflect
!
! applied on the LAN interface, so "in" = from the LAN, "out" = towards the LAN
interface gi0/0
 ip access-group ACL-test-inbound in
 ip access-group ACL-test-outbound out


and then retest.


Jon
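As an added example (my own Python model, not code from this thread or from Cisco), this replays the flows Jon describes in his reflexive ACL explanation and in the final gi0/0 config: the remote network only reaches the two allowed hosts, a reply to a LAN-initiated session is let back in only because the reflexive entry exists, and the same reply is dropped under a plain stateless ACL. Hosts, ports and the protocol are constructed sample values; real IOS reflexive entries also carry idle timeouts and special ICMP handling, which the model omits.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of Jon's gi0/0 config. gi0/0 is the LAN side, so
# "in" = packets leaving the LAN, "out" = packets entering it; getting that
# direction backwards is why the earlier attempt never created any entries.
REMOTE = ip_network("192.168.220.0/24")
ALLOWED_LAN_HOSTS = {ip_address("10.0.0.100"), ip_address("10.0.0.101")}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


class ReflexiveAclSim:
    def __init__(self) -> None:
        # Temporary entries of the reflexive ACL "test-reflect" (simplified:
        # no idle timeout, no ICMP special-casing).
        self.reflect: set[tuple] = set()

    def inbound_from_lan(self, p: Packet) -> bool:
        # ACL-test-inbound: permit ip any any reflect test-reflect
        # Store the mirrored 5-tuple so only the matching reply gets back in.
        self.reflect.add((p.dst, p.src, p.proto, p.dport, p.sport))
        return True

    def outbound_to_lan(self, p: Packet, stateful: bool = True) -> bool:
        src, dst = ip_address(p.src), ip_address(p.dst)
        # ACL-test-outbound: permit ip 192.168.220.0 0.0.0.255 host 10.0.0.100/.101
        if src in REMOTE and dst in ALLOWED_LAN_HOSTS:
            return True
        # evaluate test-reflect (stateful=False models the plain stateless ACL)
        if stateful and (p.src, p.dst, p.proto, p.sport, p.dport) in self.reflect:
            return True
        return False  # implicit deny ip any any


def scenario() -> dict[str, bool]:
    """Replay the flows discussed in the thread and return the verdicts."""
    acl = ReflexiveAclSim()
    reply = Packet("192.168.220.5", "10.0.0.50", "tcp", 443, 40000)
    return {
        "remote_to_allowed_host": acl.outbound_to_lan(Packet("192.168.220.5", "10.0.0.100", "tcp", 51000, 445)),
        "remote_to_other_host": acl.outbound_to_lan(Packet("192.168.220.5", "10.0.0.50", "tcp", 51001, 445)),
        "lan_initiates": acl.inbound_from_lan(Packet("10.0.0.50", "192.168.220.5", "tcp", 40000, 443)),
        "reply_stateless": acl.outbound_to_lan(reply, stateful=False),
        "reply_reflexive": acl.outbound_to_lan(reply),
    }
```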

Piotr Pawlowski Mon, 03/03/2014 - 02:03

Awesome, works like a charm!


One more thing - is it possible to apply this configuration on the external interface rather than on the LAN one?
