I have two WAN connections, and on both I have two IPsec VPNs. For one VPN I would like to apply an access list which will limit access from the remote LAN to my LAN.
My LAN: 10.0.0.0/23, remote LAN: 192.168.220.0/24.
For example, I tried to limit access to host 10.0.0.100 with the following config:
(config)# ip access-list extended 150
(config-ext-nacl)# permit ip 192.168.220.0 0.0.0.255 host 10.0.0.100
(config-ext-nacl)# deny ip 192.168.220.0 0.0.0.255 any
I applied the above access list to my LAN interface as an incoming rule, but this caused no Internet access from my LAN.
The question is whether the above approach is correct and where such an ACL should be applied.
Thanks in advance for any tip.
Can you try this -
! filter applied toward the LAN: remote site may only reach these hosts,
! plus whatever the LAN initiated (via the reflexive list)
ip access-list extended ACL-test-outbound
 permit ip 192.168.220.0 0.0.0.255 host 10.0.0.100
 permit ip 192.168.220.0 0.0.0.255 host 10.0.0.101
 evaluate test-reflect
! traffic leaving the LAN: allow everything and record it in the reflexive list
ip access-list extended ACL-test-inbound
 permit ip any any reflect test-reflect
! on the LAN interface
 ip access-group ACL-test-inbound in
 ip access-group ACL-test-outbound out
and then retest.
Ahhh, I understand now, thanks.
The problem you have is that ACLs are not stateful, so if you limit traffic from 192.168.200.x to only a few clients, then that also means the ACL applies the other way as well.
So if you have an ACL that blocks access to all but a few of your 10.x.x.x clients from 192.168.220.x, then this ACL also blocks the return traffic from any of your 10.x.x.x clients to 192.168.220.x.
However, routers support reflexive ACLs, which means you can only allow traffic back in if you have initiated the connection, so you could -
1) allow 192.168.200.x to only initiate connections to certain 10.x.x.x clients
whilst at the same time
2) allow all your 10.x.x.x clients to initiate connection to 192.168.200.x clients
see this link for reflexive ACLs -
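The point made in the two replies above (a stateless ACL filtering the remote site also drops the replies to connections your own LAN started, and a reflexive ACL fixes that by recording what the LAN initiated) can be checked with a small model of how an extended ACL is evaluated. The following is an added example written for this thread, not the router's code or anything posted above; it models only source/destination matching with Cisco wildcard masks plus reflect/evaluate, ignores protocol and TCP state, and the host addresses and ports are constructed for the demonstration (the networks are the ones from the question).

```python
# Added example: a toy model of Cisco-style extended ACL evaluation, to show
# why a stateless ACL applied toward the LAN breaks return traffic and how a
# reflexive ACL (permit ... reflect NAME / evaluate NAME) restores it.
# Hosts and ports below are constructed; networks are the thread's.
import ipaddress
from dataclasses import dataclass

ANY = ("0.0.0.0", "255.255.255.255")   # Cisco "any" = base 0.0.0.0, wildcard all-ones


def host(ip):
    """Cisco 'host X' is X with a wildcard of 0.0.0.0 (every bit must match)."""
    return (ip, "0.0.0.0")


def match_wildcard(addr, base, wildcard):
    """Wildcard match: bits set in the wildcard are 'don't care' bits."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


@dataclass
class Entry:
    action: str            # "permit", "deny", or "evaluate"
    src: tuple = ANY       # (base, wildcard) in Cisco notation
    dst: tuple = ANY
    name: str = None       # reflexive list to populate (permit ... reflect) or consult (evaluate)


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class Router:
    def __init__(self):
        self.reflexive = {}  # list name -> set of (src, sport, dst, dport) allowed back

    def check(self, acl, pkt):
        """Return True if the packet is permitted by the ACL (implicit deny at the end)."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        for e in acl:
            if e.action == "evaluate":
                if key in self.reflexive.get(e.name, set()):
                    return True
                continue
            if match_wildcard(pkt.src, *e.src) and match_wildcard(pkt.dst, *e.dst):
                if e.action == "permit" and e.name:
                    # record the mirrored flow so the reply is let back through
                    self.reflexive.setdefault(e.name, set()).add(
                        (pkt.dst, pkt.dport, pkt.src, pkt.sport))
                return e.action == "permit"
        return False  # implicit deny


# The question's ACL: remote site may reach 10.0.0.100 only.
OP_ACL = [
    Entry("permit", ("192.168.220.0", "0.0.0.255"), host("10.0.0.100")),
    Entry("deny", ("192.168.220.0", "0.0.0.255"), ANY),
]

# The first reply's pair of lists (with the 'evaluate' line that makes the reflect useful).
INBOUND = [Entry("permit", ANY, ANY, name="test-reflect")]           # from LAN, reflected
OUTBOUND = [                                                          # toward LAN
    Entry("permit", ("192.168.220.0", "0.0.0.255"), host("10.0.0.100")),
    Entry("permit", ("192.168.220.0", "0.0.0.255"), host("10.0.0.101")),
    Entry("evaluate", name="test-reflect"),
]


def scenario_op_inbound():
    """OP_ACL applied inbound on the LAN interface: LAN-sourced traffic matches nothing."""
    return Router().check(OP_ACL, Packet("10.0.0.50", "203.0.113.5", 40001, 443))  # False


def scenario_stateless():
    """OP_ACL applied toward the LAN: unsolicited access is filtered, but so are replies."""
    r = Router()
    return {
        "remote_to_allowed": r.check(OP_ACL, Packet("192.168.220.10", "10.0.0.100", 50000, 445)),
        "remote_to_other": r.check(OP_ACL, Packet("192.168.220.10", "10.0.0.50", 50000, 445)),
        # 10.0.0.50 opened a connection to the remote site; the reply crosses the same ACL
        "reply_to_lan": r.check(OP_ACL, Packet("192.168.220.10", "10.0.0.50", 443, 40000)),
        "internet_reply": r.check(OP_ACL, Packet("203.0.113.5", "10.0.0.50", 443, 40001)),
    }


def scenario_reflexive():
    """Reflexive pair: LAN-initiated flows are recorded and their replies permitted."""
    r = Router()
    lan_to_remote = r.check(INBOUND, Packet("10.0.0.50", "192.168.220.10", 40000, 443))
    lan_to_internet = r.check(INBOUND, Packet("10.0.0.50", "203.0.113.5", 40001, 443))
    return {
        "lan_to_remote": lan_to_remote,
        "lan_to_internet": lan_to_internet,
        "reply_from_remote": r.check(OUTBOUND, Packet("192.168.220.10", "10.0.0.50", 443, 40000)),
        "reply_from_internet": r.check(OUTBOUND, Packet("203.0.113.5", "10.0.0.50", 443, 40001)),
        "remote_to_allowed": r.check(OUTBOUND, Packet("192.168.220.10", "10.0.0.100", 50000, 445)),
        "remote_unsolicited": r.check(OUTBOUND, Packet("192.168.220.10", "10.0.0.50", 50000, 445)),
    }


if __name__ == "__main__":
    print("OP ACL inbound, LAN to Internet:", scenario_op_inbound())
    print("stateless:", scenario_stateless())
    print("reflexive:", scenario_reflexive())
```

Running it shows the three situations in the thread: the question's ACL applied inbound on the LAN interface denies all LAN-sourced traffic (no Internet); the same ACL applied toward the LAN lets the remote site reach 10.0.0.100 only, but the implicit deny also drops replies to connections the LAN started; the reflexive pair permits those replies while still refusing unsolicited remote connections to other LAN hosts.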