×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

ACL/Site-to-Site VPN

Unanswered Question
Jun 7th, 2006
User Badges:

Configuring site-to-site VPN on 2821. Remote endpoint is 7206. On 2821, have 2 active interfaces, serial facing the ISP and Ethernet facing LAN. Tunnel endpoint on 2821 is terminating on LAN facing Ethernet interface. Question is this, do I need to create inbound ACL's on 2821 serial interface permiting those networks transiting the tunnel into the 2821 or can I just permit the remote endpoint's IP address? Thanks in advance.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
a.kiprawih Fri, 06/09/2006 - 10:52
User Badges:
  • Gold, 750 points or more

Hi,


What you need is to define ACL (for interesting traffic) that will trigger the VPN tunnel.


Specify your LAN IP/subnet/network in the ACL and permit it to access/reach remote LAN/network on the peer VPN router.


Other than that, you only need to ensure your router, via its serial interface, is able to reach remote router serial. Check the routing as well.


Unless if you have ACL on you serial, than you need to add remote router's serial to come in.


Rgds,

AK


Richard Burts Sun, 06/11/2006 - 13:26
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

AK


You have given a good explanation about the function of ACL in controlling IPSec VPN and identifying traffic to be protected by the VPN. But as I read the original post I am not sure that is what was being asked about. I believe that the original question wants to know that if an access list is being configured inbound on the serial interface what does it need to permit for the VPN to work. In particular I think it wants to know whether the source and destination networks (LANs) need to be permitted or just the peer address. If that is the correct understanding then the answer is just the IPSec peer addresses need to be specified in the inbound ACL.


HTH


Rick

Actions

This Discussion