ACL/Site-to-Site VPN

ahensel
Level 1

Configuring site-to-site VPN on 2821. Remote endpoint is 7206. On 2821, have 2 active interfaces, serial facing the ISP and Ethernet facing LAN. Tunnel endpoint on 2821 is terminating on LAN-facing Ethernet interface. Question is this: do I need to create inbound ACLs on the 2821 serial interface permitting those networks transiting the tunnel into the 2821, or can I just permit the remote endpoint's IP address? Thanks in advance.

3 Replies

a.kiprawih
Level 7

Hi,

What you need is to define ACL (for interesting traffic) that will trigger the VPN tunnel.

Specify your LAN IP/subnet/network in the ACL and permit it to access/reach remote LAN/network on the peer VPN router.

Other than that, you only need to ensure your router, via its serial interface, is able to reach remote router serial. Check the routing as well.

Unless you have an ACL on your serial, then you need to add the remote router's serial to come in.

Rgds,

AK

AK

You have given a good explanation about the function of ACL in controlling IPSec VPN and identifying traffic to be protected by the VPN. But as I read the original post I am not sure that is what was being asked about. I believe that the original question wants to know that if an access list is being configured inbound on the serial interface what does it need to permit for the VPN to work. In particular I think it wants to know whether the source and destination networks (LANs) need to be permitted or just the peer address. If that is the correct understanding then the answer is just the IPSec peer addresses need to be specified in the inbound ACL.

HTH

Rick

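To make the two answers concrete, here is an added IOS configuration example (not posted by anyone in the thread, and not taken from the original poster's routers) that shows both ACLs side by side: the crypto ACL that defines the interesting traffic AK describes, and the inbound ACL on the ISP-facing serial interface that, as Rick explains, only needs to admit the IPsec peer itself. All addresses, names and the pre-shared key are placeholders. For simplicity it assumes the tunnel terminates on the serial address; if, as in the original question, the tunnel terminates on the Ethernet address instead, use that address as the destination in the SERIAL-IN entries. The specific protocols permitted (IKE on UDP/500, ESP, and optionally NAT-T on UDP/4500) are the standard IPsec control and data channels, which the thread refers to only as "the peer addresses".

```cisco
! Added example, not from the thread. Placeholder addressing:
!   198.51.100.2     = remote 7206 IPsec peer (its ISP-facing address)
!   203.0.113.2      = local 2821 address the tunnel terminates on (assumed to be the serial)
!   192.168.10.0/24  = local LAN behind the 2821
!   192.168.20.0/24  = remote LAN behind the 7206
!
! --- 1) Crypto ACL: the "interesting traffic" that brings up and is protected by the tunnel.
!        Only LAN-to-LAN prefixes belong here; this is the ACL AK describes.
ip access-list extended VPN-INTERESTING
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
! --- 2) IKE and IPsec policy that references the crypto ACL (placeholder PSK).
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-PSK address 198.51.100.2
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TS
 match address VPN-INTERESTING
!
! --- 3) Inbound ACL on the ISP-facing serial interface (Rick's point).
!        The remote LAN prefix does NOT need to appear here: on the wire it is
!        wrapped inside ESP from the peer, so only the peer's IKE and ESP packets
!        have to be admitted.
ip access-list extended SERIAL-IN
 remark IKE / ISAKMP (UDP 500) from the IPsec peer
 permit udp host 198.51.100.2 host 203.0.113.2 eq isakmp
 remark NAT-T (UDP 4500), only needed if a NAT device sits between the peers
 permit udp host 198.51.100.2 host 203.0.113.2 eq non500-isakmp
 remark ESP (IP protocol 50) carrying the encrypted LAN-to-LAN traffic
 permit esp host 198.51.100.2 host 203.0.113.2
 remark everything else arriving from the Internet is dropped and logged
 deny   ip any any log
!
interface Serial0/0/0
 description ISP-facing link
 ip address 203.0.113.2 255.255.255.252
 ip access-group SERIAL-IN in
 crypto map VPN-MAP
```

After applying the ACL, `show access-lists SERIAL-IN` should show the `isakmp` and `esp` entries incrementing while the tunnel is up, and `show crypto ipsec sa` should show encrypt/decrypt counters rising for the VPN-INTERESTING flow; if the tunnel never negotiates, the `deny ip any any log` line will log the peer's blocked packets and point at a missing permit.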