I need to lock down the outside interface on an 871 router which currently has an L2L tunnel with a remote router. I need to apply an ACL to the outside interface of this 871 and to allow ONLY the remote router to communicate with my 871 for the purpose of the tunnel. Everything else will be blocked.
Can you tell me the exact protocols and port numbers that I need to allow?
It is an IPsec tunnel embedded in a GRE tunnel. The IP address of the remote router is 220.127.116.11
GRE packets are encapsulated within IP and use IP protocol type 47.
access-list 187 permit gre host 18.104.22.168 host (871 public IP)
Hope that helps.
Will this be the only thing I'd need? I have a customer that has the following access-lists applied to the outside interface:
access-list 120 permit gre host 22.214.171.124 host 10.0.0.30
access-list 120 permit udp host 126.96.36.199 host 10.0.0.30 eq isakmp
access-list 120 permit esp host 188.8.131.52 host 10.0.0.30
access-list 120 permit udp host 184.108.40.206 host 10.0.0.30 eq non500-isakmp
I always see hits on the access lists "eq isakmp" and "eq non500-isakmp"...
So wouldn't this mean that I will need these access lists as well?
If you had a GRE tunnel and were encrypting the packets inside of it, no. Sounds like you're not doing that though and will need isakmp and esp opened up.
I see. Then why is it that I see a lot of hits on the other access lists?
That was also my understanding: on a GRE tunnel, the GRE thing happens first and all traffic is encrypted, thus no need to allow/open anything else except the GRE stuff on the outside access list.
You are correct, that's why I'm thinking that maybe the GRE is running inside an IPSec tunnel. Can you post a config?
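The disagreement above comes down to which encapsulation is outermost on the wire, because the outside-interface ACL only ever sees the outer IP header. The following is an added example, not something posted in this thread: it models the access-list 120 entries from the earlier reply as a tiny first-match ACL evaluator and feeds it constructed outer packets for both orderings, plus the NAT-T case that turns ESP into UDP 4500. PEER and LOCAL reuse the scrubbed addresses from the thread purely as placeholders.

```python
"""Model which access-list 120 entries get hits for GRE-over-IPsec versus
IPsec-over-GRE. Added example for the thread above, not a Cisco tool; the
addresses are the thread's scrubbed placeholders, the packets are constructed."""
from dataclasses import dataclass
from typing import List, Optional

GRE, ESP, UDP = 47, 50, 17            # IP protocol numbers
ISAKMP, NAT_T = 500, 4500             # UDP ports: isakmp / non500-isakmp

PEER = "22.214.171.124"               # remote peer (placeholder from the thread)
LOCAL = "10.0.0.30"                   # outside address used in the posted ACL


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None       # only set for UDP packets here


@dataclass(frozen=True)
class Ace:
    """One 'permit' entry of an IOS extended ACL (host/host form)."""
    proto: int
    src: str
    dst: str
    dport: Optional[int] = None       # 'eq <port>' qualifier, UDP entries only

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto and p.src == self.src and p.dst == self.dst
                and (self.dport is None or p.dport == self.dport))


# Same order as the access-list 120 lines posted above.
ACL_120: List[Ace] = [
    Ace(GRE, PEER, LOCAL),            # permit gre host PEER host LOCAL
    Ace(UDP, PEER, LOCAL, ISAKMP),    # permit udp ... eq isakmp
    Ace(ESP, PEER, LOCAL),            # permit esp host PEER host LOCAL
    Ace(UDP, PEER, LOCAL, NAT_T),     # permit udp ... eq non500-isakmp
]


def evaluate(acl: List[Ace], packet: Packet) -> Optional[int]:
    """First-match semantics: index of the matching entry, None = implicit deny."""
    for i, ace in enumerate(acl):
        if ace.matches(packet):
            return i
    return None


def outer_packets(order: str, behind_nat: bool = False) -> List[Packet]:
    """Outer headers the outside interface sees for a given encapsulation order.

    gre_over_ipsec: IPsec protects the GRE packet, so the wire carries IKE and ESP
                    (ESP becomes UDP 4500 when a NAT sits in the path).
    ipsec_over_gre: the GRE tunnel carries the ESP traffic, so the wire carries GRE
                    and IKE/ESP ride inside it, never reaching the outside ACL."""
    if order == "gre_over_ipsec":
        pkts = [Packet(PEER, LOCAL, UDP, ISAKMP)]
        pkts.append(Packet(PEER, LOCAL, UDP, NAT_T) if behind_nat
                    else Packet(PEER, LOCAL, ESP))
        return pkts
    if order == "ipsec_over_gre":
        return [Packet(PEER, LOCAL, GRE)]
    raise ValueError(f"unknown order: {order}")


def hit_entries(order: str, behind_nat: bool = False) -> List[int]:
    """Sorted indexes of the ACL_120 entries that get a hit for this ordering."""
    hits = {evaluate(ACL_120, p) for p in outer_packets(order, behind_nat)}
    return sorted(h for h in hits if h is not None)


if __name__ == "__main__":
    for order, nat in (("gre_over_ipsec", False), ("gre_over_ipsec", True),
                       ("ipsec_over_gre", False)):
        print(order, "NAT-T" if nat else "", "-> entries hit:", hit_entries(order, nat))
    # Anything not from the peer falls through to the implicit deny.
    print("stray ESP:", evaluate(ACL_120, Packet("203.0.113.9", LOCAL, ESP)))
```

With hits on the isakmp, esp and non500-isakmp lines and none on the gre line, the outer encapsulation is IPsec, which is the GRE-over-IPsec case; only the ipsec_over_gre ordering would make the GRE entry alone sufficient.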
Here's the config. How do you tell which one is happening first?
crypto isakmp policy 1
crypto isakmp key 6 DZY`gTaKIA^EKE[PYKghPS^QaOaDRHWO_AAB address 220.127.116.11 no-xauth
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map mymap 20 ipsec-isakmp
set peer 18.104.22.168
set transform-set myset
match address gre_tunnel
ip address 10.10.10.2 255.255.255.0
ip mtu 1400
tunnel source 10.0.0.30
tunnel destination 22.214.171.124
tunnel mode ipip
ip address 10.0.0.30 255.255.255.0
ip access-group 120 in
crypto map mymap
ip address 10.200.10.1 255.255.255.0
router eigrp 1
network 10.10.10.0 0.0.0.255
network 10.200.10.0 0.0.0.255
ip access-list extended gre_tunnel
permit ip host 10.0.0.30 host 126.96.36.199
Where is your GRE ACL?
Should look something like this-
access-list 120 permit gre host 188.8.131.52 host 184.108.40.206
Also, the tunnel source is a private IP and the tunnel destination is a public IP. Shouldn't it be public-to-public? Does a show interface Tunnel1 show traffic passing? I assume that a show crypto isa sa shows a connection?
The tunnel source being private is no problem. Actually, that was done by Cisco TAC; I guess the public one was not working...
Well, based on the config I sent, what is happening first? Is GRE inside IPsec or vice versa?
Hey, once again, based on the config I sent, is GRE running inside an IPSec tunnel or is IPSec running inside GRE?