
New Member

Access List needed only to allow Site-to-Site tunnel

Hi guys,

I need to lock down the outside interface on an 871 router which currently has an L2L tunnel with a remote router. I need to apply an ACL to the outside interface of this 871 and to allow ONLY the remote router to communicate with my 871 for the purpose of the tunnel. Everything else will be blocked.

Can you tell me what are the exact protocols and port numbers that I need to allow?

It is an IPsec tunnel embedded in a GRE tunnel. The IP address of the remote router is 60.60.60.25

thanks

10 REPLIES

Re: Access List needed only to allow Site-to-Site tunnel

GRE packets are encapsulated within IP and use IP protocol type 47.

access-list 187 permit gre host 60.60.60.25 host (871 public IP)

Hope that helps.

New Member

Re: Access List needed only to allow Site-to-Site tunnel

Will this be the only thing I'd need? I have a customer that has the following access-lists applied to the outside interface:

access-list 120 permit gre host 68.68.18.3 host 10.0.0.30
access-list 120 permit udp host 68.68.18.3 host 10.0.0.30 eq isakmp
access-list 120 permit esp host 68.68.18.3 host 10.0.0.30
access-list 120 permit udp host 68.68.18.3 host 10.0.0.30 eq non500-isakmp

I always see hits on the access lists "eq isakmp" and "eq non500-isakmp"...

So wouldn't this mean that I will need these access lists as well?

Re: Access List needed only to allow Site-to-Site tunnel

If you had a GRE tunnel and were encrypting the packets inside of it, no. It sounds like you're not doing that, though, and you will need isakmp and esp opened up.

New Member

Re: Access List needed only to allow Site-to-Site tunnel

I see. Then why is it that I see a lot of hits on the other access lists?

That was also my understanding: on a GRE tunnel the GRE thing happens first and all traffic is encrypted, so there is no need to allow/open anything else except the GRE stuff on the outside access list.

Re: Access List needed only to allow Site-to-Site tunnel

You are correct; that's why I'm thinking that maybe the GRE is running inside an IPSec tunnel. Can you post a config?

Gold

Re: Access List needed only to allow Site-to-Site tunnel

Are you asking for the crypto ACL or the interface ACL?

New Member

Re: Access List needed only to allow Site-to-Site tunnel

Here's the config. How do you tell which one is happening first?

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 6 DZY`gTaKIA^EKE[PYKghPS^QaOaDRHWO_AAB address 66.66.66.3 no-xauth
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map mymap 20 ipsec-isakmp
 set peer 66.66.66.3
 set transform-set myset
 match address gre_tunnel
interface Tunnel1
 ip address 10.10.10.2 255.255.255.0
 ip mtu 1400
 tunnel source 10.0.0.30
 tunnel destination 66.66.66.3
 tunnel mode ipip
interface FastEthernet4
 ip address 10.0.0.30 255.255.255.0
 ip access-group 120 in
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map mymap
interface Vlan2
 ip address 10.200.10.1 255.255.255.0
router eigrp 1
 passive-interface Vlan2
 network 10.10.10.0 0.0.0.255
 network 10.200.10.0 0.0.0.255
 no auto-summary
ip access-list extended gre_tunnel
 permit ip host 10.0.0.30 host 66.66.66.3
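Added example, not code from the thread or from Cisco: a small model of what the "which is inside which" question in the replies above actually decides, and a checker for the interface ACLs posted earlier. Two facts from the posted config drive it. First, the crypto map sits on FastEthernet4 with a crypto ACL that matches all IP between 10.0.0.30 and 66.66.66.3, so the tunnel packets themselves are selected for encryption and leave the box as ESP (with IKE on UDP 500, and ESP moved into UDP 4500 once NAT-T is detected, which is consistent with the private tunnel source and the hits seen on non500-isakmp). That is the "tunnel inside IPsec" case. Second, `tunnel mode ipip` is IP-in-IP (IP protocol 4), not GRE (47), so a `permit gre` line would not match those tunnel packets even if they were sent in the clear. The script parses ACL lines in the same numbered `access-list N permit ...` form the thread uses (host and any address forms only), builds the outer headers for each encapsulation order, and reports whether a given ACL lets the tunnel up while still denying everything else. 203.0.113.1 is an assumed stand-in for the 871's public IP, and the two ACLs are the ones posted in the thread, constructed here as sample input.

```python
"""Model outer-header traffic for 'tunnel inside IPsec' versus 'IPsec inside GRE'
and evaluate it against IOS-style interface ACLs. Added example; host/any only."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IP_PROTO = {"ip": None, "ipip": 4, "tcp": 6, "udp": 17, "gre": 47, "esp": 50}
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}   # IOS keywords for IKE and NAT-T


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    dport: Optional[int] = None        # only meaningful for tcp/udp


@dataclass(frozen=True)
class Ace:
    action: str
    proto: Optional[int]               # None means 'ip' (any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _addr(tokens, i):
    """Parse 'host A.B.C.D' or 'any' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    raise ValueError("only 'host' and 'any' address forms are modelled: " + tokens[i])


def parse_ace(line: str) -> Ace:
    t = line.split()
    if t[0] == "access-list":          # numbered form: drop 'access-list 120'
        t = t[2:]
    action, proto = t[0], t[1]
    src, i = _addr(t, 2)
    dst, i = _addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return Ace(action, IP_PROTO[proto], src, dst, dport)


def evaluate(acl: List[Ace], pkt: Packet) -> bool:
    """First matching entry wins; anything unmatched hits IOS's implicit deny."""
    for ace in acl:
        if ace.proto is not None and ace.proto != pkt.proto:
            continue
        if ipaddress.ip_address(pkt.src) not in ace.src:
            continue
        if ipaddress.ip_address(pkt.dst) not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action == "permit"
    return False


def outer_packets(order: str, peer: str, local: str, nat_t: bool = False) -> List[Packet]:
    """Outer headers that arrive on the physical interface for a given encapsulation order."""
    if order == "tunnel-inside-ipsec":
        # crypto map on the physical interface, crypto ACL matching the tunnel endpoints:
        # IKE on UDP 500, then every tunnel packet (GRE or IPIP alike) arrives as ESP
        pkts = [Packet(17, peer, local, 500), Packet(50, peer, local)]
        if nat_t:                      # NAT between the peers: ESP moves into UDP 4500
            pkts.append(Packet(17, peer, local, 4500))
        return pkts
    if order == "ipsec-inside-gre":
        # encryption applied to the traffic riding the tunnel: only GRE is visible outside
        return [Packet(47, peer, local)]
    raise ValueError("unknown order: " + order)


def minimal_acl(number: int, order: str, peer: str, local: str, nat_t: bool = False) -> List[str]:
    """IOS lines that permit exactly the outer packets of that order and nothing else."""
    lines = []
    for p in outer_packets(order, peer, local, nat_t):
        if p.proto == 17:
            name = {500: "isakmp", 4500: "non500-isakmp"}[p.dport]
            lines.append(f"access-list {number} permit udp host {peer} host {local} eq {name}")
        else:
            name = {47: "gre", 50: "esp"}[p.proto]
            lines.append(f"access-list {number} permit {name} host {peer} host {local}")
    return lines


def all_permitted(acl: List[Ace], pkts: List[Packet]) -> bool:
    return all(evaluate(acl, p) for p in pkts)


# Constructed sample input: the four lines posted for the customer's router, parsed as-is.
THREAD_ACL = [parse_ace(l) for l in (
    "access-list 120 permit gre host 68.68.18.3 host 10.0.0.30",
    "access-list 120 permit udp host 68.68.18.3 host 10.0.0.30 eq isakmp",
    "access-list 120 permit esp host 68.68.18.3 host 10.0.0.30",
    "access-list 120 permit udp host 68.68.18.3 host 10.0.0.30 eq non500-isakmp",
)]
# GRE-only ACL from the first reply; 203.0.113.1 is an assumed stand-in for the 871's public IP.
GRE_ONLY_ACL = [parse_ace("access-list 187 permit gre host 60.60.60.25 host 203.0.113.1")]

if __name__ == "__main__":
    for order in ("tunnel-inside-ipsec", "ipsec-inside-gre"):
        pkts = outer_packets(order, "60.60.60.25", "203.0.113.1", nat_t=True)
        print(order, "passes the GRE-only ACL:", all_permitted(GRE_ONLY_ACL, pkts))
    print("\n".join(minimal_acl(187, "tunnel-inside-ipsec", "60.60.60.25", "203.0.113.1", nat_t=True)))
```

Run stand-alone it shows that the single `permit gre` line from the first reply only works when IPsec rides inside GRE; for the posted config (tunnel inside IPsec, with a peer behind NAT) the GRE line never matches and the ESP plus UDP 500/4500 lines are the ones doing the work, which is why those are the entries accumulating hits. Anything not in the list, such as SSH or Telnet to 10.0.0.30 from the peer, falls through to the implicit deny, which is the lock-down the original question asked for. Once the ACL is in place, `show crypto isakmp sa`, `show crypto ipsec sa` and `show access-lists 120` on the router confirm the tunnel is up and which entries are being hit.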

Re: Access List needed only to allow Site-to-Site tunnel

Where is your GRE ACL?

Should look something like this-

access-list 120 permit gre host 69.222.73.5 host 69.222.73.6

Also, the tunnel source is a private IP and the tunnel destination is a public IP. Shouldn't it be public-to-public? Does a show interface Tunnel1 show traffic passing? I assume that a show crypto isa sa shows a connection?

New Member

Re: Access List needed only to allow Site-to-Site tunnel

The tunnel source being private is no problem. Actually, that was done by Cisco TAC; I guess the public one was not working...

Well, based on the config I sent, what is happening first? Is GRE inside IPsec or vice versa?

New Member

Re: Access List needed only to allow Site-to-Site tunnel

Hey, once again, based on the config I sent, is GRE running inside an IPSec tunnel or is IPSec running inside GRE?
