Cisco Support Community

New Member

ACL-block all but hosts ip

If I have a vpn site to site tunnel with only one host on each end, how do I block everything except those two hosts talking together and still use the vpn tunnel so that the data is encrypted?

5 REPLIES
Silver

ACL-block all but hosts ip

Hi,

You will define your "interesting" traffic that can bring up the tunnel as an ACL

access-list 101 permit ip host 1.1.1.1 host 2.2.2.2

and the inverse at the other side.

New Member

ACL-block all but hosts ip

Do I have to explicitly deny every port that is not used or can't be used such as 23, 80 (it doesn't connect to the internet but connects on a leased line) and all other well known ports?

Silver

ACL-block all but hosts ip

The ACL defines what is encrypted - so when your traffic hits the crypto map it checks the source and destination and compares it to the ACL. If it matches then it encrypts it and sends it down the tunnel. If you don't specify any specific ports in the ACL (as we haven't above) then any IP packets between those two hosts will be encrypted.

New Member

ACL-block all but hosts ip

Ok, but if I use an ACL not in the crypto map just to block ports from being used at all, is there a way to do that without naming every port that must be blocked? For example, I have an access list like the one above used for the tunnel, but then I have another one that I blocked telnet on. In that list is there a way to block all ports not used or do I need to have a command for each port I want blocked (such as POP3, HTTP, FTP, etc.)? Thanks for your help.

Silver

ACL-block all but hosts ip

There are two ways of looking at this - just allow specific traffic, i.e.:

access-list 101 permit tcp host 1.1.1.1 host 2.2.2.2 eq telnet

Everything else is blocked because of the implicit deny at the end of the ACL.

OR:

Block specific traffic and allow everything else:

access-list 101 deny tcp host 1.1.1.1 host 2.2.2.2 eq telnet

access-list 101 permit ip host 1.1.1.1 host 2.2.2.2
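As an added illustration (not part of the thread and not Cisco code), here is a small Python evaluator that parses the access-list lines quoted above and applies the first-match rule with the implicit deny at the end, so the "allow only" and "block then allow" styles can be compared on constructed packets. The PORT_NAMES table, the Packet fields and the parser's supported syntax are assumptions of this example, covering only the forms used in the thread.

```python
from collections import namedtuple
from typing import List

# Service names IOS accepts after "eq", for the ports this thread mentions (assumed subset).
PORT_NAMES = {"telnet": 23, "www": 80, "ftp": 21, "pop3": 110}

# proto is "tcp"/"udp"/...; dport is None for packets without ports (e.g. icmp).
Packet = namedtuple("Packet", "proto src dst dport", defaults=[None])
# One access-list line: proto "ip" matches every protocol, src/dst "any" matches
# every address, dport None (no "eq") matches every port.
Entry = namedtuple("Entry", "action proto src dst dport")

def parse_acl(lines: List[str]) -> List[Entry]:
    """Parse 'access-list N permit|deny PROTO host A|any host B|any [eq PORT]'."""
    entries = []
    for line in lines:
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue                         # blank lines and anything else
        action, proto, rest = tok[2], tok[3], tok[4:]
        addrs = []
        for _ in range(2):                   # source, then destination
            if rest[0] == "host":
                addrs.append(rest[1]); rest = rest[2:]
            else:
                addrs.append("any"); rest = rest[1:]
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        entries.append(Entry(action, proto, addrs[0], addrs[1], dport))
    return entries

def matches(e: Entry, p: Packet) -> bool:
    return (e.proto in ("ip", p.proto) and e.src in ("any", p.src)
            and e.dst in ("any", p.dst) and e.dport in (None, p.dport))

def evaluate(acl: List[Entry], p: Packet) -> str:
    """First matching entry wins; no match falls through to the implicit deny."""
    for e in acl:
        if matches(e, p):
            return e.action
    return "deny"

# The two ACLs from the reply above, copied as constructed input.
ALLOW_TELNET_ONLY = parse_acl([
    "access-list 101 permit tcp host 1.1.1.1 host 2.2.2.2 eq telnet"])
BLOCK_TELNET_ALLOW_REST = parse_acl([
    "access-list 101 deny tcp host 1.1.1.1 host 2.2.2.2 eq telnet",
    "access-list 101 permit ip host 1.1.1.1 host 2.2.2.2"])
```

Running the crypto ACL from the first reply through the same evaluator shows that a packet from any third host, or in the reverse direction, gets no match and so is neither encrypted nor sent down the tunnel, which is why the mirror-image ACL is needed at the far end.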
