05-15-2014 07:41 AM - edited 03-07-2019 07:26 PM
Hello guys,
I have set up an IPsec tunnel between 2 routers. Both WANs are in different segments. So far this is OK, but I want to block any outgoing traffic that is NOT included in the ACL for the IPsec tunnel. For this I set up an ACL on the WAN interface of Router 1 (type: out), but when I tried to ping R2 from the R1 LAN (a host that is not in the encrypted domain) I can still reach R2 or even SSH to it.
Any suggestion? I know the problem is in the ACL, but I don't know how to correct it.
Please help.
05-15-2014 07:51 AM
Hi,
It would be helpful to see the relevant config bits from both ends.
05-15-2014 08:04 AM
Sure, sorry. I will put the relevant info of R1; R2 is the same but flip-flops the IP addressing.
I'm pinging from the R1 LAN, which is not included in the tunnel: 192.168.2.0
-----------------
R1:
object-group network NET-SITE1
 192.168.1.0 255.255.255.0
object-group network NET-SITE2
 10.10.10.0 255.255.255.0
ip access-list extended IPSEC-TRAFFIC
 permit ip object-group NET-SITE1 object-group NET-SITE2
ip access-list extended UNWANTED-TRAFFIC
 deny ip any any log
 deny icmp any any log
interface gi0/1
 ...
 ip access-group UNWANTED-TRAFFIC out
 ...
05-15-2014 08:08 AM
It would be good to see the tunnel config too. Are you sure that the traffic from 192.168.2.0 is not being tunnelled too?
05-15-2014 09:18 AM
Yes, I'm sure, because it is not in the ACL that allows the IPSEC-TRAFFIC, and also the tunnel is UP, so I don't know what more info about the tunnel could be useful, other than that I use the "match address IPSEC-TRAFFIC".
05-15-2014 08:17 AM
Another question - these are two routers, right? (as opposed to ASAs).
Is there a reason you are using object groups?
"Object group-based ACLs are not supported with IPsec." from http://www.cisco.com/c/en/us/td/docs/ios/sec_data_plane/configuration/guide/15_1/sec_data_plane_15_1_book/sec_object_group_acl.html#wp1132617
05-15-2014 09:02 AM
Yes, we use them because we are continuously adding more segments in both sites. For example:
object-group network NET-SITE1
 192.168.1.0 255.255.255.0
 192.168.15.0 255.255.255.0
 192.168.34.0 255.255.255.0
 192.168.110.0 255.255.255.0
object-group network NET-SITE2
 10.10.10.0 255.255.255.0
 10.10.44.0 255.255.255.0
 10.10.120.0 255.255.255.0
 10.10.1125.0 255.255.255.0
And also we have segments that we want to block, like 192.168.2.0/24.
05-15-2014 09:02 AM
If group-based ACLs on IPsec are not supported, can you please suggest a better way to do the above configuration? Thanks.
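As an added audit check (not from this thread or from Cisco), a small Python evaluator that expands the object groups the way the poster intends and reports, for a given flow, whether it matches the crypto ACL and otherwise what the egress ACL does to it; flows reported as "cleartext" are the ones that would leave the WAN interface unencrypted. It only models first-match ACL evaluation on the posted R1 snippets (group members as expanded in the later post, with the mistyped 10.10.1125.0 entry left out) and says nothing about whether IOS accepts object groups in a crypto map.

```python
import ipaddress
# Constructed sample from the R1 snippets in this thread (groups as expanded later).
R1_CONFIG = """
object-group network NET-SITE1
 192.168.1.0 255.255.255.0
 192.168.15.0 255.255.255.0
object-group network NET-SITE2
 10.10.10.0 255.255.255.0
ip access-list extended IPSEC-TRAFFIC
 permit ip object-group NET-SITE1 object-group NET-SITE2
ip access-list extended UNWANTED-TRAFFIC
 deny ip any any log
"""
def parse(config):
    """Collect object-group members and ACL entries, keyed by name."""
    groups, acls, cur = {}, {}, None
    for tok in (line.split() for line in config.splitlines() if line.strip()):
        if tok[:2] == ["object-group", "network"]:
            cur = groups.setdefault(tok[2], [])
        elif tok[:2] == ["ip", "access-list"]:
            cur = acls.setdefault(tok[3], [])
        elif cur is not None:
            cur.append(tok)
    return groups, acls

def operand(tok, i, groups):
    """Decode the address operand at tok[i]; returns (networks, tokens used)."""
    if tok[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], 1
    if tok[i] == "host":
        return [ipaddress.ip_network(tok[i + 1])], 2
    if tok[i] == "object-group":  # members are written "addr subnet-mask"
        return [ipaddress.ip_network(f"{a}/{m}") for a, m in groups[tok[i + 1]]], 2
    return [ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}")], 2  # "addr wildcard"

def permits(acl, groups, proto, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for tok in acl:  # [action, protocol, src operand..., dst operand..., options]
        s, n = operand(tok, 2, groups)
        d, _ = operand(tok, 2 + n, groups)
        if tok[1] in ("ip", proto) and any(src in x for x in s) and any(dst in x for x in d):
            return tok[0] == "permit"
    return False

def classify(config, proto, src, dst, crypto="IPSEC-TRAFFIC", egress="UNWANTED-TRAFFIC"):
    # "encrypted" if the crypto ACL matches, otherwise what the egress ACL does to it
    groups, acls = parse(config)
    if permits(acls[crypto], groups, proto, src, dst):
        return "encrypted"
    return "cleartext" if permits(acls[egress], groups, proto, src, dst) else "dropped"
```

Run it against the real configuration by pasting the object groups and ACLs into the config string and feeding it the source and destination you are testing from, e.g. the 192.168.2.0 host and an R2 LAN address.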