
New Member

Outbound ACL problem

Hello guys,

I have set up an IPsec tunnel between 2 routers. Both WANs are in different segments. So far this is OK, but I want to block any outgoing traffic that is NOT included in the ACL for the IPsec tunnel. For this I set up an ACL on the WAN interface of Router 1 (type: out), but when I tried to ping R2 from the R1 LAN (a host not in the encrypted domain) I can still reach R2 or even SSH to it.

 

Any suggestion? I know the problem is in the ACL, but I don't know how to correct it.

Please help.

  • LAN Switching and Routing
7 REPLIES
Silver

Hi,

It would be helpful to see the relevant config bits from both ends.

New Member

Sure, sorry. I will put the relevant info of R1; R2 is the same but flip-flops the IP addressing.

I'm pinging from the R1 LAN, which is not included in the tunnel: 192.168.2.0

-----------------

R1:

object-group network NET-SITE1
 192.168.1.0 255.255.255.0

object-group network NET-SITE2
 10.10.10.0 255.255.255.0

ip access-list extended IPSEC-TRAFFIC
 permit ip object-group NET-SITE1 object-group NET-SITE2

ip access-list extended UNWANTED-TRAFFIC
 deny ip any any log
 deny icmp any any log

inter gi0/1
 ...
 ip access-group UNWANTED-TRAFFIC out
 ...


Silver

It would be good to see the tunnel config too. Are you sure that the traffic from 192.168.2.0 is not being tunnelled too?

New Member

Yes, I'm sure, because it is not in the ACL that allows the IPSEC-TRAFFIC. Also the tunnel is UP, so I don't know what more info about the tunnel can be useful, other than that I use "match address IPSEC-TRAFFIC".

Silver

Another question: these are two routers, right? (As opposed to ASAs.)

Is there a reason you are using object groups?

"Object group-based ACLs are not supported with IPsec." from http://www.cisco.com/c/en/us/td/docs/ios/sec_data_plane/configuration/guide/15_1/sec_data_plane_15_1_book/sec_object_group_acl.html#wp1132617

New Member

Yes, we use them because we are continuously adding more segments in both sites. For example:

object-group network NET-SITE1
 192.168.1.0 255.255.255.0
 192.168.15.0 255.255.255.0
 192.168.34.0 255.255.255.0
 192.168.110.0 255.255.255.0

object-group network NET-SITE2
 10.10.10.0 255.255.255.0
 10.10.44.0 255.255.255.0
 10.10.120.0 255.255.255.0
 10.10.1125.0 255.255.255.0

And we also have segments that we want to block, like 192.168.2.0/24.

New Member

If group-based ACLs on IPsec are not supported, can you please suggest a better way to do the above configuration? Thanks.
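An added example, not from this thread or from Cisco: it expands the object-group-based ACEs of the posted config into plain extended ACEs, the form that a crypto map's match address takes according to the document linked above, emitting IOS wildcard masks rather than subnet masks. The sample config, the -FLAT suffix and the function names are assumptions of the example; the invalid 10.10.1125.0 entry from the post is kept so the script shows it being reported instead of silently emitted.

```python
import ipaddress
import re
from itertools import product
# Constructed sample modelled on the thread's config; 10.10.1125.0 is kept on purpose.
SAMPLE_CONFIG = """\
object-group network NET-SITE1
 192.168.1.0 255.255.255.0
 192.168.15.0 255.255.255.0
object-group network NET-SITE2
 10.10.10.0 255.255.255.0
 10.10.1125.0 255.255.255.0
ip access-list extended IPSEC-TRAFFIC
 permit ip object-group NET-SITE1 object-group NET-SITE2
"""
def parse_object_groups(config):
    """Return ({group: [IPv4Network, ...]}, [member lines that did not parse])."""
    groups, current, skipped = {}, None, []
    for line in config.splitlines():
        if line and not line[0].isspace():  # any top-level command ends the group
            current = None
        m = re.match(r"object-group network (\S+)$", line)
        if m:
            current = groups.setdefault(m.group(1), [])
            continue
        m = re.match(r"\s+(\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)\s*$", line)
        if m and current is not None:
            try:  # "address mask" member; ipaddress rejects octets above 255
                current.append(ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}"))
            except ValueError:
                skipped.append(line.strip())
    return groups, skipped
def expand_ace(ace, groups):
    """Expand one object-group ACE into plain ACEs (wildcard masks, not subnet masks)."""
    m = re.match(r"\s*(permit|deny) (\S+) object-group (\S+) object-group (\S+)", ace)
    if not m:
        raise ValueError(f"unsupported ACE: {ace.strip()}")
    action, proto, src, dst = m.groups()
    return [f"{action} {proto} {s.network_address} {s.hostmask} {d.network_address} {d.hostmask}"
            for s, d in product(groups[src], groups[dst])]

def flatten_acl(config, acl_name):
    """Rewrite acl_name as <acl_name>-FLAT with every object-group reference expanded."""
    groups, skipped = parse_object_groups(config)
    out, in_acl = [f"ip access-list extended {acl_name}-FLAT"], False
    for line in config.splitlines():
        if line.startswith("ip access-list extended "):
            in_acl = line.split()[-1] == acl_name
        elif in_acl and line.strip().startswith(("permit", "deny")):
            out.extend(" " + e for e in expand_ace(line, groups))
    return out, skipped
```

Anything returned in the skipped list needs a corrected entry before the flat ACL is referenced from match address, since a member that does not parse produces no ACE at all.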