Cisco Support Community

New Member

Access list for VPN router

I am in the process of deploying a new 3745 VPN router for Lan-to-Lan connectivity. As usual with no training at all. My biggest concern is locking down the outside interface so only VPN traffic is allowed and only from the specified addresses.

Can someone supply me with a quick and dirty access list that will allow only VPN traffic to the inside hosts and also allow vendors to ping the outside interface for testing? Any and all replies are greatly appreciated.

3 REPLIES
Bronze

Re: Access list for VPN router

Hi,

It can be something like this (IPsec = ESP):

access-list 100 permit icmp any host w.x.y.z echo

access-list 100 permit icmp any host w.x.y.z echo-reply

access-list 100 permit esp host a.b.c.d host w.x.y.z

access-list 100 permit udp host a.b.c.d host w.x.y.z eq 500

Then open up your inside LAN IPs so the IPsec-decrypted packets are allowed.

w.x.y.z = 3745 outside IP

a.b.c.d = remote VPN peer's outside IP

Thx

Afaq

New Member

Re: Access list for VPN router

Afaq,

1000 Thanks,

Dan

New Member

Re: Access list for VPN router

I applied the access list provided but found a problem. It seems a Cisco router will send the traffic through the access list twice: once for the encrypted traffic, then again for the decrypted traffic. I found this because after I applied the access list above, I could no longer ping across the tunnel. I added a "deny any any log" statement to the access list and saw that the ICMP traffic from the host on the other side was being denied, but with its real address. I opened a TAC case and they told me that this was normal behavior. So I added the decrypted traffic to the access list and all is well.

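Putting the two replies together, here is an added example of a complete inbound ACL for the 3745's outside interface that covers both passes Dan describes: the encrypted packet as it arrives on the wire, and the same packet after decryption with the real LAN addresses. This is not configuration from the thread; the addresses are assumed documentation-range values (203.0.113.2 stands in for w.x.y.z, 198.51.100.2 for the remote peer, 192.168.1.0/24 and 192.168.2.0/24 for the two LANs), the crypto map name VPN is assumed, and the UDP 4500 line is only needed if NAT traversal is in use.

```cisco
! Added example, not from the original posts. Assumed addresses:
!   203.0.113.2     = 3745 outside interface (w.x.y.z in the thread)
!   198.51.100.2    = remote IPsec peer's outside address
!   192.168.1.0/24  = inside LAN behind the 3745
!   192.168.2.0/24  = LAN behind the remote peer
!
! --- pass 1: the packet as it arrives encrypted on the outside interface ---
access-list 100 remark IKE (ISAKMP, UDP 500) from the configured peer only
access-list 100 permit udp host 198.51.100.2 host 203.0.113.2 eq isakmp
access-list 100 remark NAT-T (UDP 4500), only if a NAT sits between the peers
access-list 100 permit udp host 198.51.100.2 host 203.0.113.2 eq non500-isakmp
access-list 100 remark ESP from the configured peer only
access-list 100 permit esp host 198.51.100.2 host 203.0.113.2
access-list 100 remark vendor testing: let anyone ping the outside address;
access-list 100 remark echo-reply lets you ping out from the router itself
access-list 100 permit icmp any host 203.0.113.2 echo
access-list 100 permit icmp any host 203.0.113.2 echo-reply
!
! --- pass 2: the same packet after decryption, seen with its real addresses ---
access-list 100 remark tighten to specific hosts/ports once the tunnel works
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! Everything else is dropped and logged, which is how Dan saw the decrypted
! pings being denied with their inside addresses.
access-list 100 deny ip any any log
!
interface FastEthernet0/0
 description outside
 ip address 203.0.113.2 255.255.255.0
 ip access-group 100 in
 crypto map VPN
```

Check the result with show access-list 100 (the hit counters show which line each pass matches) and show crypto ipsec sa (encaps/decaps counters increasing once the LAN-to-LAN line is in place). The pass-2 entry is needed because the ACL sits on the physical interface where the crypto map lives; with an IPsec virtual tunnel interface the decrypted traffic is instead filtered by whatever ACL is applied to the tunnel interface.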