I am in the process of deploying a new 3745 VPN router for LAN-to-LAN connectivity. As usual, with no training at all. My biggest concern is locking down the outside interface so only VPN traffic is allowed, and only from the specified addresses.
Can someone supply me with a quick and dirty access list that will allow only VPN traffic to the inside hosts and also allow vendors to ping the outside interface for testing? Any and all replies are greatly appreciated.
I applied the access list provided but found a problem. It seems a Cisco router will send the traffic through the access list twice: once for the encrypted traffic, then again for the decrypted traffic. I found this because after I applied the access list above, I could no longer ping across the tunnel. I added a "deny any any log" statement to the access list and saw that the ICMP traffic from the host on the other side was being denied, but with its real address. I opened a TAC case and they told me that this was normal behavior. So I added the decrypted traffic to the access list and all is well.
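For reference, this is the shape of outside-interface access list the thread describes: IKE, NAT-T and ESP from the known peer only, ICMP echo to the outside interface for the vendor's tests, and a final entry for the decrypted inner traffic that the router re-evaluates against the same inbound list. It is an added example, not the list the original replier posted (which does not appear in the thread). The peer address 203.0.113.10, the outside interface address 198.51.100.1, the remote LAN 192.168.20.0/24, the local LAN 192.168.10.0/24, the interface name and the crypto map name are all placeholders.

```cisco
! Added example: outside-interface ACL for a LAN-to-LAN IPsec peer.
! All addresses and names below are assumed placeholders.
ip access-list extended OUTSIDE-IN
 remark --- IKE (UDP 500), NAT-T (UDP 4500) and ESP from the known peer only ---
 permit udp host 203.0.113.10 host 198.51.100.1 eq isakmp
 permit udp host 203.0.113.10 host 198.51.100.1 eq non500-isakmp
 permit esp host 203.0.113.10 host 198.51.100.1
 remark --- let the vendor ping the outside interface for testing ---
 permit icmp host 203.0.113.10 host 198.51.100.1 echo
 remark --- decrypted traffic is checked against this ACL a second time ---
 remark --- with its real (inner) source and destination addresses      ---
 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 remark --- keep the log entry: it shows what the second pass is dropping ---
 deny ip any any log
!
interface FastEthernet0/0
 description Outside
 ip address 198.51.100.1 255.255.255.252
 ip access-group OUTSIDE-IN in
 crypto map VPNMAP
```

The trailing `deny ip any any log` is the check the poster used: if decrypted packets are still re-evaluated on your IOS release, dropped tunnel traffic shows up in the log with the inner addresses rather than the peer's public address, which tells you exactly which inner permit is missing. Keep the inner permit as narrow as the crypto ACL for the tunnel; a blanket `permit ip any any` after the encrypted entries would defeat the purpose of locking the interface down.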