Access-list question for Cisco 1710 performing 3DES VPN tunnel

JUSTIN LOUCKS
Level 1

I have a question about the use of access-lists in the configuration of a Cisco 1710 router that uses access-lists to control traffic across the VPN tunnel.

Take the following lines for example in a configuration on the remote router. My question is whether or not the traffic matching the access-list 130 definition (anything other than 192.168.100.0 /24) would go across the VPN tunnel or go directly out the Ethernet0 interface.

My understanding is that traffic matching the access-list 120 would be encrypted and sent across the IPSec tunnel. If there were 'deny' statements in any of the access-list 120 statements, the matching traffic for those would be sent across the IPSec tunnel but not encrypted (if this is possible). And finally, since the crypto map definition only references 'match 120', any traffic matching access-list 130 would be sent out Ethernet0 but not associated with the crypto map and thereby not sent over the IPSec tunnel.

Any input or assistance would be greatly appreciated.

! Crypto map applied to the outside interface; ACL 120 selects the traffic to encrypt
crypto map Test 11 ipsec-isakmp
 ..
 match address 120
!
interface Ethernet0
 ..
 crypto map Test
!
! NAT overload (PAT) to the Ethernet0 address for traffic permitted by route-map nonat
ip nat inside source route-map nonat interface Ethernet0 overload
!
! ACL 120: interesting traffic for the IPsec tunnel (LAN to 10.10.0.0/16)
access-list 120 permit ip 192.168.100.0 0.0.0.255 10.10.0.0 0.0.255.255
!
! ACL 130: traffic to be NATed; tunnel traffic is denied so it is not translated
access-list 130 deny ip 192.168.100.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 130 permit ip 192.168.100.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 130


4 Replies

jfrahim
Level 5

ACL 130 is not used for encryption purposes. It's used to define the interesting traffic for NAT. An important point to remember is that the router sends a packet to the NAT engine first and then to the encryption engine. So you have to deny NAT for the traffic going over the IPsec tunnel, which is pretty much what you are doing in ACL 130.

All ACLs have an implicit deny at the end; that's why we normally don't put a deny statement in the encryption ACL.

Hope that explains this.

Jazib

So if the traffic is destined for Yahoo.com (matching access-list 130), would it go through the Ethernet0 interface directly (public IP for DSL circuit) just using NAT or would it ride all the way back over the tunnel and go out the default gateway of the head-end router?

It would go through the e0 interface to the Internet in clear text without going over the tunnel.

Jazib
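As an added worked example (not code from this thread or from Cisco), the following Python models the order of operations jfrahim describes and the ACLs posted in the question: a packet is checked against the NAT route-map ACL first, PAT rewrites the source to the Ethernet0 address if it matches, and only then is the crypto map's ACL 120 evaluated. The public address 203.0.113.10 and the Internet destination 198.51.100.7 are constructed placeholders, and the "no deny" variant of ACL 130 is included to show why the deny line matters.

```python
import ipaddress

E0_PUBLIC_IP = "203.0.113.10"  # constructed placeholder for the DSL public address on Ethernet0


def wildcard_net(addr, wildcard):
    """Turn an IOS address/wildcard pair (e.g. 10.10.0.0 0.0.255.255) into an IPv4Network."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


ANY = ipaddress.IPv4Network("0.0.0.0/0")
LAN = wildcard_net("192.168.100.0", "0.0.0.255")
HEADEND = wildcard_net("10.10.0.0", "0.0.255.255")

# Entries are (action, source network, destination network), first match wins.
ACL_120 = [("permit", LAN, HEADEND)]                      # crypto map: match address 120
ACL_130 = [("deny", LAN, HEADEND), ("permit", LAN, ANY)]  # route-map nonat: match ip address 130
ACL_130_NO_DENY = [("permit", LAN, ANY)]                  # constructed: the mistake jfrahim warns about


def acl_permits(acl, src, dst):
    """Evaluate an ACL top-down; every ACL ends with an implicit deny."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, s_net, d_net in acl:
        if src in s_net and dst in d_net:
            return action == "permit"
    return False


def classify(src, dst, nat_acl=ACL_130, crypto_acl=ACL_120):
    """Model of the IOS order: NAT engine first, then the crypto map on Ethernet0.

    Returns 'ipsec-tunnel', 'clear-text-nat' or 'clear-text-no-nat'.
    """
    natted = acl_permits(nat_acl, src, dst)
    if natted:
        src = E0_PUBLIC_IP  # PAT overload rewrites the source to the Ethernet0 address
    # The crypto map sees the post-NAT packet; a translated source no longer matches ACL 120.
    if acl_permits(crypto_acl, src, dst):
        return "ipsec-tunnel"
    return "clear-text-nat" if natted else "clear-text-no-nat"
```

Traffic from the LAN to 10.10.0.0/16 is exempted from NAT and encrypted, everything else is translated and leaves Ethernet0 in clear text; without the deny line, even the head-end traffic would be translated first and miss the crypto map.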

I appreciate your answer on this. This was my understanding, but someone told my boss that I was wasting our Internet Ts at corporate because the above mentioned configuration was sending all traffic across the tunnel and out of the head-end gateway. Thanks for the reassurance...