Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Access-list question for Cisco 1710 performing 3DES VPN tunnel

I have a question about the use of access-lists in the configuration of a Cisco 1710 router that uses access-lists to control traffic across the VPN tunnel.

Take the following lines for example in a configuration on the remote router. My question is whether or not the traffic matching the access-list 130 definition (anything other than 192.168.100.0 /24) would go accross the VPN tunnel or go directly out the Ethernet0 interface.

My understanding is that traffic matching the access-list 120 would be encrypted and sent across the IPSec tunnel. If there were 'deny' statements in any of the access-list 120 statements, the matching traffic for those would be sent accross the IPSec tunnel but not encrytped (if this is possible). And finally, since the crypto map definition only references 'match 120' , any traffic matching access-list 130 would be sent out Ethernet0 but not associated with the crypto map and thereby not sent over the IPSec tunnel.

Any input or assistance would be greatly appreciated.

Crypto map Test 11 ipsec-isakmp

..

match address 120

Interface Ethernet0

..

crypto map Test

ip nat inside source route-map nonat interface Ethernet0 overload

access-list 120 permit ip 192.168.100.0 0.0.0.255 10.10.0.0 0.0.255.255

access-list 130 deny ip 192.168.100.0 0.0.0.255 10.10.0.0 0.0.255.255

access-list 130 permit ip 192.168.100.0 0.0.0.255 any

route-map nonat permit 10

match ip address 130

1 ACCEPTED SOLUTION

Accepted Solutions
Bronze

Re: Access-list question for Cisco 1710 performing 3DES VPN tunn

It would go through the e0 interface to the Internet in clear text without going over the tunnel

Jazib

4 REPLIES
Bronze

Re: Access-list question for Cisco 1710 performing 3DES VPN tunn

ACL 130 is not used for Encryption purposed. It's used to define the interesting traffic for NAT. An inportant point to remember is, router sends a packet to the NAT engine first and then to the encryption engine. So you have to deny NAT for the traffic going over the IPsec tunnel, which is pretty much what you are doing in ACL 130

All ACLs have an implicit deny at the end, that's why we normally don't put a deny statement in the encryption ACL

Hope that explains this

Jazib

New Member

Re: Access-list question for Cisco 1710 performing 3DES VPN tunn

So if the traffic is destined for Yahoo.com (matching access-list 130), would it go through the Ethernet0 interface directly (public IP for DSL circuit) just using NAT or would it ride all the way back over the tunnel and go out the default gateway of the head-end router?

Bronze

Re: Access-list question for Cisco 1710 performing 3DES VPN tunn

It would go through the e0 interface to the Internet in clear text without going over the tunnel

Jazib

New Member

Re: Access-list question for Cisco 1710 performing 3DES VPN tunn

I appreciate your answer on this. This was my understanding, but someone told my boss that I was wasting our Internet Ts at corporate because the above mentioned configuration was sending all traffic across the tunnel and out of the head-end gateway. Thanks for the re-assurance...

104
Views
0
Helpful
4
Replies
CreatePlease login to create content