Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

access lists and VPN

I have a Cisco 831 with router to router VPN's configured. I have an access list and firewall applied to the ethernet 0 interface. I need traffic from the remote VPN sites to be able to initiate a connection to nodes on the LAN side (ethernet 0) of this router. Do I need to add a permit to the access list applied to the ethernet 0 interface to allow the traffic from the LAN IP's of the remote networks or is VPN traffic automatically allowed based on the access list applied to the crypto map?

Second, if I need to add the permit to the ethernet 0 access list, will this work:

access-list 101 permit ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.255.255

or do I have to specify all 3 octets of the destination networks individually?

i.e.

access-list 101 permit ip 192.168.100.0 0.0.0.255 192.168.60.0 0.0.0.255

access-list 101 permit ip 192.168.100.0 0.0.0.255 192.168.58.0 0.0.0.255

4 REPLIES
Community Member

Re: access lists and VPN

Your first access list will not work.

You need to specific about your access lists on the remote end and head end.

I would assume that your head end segment is 192.168.100.0/24 and your remote sites are 192.168.58.0/24 and 192.168.60.0/24.

Remote site 1

access-list 101 permit 192.168.58.0 0.0.0.255 192.168.100.0 0.0.0.255

Remote site 2

access-list 101 permit 192.168.60.0 0.0.0.255 192.168.100.0 0.0.0.255

Head end

access-list 101 permit 192.168.100.0 0.0.0.255 192.168.58.0 0.0.0.255

access-list 101 permit 192.168.100.0 0.0.0.255 192.168.60.0 0.0.0.255

Hope it helps

Community Member

Re: access lists and VPN

OK, thanks. I was afraid of that but wasn't sure. Do I need to add rules to the access list on the ethernet 0 interface to let the traffic from the VPN remote sites pass or does the "match address" access list associated with the crypto maps take care of it?

Thanks again.

Gold

Re: access lists and VPN

below is a sample config:

access-list outbound_e0 permit ip

access-list inbound_e1 permit udp host host eq 500

access-list inbound_e1 permit esp hsot host

access-list inbound_e1 permit ip

access-list no_nat permit ip

access-list l2lvpn permit ip

Community Member

Re: access lists and VPN

The access list I have applied to ethernet 0 is to control traffic flowing from the router to the LAN. So shouldn't this:

access-list outbound_e0 permit ip

actually be

access-list outbound_e0 permit ip

?

95
Views
0
Helpful
4
Replies
CreatePlease to create content