access lists and VPN

wsclowers
Level 1

I have a Cisco 831 with router to router VPN's configured. I have an access list and firewall applied to the ethernet 0 interface. I need traffic from the remote VPN sites to be able to initiate a connection to nodes on the LAN side (ethernet 0) of this router. Do I need to add a permit to the access list applied to the ethernet 0 interface to allow the traffic from the LAN IP's of the remote networks or is VPN traffic automatically allowed based on the access list applied to the crypto map?

Second, if I need to add the permit to the ethernet 0 access list, will this work:

access-list 101 permit ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.255.255

or do I have to specify all 3 octets of the destination networks individually?

i.e.

access-list 101 permit ip 192.168.100.0 0.0.0.255 192.168.60.0 0.0.0.255

access-list 101 permit ip 192.168.100.0 0.0.0.255 192.168.58.0 0.0.0.255

4 Replies

mike.botha
Level 1

Your first access list will not work.

You need to be specific about your access lists on the remote end and head end.

I would assume that your head end segment is 192.168.100.0/24 and your remote sites are 192.168.58.0/24 and 192.168.60.0/24.

Remote site 1

access-list 101 permit ip 192.168.58.0 0.0.0.255 192.168.100.0 0.0.0.255

Remote site 2

access-list 101 permit ip 192.168.60.0 0.0.0.255 192.168.100.0 0.0.0.255

Head end

access-list 101 permit ip 192.168.100.0 0.0.0.255 192.168.58.0 0.0.0.255

access-list 101 permit ip 192.168.100.0 0.0.0.255 192.168.60.0 0.0.0.255

Hope it helps
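As an added example (not from this thread or any Cisco tool), a small Python check that parses IOS-style crypto ACL entries, converts address/wildcard pairs to networks, and reports whether each remote-site entry has an exact mirror on the head end, is only covered by a broader summary like the /16 in the original question, or is missing altogether. The sample ACLs below are constructed from the addresses in the thread.

```python
import ipaddress
import re

# Constructed sample input: head-end and remote-site crypto ACLs built from the
# networks named in the thread (extended ACLs need the "ip" protocol keyword).
HEAD_END = """
access-list 101 permit ip 192.168.100.0 0.0.0.255 192.168.58.0 0.0.0.255
access-list 101 permit ip 192.168.100.0 0.0.0.255 192.168.60.0 0.0.0.255
"""
REMOTE_SITE_1 = "access-list 101 permit ip 192.168.58.0 0.0.0.255 192.168.100.0 0.0.0.255"
# The summary entry proposed in the question: one /16 wildcard for all remote sites.
SUMMARY_HEAD_END = "access-list 101 permit ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.255.255"

ACE_RE = re.compile(r"^access-list\s+\S+\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair into an IPv4Network.
    Inverting the wildcard gives the netmask; IPv4Network (strict mode) rejects
    a non-contiguous mask or an address with host bits set, so typos surface."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))))

def parse_acl(text):
    """Return the (source_net, destination_net) pairs of a crypto ACL."""
    pairs = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised ACE: {line!r}")
        src, src_wc, dst, dst_wc = m.groups()
        pairs.append((wildcard_to_network(src, src_wc), wildcard_to_network(dst, dst_wc)))
    return pairs

def classify(head_end_acl, remote_acl):
    """For each remote-site ACE report 'mirror' when the head end holds the exact
    reverse entry, 'covered' when a head-end entry is a superset of it in both
    directions (the /16 summary case), otherwise 'missing'."""
    head = parse_acl(head_end_acl)
    report = []
    for r_src, r_dst in parse_acl(remote_acl):
        if (r_dst, r_src) in head:
            status = "mirror"
        elif any(r_dst.subnet_of(h_src) and r_src.subnet_of(h_dst) for h_src, h_dst in head):
            status = "covered"
        else:
            status = "missing"
        report.append((f"{r_src} -> {r_dst}", status))
    return report
```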

OK, thanks. I was afraid of that but wasn't sure. Do I need to add rules to the access list on the ethernet 0 interface to let the traffic from the VPN remote sites pass or does the "match address" access list associated with the crypto maps take care of it?

Thanks again.

Below is a sample config:

access-list outbound_e0 permit ip

access-list inbound_e1 permit udp host host eq 500

access-list inbound_e1 permit esp host host

access-list inbound_e1 permit ip

access-list no_nat permit ip

access-list l2lvpn permit ip

The access list I have applied to ethernet 0 is to control traffic flowing from the router to the LAN. So shouldn't this:

access-list outbound_e0 permit ip

actually be

access-list outbound_e0 permit ip

?