12-07-2005 09:05 AM - edited 02-21-2020 02:08 PM
I have a Cisco 831 with router-to-router VPNs configured. I have an access list and firewall applied to the ethernet 0 interface. I need traffic from the remote VPN sites to be able to initiate a connection to nodes on the LAN side (ethernet 0) of this router. Do I need to add a permit to the access list applied to the ethernet 0 interface to allow the traffic from the LAN IPs of the remote networks, or is VPN traffic automatically allowed based on the access list applied to the crypto map?
Second, if I need to add the permit to the ethernet 0 access list, will this work:
access-list 101 permit ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.255.255
or do I have to specify all 3 octets of the destination networks individually?
i.e.
access-list 101 permit ip 192.168.100.0 0.0.0.255 192.168.60.0 0.0.0.255
access-list 101 permit ip 192.168.100.0 0.0.0.255 192.168.58.0 0.0.0.255
12-07-2005 12:14 PM
Your first access list will not work.
You need to be specific about your access lists on the remote end and head end.
I would assume that your head end segment is 192.168.100.0/24 and your remote sites are 192.168.58.0/24 and 192.168.60.0/24.
Remote site 1
access-list 101 permit ip 192.168.58.0 0.0.0.255 192.168.100.0 0.0.0.255
Remote site 2
access-list 101 permit ip 192.168.60.0 0.0.0.255 192.168.100.0 0.0.0.255
Head end
access-list 101 permit ip 192.168.100.0 0.0.0.255 192.168.58.0 0.0.0.255
access-list 101 permit ip 192.168.100.0 0.0.0.255 192.168.60.0 0.0.0.255
Hope it helps
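To see what the wildcard masks in the two access-list variants above actually admit, here is a small IOS-style ACL matcher (an added example, not code from this thread or from Cisco). It evaluates constructed source/destination pairs against the broad 0.0.255.255 entry and the per-site 0.0.0.255 entries: the broad entry matches both remote sites, but also every other 192.168.x.x destination, while the per-site entries match only the two VPN networks.

```python
import ipaddress

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """True if addr falls in network/wildcard (IOS wildcard: 1 bits are don't-care)."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))  # bits that must match
    return (a & care) == (n & care)

def parse_ace(line: str) -> dict:
    """Parse 'access-list <n> permit|deny ip <src> <swc> <dst> <dwc>' (the only form used here)."""
    f = line.split()
    if len(f) != 8 or f[0] != "access-list" or f[3] != "ip" or f[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line!r}")
    return {"action": f[2], "src": f[4], "swc": f[5], "dst": f[6], "dwc": f[7]}

def evaluate(acl: list, src: str, dst: str) -> str:
    """First-match evaluation, with the implicit 'deny any any' at the end of every IOS ACL."""
    for line in acl:
        ace = parse_ace(line)
        if wildcard_match(src, ace["src"], ace["swc"]) and wildcard_match(dst, ace["dst"], ace["dwc"]):
            return ace["action"]
    return "deny"

# The two variants from the thread (head-end LAN 192.168.100.0/24, remote sites .58 and .60).
BROAD_ACL = ["access-list 101 permit ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.255.255"]
SPECIFIC_ACL = [
    "access-list 101 permit ip 192.168.100.0 0.0.0.255 192.168.60.0 0.0.0.255",
    "access-list 101 permit ip 192.168.100.0 0.0.0.255 192.168.58.0 0.0.0.255",
]

# Constructed sample flows: two real VPN sites and one 192.168 network that is not a VPN site.
SAMPLE_FLOWS = [
    ("192.168.100.5", "192.168.60.10"),   # head end -> remote site 2
    ("192.168.100.5", "192.168.58.10"),   # head end -> remote site 1
    ("192.168.100.5", "192.168.77.10"),   # head end -> some other 192.168.x.0 network
]

def compare(flows=SAMPLE_FLOWS) -> list:
    """Return (src, dst, broad_result, specific_result) for each flow."""
    return [(s, d, evaluate(BROAD_ACL, s, d), evaluate(SPECIFIC_ACL, s, d)) for s, d in flows]

if __name__ == "__main__":
    for src, dst, broad, specific in compare():
        print(f"{src} -> {dst}: broad={broad} specific={specific}")
```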
12-07-2005 01:42 PM
OK, thanks. I was afraid of that but wasn't sure. Do I need to add rules to the access list on the ethernet 0 interface to let the traffic from the VPN remote sites pass or does the "match address" access list associated with the crypto maps take care of it?
Thanks again.
12-07-2005 03:41 PM
Below is a sample config:
access-list outbound_e0 permit ip
access-list inbound_e1 permit udp host
access-list inbound_e1 permit esp host
access-list inbound_e1 permit ip
access-list no_nat permit ip
access-list l2lvpn permit ip
12-08-2005 06:31 AM
The access list I have applied to ethernet 0 is to control traffic flowing from the router to the LAN. So shouldn't this:
access-list outbound_e0 permit ip
actually be
access-list outbound_e0 permit ip
?