ACL question

I have a router with an interface facing the internet. I want to use this router to set up LAN-to-LAN IPsec VPNs. I want to implement an ACL on that interface to protect my router and network. I want to allow only VPN traffic. What should the access list look like (assuming I'm using the IP address 1.1.1.1/28 on my router interface)?

Thanks in advance..


Re: ACL question

Hi Ahmed,

When filtering at the edge, there is not too much to see:

IKE protocol --> udp 500

IPSec protocols:

ESP protocol --> ip protocol 50

AH protocol ---> ip protocol 51

For NAT transparency:

udp 4500 or tcp (port number has to be configured)

So the access-list looks like:

!!! Extended ACL: source is any (the remote IPsec peers), destination is this router's /28 block

Router(config)#access-list 100 permit esp any 1.1.1.1 0.0.0.15

Router(config)#access-list 100 permit ahp any 1.1.1.1 0.0.0.15

Router(config)#access-list 100 permit udp any 1.1.1.1 0.0.0.15 eq 500

Router(config)#access-list 100 permit udp any 1.1.1.1 0.0.0.15 eq 4500

!!! Everything else is dropped by the implicit "deny ip any any" at the end of the list

!!! And assign it inbound on the interface to which the crypto map is bound

Router(config-if)#ip access-group 100 in

!!!

You can also set a symmetric ACL at the IPsec peer on the other side.

I hope this will help.

Have a good work!

AJN
