Cisco Support Community

ACL question

I have a router with an interface facing the internet. I want to use this router to set up LAN-to-LAN IPsec VPNs. I want to implement an ACL on that interface to protect my router and network. I want to allow only VPN traffic. What should the access list look like (assuming I'm using the IP address on my router interface)?

Thanks in advance..


Re: ACL question

Hi Ahmed,

When filtering at the edge, there is not too much to see:

IKE protocol --> udp 500

IPSec protocols:

ESP protocol --> ip protocol 50

AH protocol ---> ip protocol 51

For NAT transparency:

udp 4500 or tcp (port number has to be configured)

So the access-list looks like:

! 203.0.113.1 stands for the router's outside (Internet-facing) interface address; substitute your own.
Router(config)#access-list 100 permit esp any host 203.0.113.1
Router(config)#access-list 100 permit ahp any host 203.0.113.1
Router(config)#access-list 100 permit udp any host 203.0.113.1 eq 500
Router(config)#access-list 100 permit udp any host 203.0.113.1 eq 4500
! Anything not matched above is dropped by the implicit deny at the end of the ACL.
! Assign it inbound on the interface to which the crypto map is bound
! (GigabitEthernet0/0 is used here as the outside interface name; substitute your own):
Router(config)#interface GigabitEthernet0/0
Router(config-if)#ip access-group 100 in


You can also set a symmetric ACL at the IPsec peer on the other side.

I hope this will help.

Have a good work!
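A tighter version of the edge ACL described in the reply above, added here as an example and not taken from the original post. Because a LAN-to-LAN VPN has a fixed set of peers, the example restricts IKE, NAT-T, ESP and AH to the known peer address instead of "any", so that arbitrary Internet hosts cannot reach the router's IKE daemon at all. It uses a named extended ACL and the IOS port keywords isakmp (UDP/500) and non500-isakmp (UDP/4500). All addresses, the interface name and the crypto map name are placeholders chosen for the example.

```cisco
! Added example (not from the original post). Placeholders:
!   203.0.113.1  = this router's Internet-facing interface address
!   198.51.100.7 = the remote IPsec peer
!   VPN-MAP      = the crypto map already configured for the LAN-to-LAN tunnel
ip access-list extended OUTSIDE-IN
 remark --- IKE (ISAKMP, UDP/500) from the known VPN peer only
 permit udp host 198.51.100.7 host 203.0.113.1 eq isakmp
 remark --- IKE NAT traversal (UDP/4500), only needed if a NAT device sits between the peers
 permit udp host 198.51.100.7 host 203.0.113.1 eq non500-isakmp
 remark --- IPsec payload: ESP (IP protocol 50) and AH (IP protocol 51)
 permit esp host 198.51.100.7 host 203.0.113.1
 permit ahp host 198.51.100.7 host 203.0.113.1
 remark --- everything else is dropped; an explicit logged deny makes probes visible
 deny ip any any log
!
interface GigabitEthernet0/0
 description Internet-facing interface
 ip address 203.0.113.1 255.255.255.252
 ip access-group OUTSIDE-IN in
 crypto map VPN-MAP
!
! Verification after bringing the tunnel up:
!   show access-lists OUTSIDE-IN     -> hit counters on the permit lines should increase,
!                                       and the deny line shows what is being dropped
!   show crypto isakmp sa            -> IKE SA with 198.51.100.7 in state QM_IDLE
!   show crypto ipsec sa             -> encaps/decaps counters climbing
```

Add one set of permit lines per peer if there are several tunnels. Depending on the IOS release and on whether a crypto map or a tunnel interface (VTI) is used, the decrypted inner traffic may also be evaluated against this inbound ACL; check the hit counters with show access-lists after a test ping across the tunnel before relying on the ACL in production.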
