Cisco Support Community
New Member

ACL/Site-to-Site VPN

Configuring site-to-site VPN on 2821. Remote endpoint is 7206. On 2821, have 2 active interfaces, serial facing the ISP and Ethernet facing LAN. Tunnel endpoint on 2821 is terminating on LAN facing Ethernet interface. Question is this, do I need to create inbound ACLs on 2821 serial interface permitting those networks transiting the tunnel into the 2821 or can I just permit the remote endpoint's IP address? Thanks in advance.


Re: ACL/Site-to-Site VPN


What you need is to define ACL (for interesting traffic) that will trigger the VPN tunnel.

Specify your LAN IP/subnet/network in the ACL and permit it to access/reach remote LAN/network on the peer VPN router.

Other than that, you only need to ensure your router, via its serial interface, is able to reach remote router serial. Check the routing as well.

Unless you have an ACL on your serial, then you need to add the remote router's serial to come in.



Hall of Fame Super Gold

Re: ACL/Site-to-Site VPN


You have given a good explanation about the function of ACL in controlling IPSec VPN and identifying traffic to be protected by the VPN. But as I read the original post I am not sure that is what was being asked about. I believe the original question wants to know, if an access list is being configured inbound on the serial interface, what it needs to permit for the VPN to work. In particular I think it wants to know whether the source and destination networks (LANs) need to be permitted or just the peer address. If that is the correct understanding then the answer is just the IPSec peer addresses need to be specified in the inbound ACL.
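The two replies above describe two different ACLs that are easy to confuse: the crypto ACL that selects interesting traffic, and the inbound ACL on the ISP-facing serial that only has to admit the IKE and ESP packets from the peer. The following IOS configuration, written here as an added illustration and not taken from the thread or from either poster, shows both side by side on the 2821. All addresses are placeholders from the documentation ranges (local LAN 192.0.2.0/24, remote LAN 198.51.100.0/24, 2821 serial 203.0.113.1, 7206 peer 203.0.113.2), the pre-shared key is a placeholder, and the IKE policy assumes a 15.x release that accepts `hash sha256` and `group 14`.

```cisco
! Added example configuration for the 2821 (not from the thread). Placeholder addresses:
!   local LAN 192.0.2.0/24, remote LAN 198.51.100.0/24 behind the 7206,
!   2821 serial 203.0.113.1, 7206 peer 203.0.113.2
!
! 1. Crypto ACL: the "interesting traffic" that triggers the tunnel and is encrypted.
!    This ACL says nothing about what the serial interface ACL must admit.
ip access-list extended VPN-INTERESTING
 remark LAN-to-LAN traffic that must be protected by the tunnel
 permit ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255
!
! 2. Inbound ACL on the ISP-facing serial. Only the peer's IKE and ESP packets need to be
!    permitted. The remote LAN 198.51.100.0/24 is deliberately absent: on the wire it never
!    appears as a source address, it arrives encapsulated in ESP from 203.0.113.2.
ip access-list extended SERIAL-IN
 remark IKE (UDP/500) from the IPsec peer
 permit udp host 203.0.113.2 host 203.0.113.1 eq isakmp
 remark NAT-T (UDP/4500), only needed when a NAT device sits between the peers
 permit udp host 203.0.113.2 host 203.0.113.1 eq non500-isakmp
 remark ESP (IP protocol 50) carrying the encrypted LAN-to-LAN traffic
 permit esp host 203.0.113.2 host 203.0.113.1
 remark explicit final deny so dropped packets show up in the log for troubleshooting
 deny ip any any log
!
! 3. IKE and IPsec policy, and the crypto map that references the crypto ACL.
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-PSK address 203.0.113.2
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address VPN-INTERESTING
!
! 4. Both the inbound ACL and the crypto map are applied to the ISP-facing interface,
!    because that is where the encrypted packets enter and leave.
interface Serial0/0/0
 ip address 203.0.113.1 255.255.255.252
 ip access-group SERIAL-IN in
 crypto map VPN-MAP
!
! 5. The remote LAN must be routed out the serial so the crypto map sees it and encrypts it.
ip route 198.51.100.0 255.255.255.0 203.0.113.2
```

Two points worth checking against the original question. First, if the 2821's IPsec endpoint is meant to be the address of the LAN-facing Ethernet interface rather than the serial, the crypto map still belongs on the serial interface; `crypto map VPN-MAP local-address <interface>` makes the map source its IKE and ESP packets from that other interface's address, and the destination host in SERIAL-IN then has to be that address instead of 203.0.113.1. Second, the "peer addresses only" answer holds for current IOS; on older releases (before the 12.3T-era change that stopped re-checking decrypted packets against the inbound ACL) the clear-text LAN traffic was evaluated a second time after decryption, so if the tunnel comes up but LAN-to-LAN traffic is dropped, verify that behaviour on the release in use with `show access-lists` counters and the log entries from the final deny.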


