Cisco Support Community
Community Member

ACLs on the IPSec tunnel termination

Hello all,

Can anybody help me with this problem? I want to connect two LANs with private addresses (10.8.6.x and 10.8.15.x) via a public IP network (a sort of mini-VPN).

So I try to make an IPsec tunnel:

LAN1 (10.8.6.x)
Router1 --- s0/0 (x.y.z.u)
        |
IPsec through WAN (public)
        |
Router2 --- s0/0 (a.b.c.d)
LAN2 (10.8.15.x)

I don't use any NAT on the tunnel termination interfaces because IPsec should hide my 10.x addresses from any indelicate glances (I hope).

So, this is the question: what ACLs should I use on the input of the IPsec interfaces? I thought the following would be the right ones (for the x.y.z.u end):

permit icmp any host x.y.z.u

permit ip host a.b.c.d host x.y.z.u

I.e., my end of the tunnel accepts only the packets that come from the other side. Then it extracts the internal packet and forwards it without applying any ACLs to it. And all the other traffic (probably coming from the enemies roving around my tunnel) is dropped. At least I believed it would work this way.

But unfortunately the IPsec session cannot even be established with these ACLs (at least pings cannot go through). It starts to work only with these ACLs:

permit icmp any host x.y.z.u

permit ip host a.b.c.d any

permit ip any

Any attempt to make them stricter causes the tunnel to go down. And I cannot monitor where exactly the IPsec traffic wants to go (using ACL entries with the log option), because the router is too slow for this and the tunnel becomes half-dead. But those few packets I can catch are apparently payload traffic between the LANs, which, as I believed, is not subject to filtering.

So, the questions:

1) Why should I add the ACL entries which do not seem to be necessary?

2) Isn't it dangerous (I mean the possibility of intrusion from outside of the tunnel)?

3) What are those ACLs applied to: to the carrier (external) packets, to the payload (internal) packets, or both?

4) How should those ACLs actually look, according to science?
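The ACL behaviour the post asks about, worked through in an added Python simulation. This is not code from the original thread or from Cisco: it models first-match extended ACL evaluation with the implicit deny at the end, then runs the poster's first ACL and a tighter alternative against the packets an IPsec tunnel actually produces on the inbound side of the local router. Addresses are constructed placeholders (192.0.2.1 stands in for x.y.z.u, 198.51.100.1 for a.b.c.d, 203.0.113.9 for an unrelated internet host). The key assumption, marked in the code, is the behaviour of older IOS releases, which evaluated the inbound ACL of the crypto interface twice: once against the encrypted ESP packet and again against the decrypted inner packet. Under that assumption the poster's first ACL lets IKE and ESP in but drops every decrypted LAN-to-LAN packet, which is exactly the "half-dead tunnel" symptom described above.

```python
# Added example: Cisco-style extended ACL evaluation on an IPsec termination
# interface.  Not the poster's or Cisco's code; addresses are placeholders.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

LOCAL_END = "192.0.2.1"      # stands in for x.y.z.u (this router's s0/0)
REMOTE_END = "198.51.100.1"  # stands in for a.b.c.d (the peer's s0/0)

PROTO_NUM = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "esp": 50}
PORT_NAME = {"isakmp": 500, "telnet": 23}


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str
    proto: Optional[int]  # None means the "ip" keyword: any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _parse_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # Cisco wildcard masks are inverted netmasks; ipaddress accepts that form.
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}")


def parse_ace(line: str) -> Ace:
    """Parse one entry such as 'permit udp host A host B eq isakmp'."""
    tokens = line.split()
    action, proto = tokens.pop(0), PROTO_NUM[tokens.pop(0)]
    src, dst = _parse_addr(tokens), _parse_addr(tokens)
    dport = None
    if tokens and tokens[0] == "eq":
        dport = PORT_NAME.get(tokens[1]) or int(tokens[1])
    return Ace(action, proto, src, dst, dport)


def matches(ace: Ace, pkt: Packet) -> bool:
    return ((ace.proto is None or ace.proto == pkt.proto)
            and ipaddress.ip_address(pkt.src) in ace.src
            and ipaddress.ip_address(pkt.dst) in ace.dst
            and (ace.dport is None or ace.dport == pkt.dport))


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; a Cisco ACL ends with an implicit deny."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action
    return "deny"


# Constructed sample traffic arriving inbound on the local crypto interface.
TRAFFIC: Dict[str, Packet] = {
    "isakmp_from_peer": Packet(17, REMOTE_END, LOCAL_END, 500),
    "esp_from_peer": Packet(50, REMOTE_END, LOCAL_END),
    # Inner packet after decryption (LAN2 host pinging LAN1 host).  Assumed
    # older-IOS behaviour: it is checked against the same inbound ACL again.
    "decrypted_inner": Packet(1, "10.8.15.20", "10.8.6.10"),
    # Unrelated internet traffic aimed at the router itself.
    "stray_telnet": Packet(6, "203.0.113.9", LOCAL_END, 23),
}

# The poster's first attempt, which brought the tunnel down.
POSTER_ACL = [parse_ace(l) for l in (
    f"permit icmp any host {LOCAL_END}",
    f"permit ip host {REMOTE_END} host {LOCAL_END}",
)]

# Tighter alternative: only IKE and ESP from the peer, plus the decrypted
# LAN-to-LAN traffic for releases that re-check it.  No "any" source needed.
TIGHT_ACL = [parse_ace(l) for l in (
    f"permit udp host {REMOTE_END} host {LOCAL_END} eq isakmp",
    f"permit esp host {REMOTE_END} host {LOCAL_END}",
    "permit ip 10.8.15.0 0.0.0.255 10.8.6.0 0.0.0.255",
)]


def run(acl: List[Ace]) -> Dict[str, str]:
    """Return the permit/deny verdict for each sample packet."""
    return {name: evaluate(acl, pkt) for name, pkt in TRAFFIC.items()}


if __name__ == "__main__":
    for label, acl in (("poster's ACL", POSTER_ACL), ("tightened ACL", TIGHT_ACL)):
        print(label, run(acl))
```

Running the block prints the verdicts for both lists: the poster's ACL permits the IKE and ESP packets from the peer but denies the decrypted 10.8.15.x to 10.8.6.x packet, while the tightened list permits all three and still drops the stray packet aimed at the router. The third entry of the tightened list is what the broad `permit ip ... any` entries in the post were standing in for; whether it is needed at all depends on the IOS release, so the behaviour should be confirmed against the documentation for the version in use rather than assumed.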

Community Member

Re: ACLs on the IPSec tunnel termination

This conversation might be helpful to you:

There are a few links in that thread that you should read.
