How do I restrict traffic on a IPSEC tunnel on a router other than using the access-lists that are used to identify which traffic is encryted
On the interface that the crypto is bound to, how is the access-list that controls normal traffic supposed to behave. I have had to modify this access-list to allow VPN traffic to flow. It appears that once the VPN traffic hits the router it is then passed through the access-list on that interface. I find this a little confusing. If I want to allow IP packets from a trusted IP host through the tunnel I don't see why I need to modify the access-list that protects the router from the internet. If someone was to spoof the trusted address this would allow them access.
Once a packet is switched and comes to the crypto interface, it encrypts the traffic and sends. All other packets which are switched to this interface will go as clear text traffic. This is the normal order of IPSec processing. The crypto access-list simply picks up the interesting packets coming to the crypto interface, applies crypto policy and sends it. Hope its clear.
I did some little research on both interface access-list and crypto access-list.
Just want to share some observations for outbound traffic.
1. All traffic which matches the crypto access-list goes through the crypto interface as encrypted traffic regardless of whether an interface access-list allows it or denies it. That is the interface access-list is bypassed.
2. All traffic which doesn't match the crypto access-list goes through the crypto interface as clear text traffic again regardless of whether the interface access-list allows it or denies it.
3. Without any crypto map applied on the interface, the regular interface access-list takes over for traffic filtering.
Think similar situation will be for inbound traffic also. Let me know if you see the same.
Any VPN traffic passes through the ACL configuration in an interface twice. Once before encryption and once after encryption. So you need to permit the VPN related protocols as well as the VPN interesting traffic in your ACL.
Please correct me if I am wrong but you don't require crypto access-list with Dynamic VPN clients. So the question is for those clients you open your inbound ACL to ESP and UDP 500. I am having a similar issue where my VPN client picks the ip address from IP local pool but then my interface inbound ACL doesn't allow that network. I don't want to open my ACL to allow the network of my local pool because someone could spoof it. Any thoughts ?
DocumentationPrerequisite and code download linksGoalLimitations/RestrictionsTopologyHow OpenDNS worksStep by Step ConfigurationUpgrade the router image to Polaris (16.3) or higher imageUpgrade rommomImport CA certificate to the trust poolGet the t...
DocumentationPrerequisite and code download linksGoalLimitations/RestrictionsTopologyHow OpenDNS worksStep by Step ConfigurationUpgrade the router image to Polaris (16.3) or higher imageUpgrade rommomImport CA certificate to the trust poolGet the token to...
Show Name: ASA/FTD Troubleshooting Enhancements and Cisco Live US 2018
Contributors: Kevin Klous, Jay Johnston, and Magnus Mortensen
Posting Date: June 2018
Description: The team discusses the recently released troubleshooting...