Re: Is this a valid IPSEC access-list?

jrogalski · ‎12-12-2001

Hello,

does anyone know if this IPSEC access list will cause trouble? Each numbered list is set to a different peer.

100 permit ip 10.11.129.0 0.0.0.255 10.11.131.0 0.0.0.255

102 permit ip 10.11.129.0 0.0.0.255 10.11.133.0 0.0.0.255

104 permit ip 10.11.129.0 0.0.0.255 10.11.135.0 0.0.0.255

170 deny ip 10.11.129.0 0.0.0.255 10.11.131.0 0.0.0.255

170 deny ip 10.11.129.0 0.0.0.255 10.11.133.0 0.0.0.255

170 deny ip 10.11.129.0 0.0.0.255 10.11.135.0 0.0.0.255

170 permit ip 10.11.129.0 0.0.0.255 any

Thanks,

John.

gbbromley · ‎12-12-2001

Making sure you have defined the crypto map and transforms sets correctly then the above would work.

ACL 170 could be rewritten as just:

permit ip 10.11.129.0 0.0.0.255 any

One not, the above would start the VPN link up for ANY traffic from 10.11.129.0 passing through the router. Maybe not quite what you intended?

jrogalski · ‎12-12-2001

Thanks for the response. Just to verify, this is what I would have for the transform-set and crypto map:

crypto ipsec transform-set transform1 ah-md5-hmac esp-des

crypto map ipsec-map 1 ipsec-isakmp

set peer xxx.xxx.xxx.xxx

set security-association lifetime seconds 86400

set transform-set transform1

match address 100

The other crypto maps would be similar except the number, peer, and access-list. The crypto map is then applied to the serial interface.

I am already pushing all traffic through the tunnels. There is an AT&T frame router on the same network as the peer for list 170. Currently, I need to have each network on the AT&T side in the access list. I was thinking that if I put the access-list for this peer at the bottom (170) instead of where I have it now (100 with each AT&T network explicity listed) I could still keep a meshed topology and use the "any" keyword to avoid updating the lists each time a new network is added to the AT&T side.

Thanks again for your help!