Cisco Support Community
Community Member

stupid question: access list to restrict IPSEC VPN traffic?

I've got a site-to-site IPSEC VPN tunnel working just fine between a couple of routers.

Aside from the "interesting traffic" access-list, is there any way for a 2nd access list to be applied to traffic *AFTER* it goes through the tunnel?

Or is the only proper way to restrict tunnel traffic via the "interesting access-list"?

(I only have control of one side of the tunnel, so obviously I can modify MY "interesting traffic" access list, but that only applies to outgoing traffic... I'd like to further restrict traffic incoming to my router on the tunnel without going through the bureaucracy of getting changes on the remote site's router)

3 REPLIES
Silver

Re: stupid question: access list to restrict IPSEC VPN traffic?

The access-list you already have is the Crypto ACL that is the interesting traffic that kicks off the tunnel. Once the traffic is in your router you can create an additional ACL and apply it to your LAN interface on the OUTbound side to restrict the specific traffic you do not or do want....
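The approach in this reply, written out as an added IOS configuration example (this is not the poster's configuration and not taken from the thread). Interface names, the peer address and all subnets are constructed: local LAN 10.1.1.0/24 behind GigabitEthernet0/1, WAN on GigabitEthernet0/0, remote VPN LAN 192.168.50.0/24, peer 203.0.113.2; the crypto ACL, crypto map and transform set stand in for the tunnel the original poster already has working.

```cisco
! Added example, not from the thread. All addresses, interface names and ACL
! names are constructed placeholders.
!
! "Interesting traffic" (crypto) ACL: selects what is encrypted into the tunnel.
ip access-list extended VPN-INTERESTING
 permit ip 10.1.1.0 0.0.0.255 192.168.50.0 0.0.0.255
!
! Filter for traffic that has ALREADY been decrypted and is heading into the LAN.
! Written with source = remote VPN subnet, destination = local hosts/services.
ip access-list extended VPN-TO-LAN-FILTER
 remark Remote site may reach only the file server (SMB) and the web server (HTTPS)
 permit tcp 192.168.50.0 0.0.0.255 host 10.1.1.10 eq 445
 permit tcp 192.168.50.0 0.0.0.255 host 10.1.1.20 eq 443
 permit icmp 192.168.50.0 0.0.0.255 10.1.1.0 0.0.0.255 echo
 deny   ip 192.168.50.0 0.0.0.255 any log
 remark The outbound LAN ACL sees ALL traffic leaving this interface (Internet replies,
 remark other local subnets), so everything not from the remote site must still pass.
 permit ip any any
!
! Existing tunnel definition (placeholder; transform set ESP-AES-SHA assumed to exist).
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set ESP-AES-SHA
 match address VPN-INTERESTING
!
interface GigabitEthernet0/0
 description WAN - tunnel terminates here
 ip address 198.51.100.1 255.255.255.0
 crypto map VPN-MAP
!
interface GigabitEthernet0/1
 description LAN
 ip address 10.1.1.1 255.255.255.0
 ip access-group VPN-TO-LAN-FILTER out
```

Two things to keep in mind with this placement: the trailing `permit ip any any` is not optional, because an outbound ACL on the LAN interface is evaluated for every packet leaving that interface, not just packets that came out of the tunnel; and the filter only runs after the router has already decrypted the packet. The `log` keyword on the deny entry and `show ip access-lists VPN-TO-LAN-FILTER` (per-entry hit counters) give you a quick way to confirm the remote site is only sending what you expect and to see what is being dropped.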

Community Member

Re: stupid question: access list to restrict IPSEC VPN traffic?

Thanks... I'm so used to applying access lists coming IN on the WAN interface that I didn't even think of applying an OUT access-list on the LAN side.

Re: stupid question: access list to restrict IPSEC VPN traffic?

Hi Thomas

Best practice for achieving what you want is applying a filter ACL:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml#conf

This will prevent desired destined packets from being blocked before utilizing appliance resources (CPU) and store-and-forward switching to the outbound buffer, unlike an outbound ACL, since packet.

Also, applying an outbound ACL will have an impact that will be noticeable depending on your throughput, since the appliance is going to match all outbound destined packets against the specific ACL, while the vpn-filter value will only be processed on tunnel traffic.

Regards
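The `vpn-filter` approach in this reply, as an added configuration example that is not from the thread or the linked document. `vpn-filter` is an ASA/PIX group-policy feature rather than an IOS router command, so this snippet assumes an ASA; the subnets, ACL and group-policy names and the peer address 203.0.113.2 are constructed placeholders, and the existing crypto map and tunnel-group IPsec attributes for the working tunnel are left out as unchanged.

```cisco
! Added example, not from the thread. Assumes an ASA; all names and addresses
! are constructed placeholders (local LAN 10.1.1.0/24, remote VPN LAN 192.168.50.0/24).
!
! vpn-filter ACL: source = REMOTE network, destination = LOCAL hosts.
! The ASA applies it to decrypted traffic leaving the tunnel and, with source and
! destination swapped, to return traffic before encryption, so one ACL covers both
! directions. Unlike an interface ACL, only tunnel traffic is evaluated against it.
access-list VPN-FILTER extended permit tcp 192.168.50.0 255.255.255.0 host 10.1.1.10 eq 445
access-list VPN-FILTER extended permit tcp 192.168.50.0 255.255.255.0 host 10.1.1.20 eq 443
access-list VPN-FILTER extended permit icmp 192.168.50.0 255.255.255.0 10.1.1.0 255.255.255.0 echo
! Implicit deny at the end: anything else arriving through the tunnel is dropped.
!
group-policy L2L-FILTERED internal
group-policy L2L-FILTERED attributes
 vpn-filter value VPN-FILTER
!
! Attach the policy to the site-to-site tunnel for this peer.
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 general-attributes
 default-group-policy L2L-FILTERED
```

One caveat worth knowing when choosing this over an interface ACL on an ASA: with the default `sysopt connection permit-vpn` setting, traffic arriving through a VPN tunnel bypasses the interface ACLs entirely, so the `vpn-filter` is the place where tunnel traffic actually gets filtered. After applying it, `show access-list VPN-FILTER` shows per-entry hit counts, and `show vpn-sessiondb l2l` confirms which group policy the tunnel picked up.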

156 Views, 5 Helpful, 3 Replies