stupid question: access list to restrict IPSEC VPN traffic?
I've got a site-to-site IPSEC VPN tunnel working just fine between a couple of routers.
Aside from the "interesting traffic" access-list, is there any way for a 2nd access list to be applied to traffic *AFTER* it goes through the tunnel?
Or is the only proper way to restrict tunnel traffic via the "interesting access-list"?
(I only have control of one side of the tunnel, so obviously I can modify MY "interesting traffic" access list, but that only applies to outgoing traffic... I'd like to further restrict traffic incoming to my router on the tunnel without going through the bureaucracy of getting changes on the remote site's router)
Re: stupid question: access list to restrict IPSEC VPN traffic?
The access-list you already have is the Crypto ACL that is the interesting traffic that kicks off the tunnel. Once the traffic is in your router you can create an additional ACL and apply it to your LAN interface on the OUTbound side to restrict the specific traffic you do or do not want....
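As an added illustration of the approach in the reply above (this is example configuration written for this page, not the poster's own config), here is an IOS layout with the crypto ACL selecting the tunnel traffic and a second extended ACL applied outbound on the LAN interface to filter what arrives from the remote site. All addresses, interface names and ACL names are assumptions; the local LAN is taken to be 192.168.10.0/24, the remote site 172.16.20.0/24, and the only host the remote side is allowed to reach is 192.168.10.50 on 443 and 22.

```cisco
! --- Crypto ACL: the "interesting traffic" that brings the tunnel up ---
! (assumed networks; this ACL only selects what gets encrypted outbound)
ip access-list extended VPN-INTERESTING
 permit ip 192.168.10.0 0.0.0.255 172.16.20.0 0.0.0.255
!
! --- Second filter: applied OUT on the LAN interface ---
! "out" on the LAN side means packets leaving the router toward the LAN,
! i.e. traffic that has already been decrypted from the tunnel (or arrived
! from anywhere else). Remote side may only reach one host on 443/22.
ip access-list extended FROM-TUNNEL-OUT
 permit tcp 172.16.20.0 0.0.0.255 host 192.168.10.50 eq 443
 permit tcp 172.16.20.0 0.0.0.255 host 192.168.10.50 eq 22
 ! everything else from the remote site is dropped and logged
 deny   ip 172.16.20.0 0.0.0.255 192.168.10.0 0.0.0.255 log
 ! do not break non-tunnel traffic heading to the LAN (Internet returns etc.)
 permit ip any any
!
interface GigabitEthernet0/1
 description LAN
 ip address 192.168.10.1 255.255.255.0
 ip access-group FROM-TUNNEL-OUT out
!
! --- Crypto map on the outside interface, referencing the crypto ACL ---
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address VPN-INTERESTING
!
interface GigabitEthernet0/0
 description OUTSIDE
 ip address 203.0.113.1 255.255.255.0
 crypto map VPNMAP
```

Two things to check after applying this: the `permit ip any any` at the end matters, because an outbound LAN ACL sees every packet bound for the LAN, not just decrypted ones, so without it the filter would also cut off ordinary return traffic. And `show ip access-lists FROM-TUNNEL-OUT` should show hit counts climbing on the `deny ... log` line when the remote site tries something outside the allowed ports, which is the quickest way to confirm the filter is actually sitting in the post-decryption path.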
This will prevent desired destined packets from being blocked before utilizing appliance resources (CPU) and store-and-forward switching to the outbound buffer, unlike an outbound ACL, since packet.
Also, applying an outbound ACL will have an impact that will be noticeable depending on your throughput, since the appliance is going to match all outbound-destined packets against the specific ACL, while the vpn-filter value will only process tunnel traffic.
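The reply above contrasts an outbound interface ACL with `vpn-filter`, which is an ASA (not IOS) feature that attaches an ACL to a group policy so it is evaluated only against traffic belonging to that tunnel. As an added example, not from the original thread, here is how that looks for a site-to-site tunnel; peer address, network ranges and object names are assumptions. The remote site is again 172.16.20.0/24, the local LAN 192.168.10.0/24.

```cisco
! --- ASA vpn-filter example (assumed addresses and names) ---
! NOTE: vpn-filter ACEs are written from the REMOTE side's perspective:
!   source      = remote/peer network
!   destination = local network
! The ASA applies the same ACL to both directions of the tunnel, so a
! single ACE below also permits the matching return traffic.
access-list VPN-FILTER-L2L extended permit tcp 172.16.20.0 255.255.255.0 host 192.168.10.50 eq 443
access-list VPN-FILTER-L2L extended permit tcp 172.16.20.0 255.255.255.0 host 192.168.10.50 eq 22
! implicit deny at the end: anything else from the remote site is dropped
!
! Crypto ACL (interesting traffic) for the L2L tunnel
access-list VPN-INTERESTING extended permit ip 192.168.10.0 255.255.255.0 172.16.20.0 255.255.255.0
!
! Group policy that carries the filter
group-policy L2L-POLICY internal
group-policy L2L-POLICY attributes
 vpn-filter value VPN-FILTER-L2L
!
! Tunnel group for the peer, bound to that group policy
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 general-attributes
 default-group-policy L2L-POLICY
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key <shared-secret-goes-here>
!
crypto map OUTSIDE_MAP 10 match address VPN-INTERESTING
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
```

The two caveats a practitioner trips over here: first, the reversed source/destination convention above, which is the most common reason a freshly applied vpn-filter blocks everything; second, with the default `sysopt connection permit-vpn` in place, decrypted tunnel traffic bypasses the interface ACLs entirely, so on an ASA a vpn-filter (or turning that sysopt off) is the filter point the reply is describing, not the outside interface's ACL.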