stupid question: access list to restrict IPSEC VPN traffic?

thomasdzubin
Level 1

I've got a site-to-site IPSEC VPN tunnel working just fine between a couple of routers.

Aside from the "interesting traffic" access-list, is there any way for a 2nd access list to be applied to traffic *AFTER* it goes through the tunnel?

Or is the only proper way to restrict tunnel traffic via the "interesting access-list"?

(I only have control of one side of the tunnel, so obviously I can modify MY "interesting traffic" access list, but that only applies to outgoing traffic... I'd like to further restrict traffic incoming to my router on the tunnel without going through the bureaucracy of getting changes on the remote site's router)

3 Replies

pciaccio
Level 4

The access-list you already have is the Crypto ACL that defines the interesting traffic that kicks off the tunnel. Once the traffic is in your router you can create an additional ACL and apply it to your LAN interface on the OUTbound side to restrict the specific traffic you do or do not want.

Thanks... I'm so used to applying access lists coming IN on the WAN interface that I didn't even think of applying an OUT access-list on the LAN side.

Hi Thomas

Best practice for achieving what you want is applying a filter ACL:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml#conf

This will prevent desired destined packets from being blocked before utilizing appliance resources (CPU) and store-and-forward switching to the outbound buffer, unlike an outbound ACL, since packet.

Also, applying an outbound ACL will have an impact which will be noticeable according to your throughput, since the appliance is going to match all outbound destined packets against the specific ACL, while the vpn-filter value will only process tunnel traffic.

Regards
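The two approaches described in the replies above, as an added configuration example that is not from the original thread or from Cisco: the first part is an IOS router with a separate filter ACL applied outbound on the LAN interface (pciaccio's suggestion), the second an ASA using vpn-filter (the third reply). All addresses, interface names and ACL/policy names are made up for the example.

```cisco
! ---------- IOS router: crypto ACL plus a LAN-side outbound filter ----------
! Crypto ACL: only decides what gets encrypted/decrypted (local 10.1.0.0/16 <-> remote 10.2.0.0/16)
ip access-list extended CRYPTO-ACL
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! Filter ACL for decrypted traffic entering the LAN: source is the REMOTE site
ip access-list extended VPN-INBOUND-FILTER
 permit tcp 10.2.0.0 0.0.255.255 host 10.1.10.20 eq 443
 permit icmp 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255 echo
 deny ip 10.2.0.0 0.0.255.255 any log            ! drop and log anything else from the tunnel
 permit ip any any                                 ! do not break non-tunnel traffic to the LAN
!
interface GigabitEthernet0/1
 description LAN (inside)
 ip address 10.1.0.1 255.255.0.0
 ip access-group VPN-INBOUND-FILTER out            ! evaluated after decryption, before the LAN
!
! ---------- ASA: vpn-filter applied only to this tunnel's traffic ----------
! vpn-filter ACLs are written with the REMOTE network as source and the local network as
! destination; the ASA applies the filter to both directions of the tunnel.
access-list VPN-FILTER extended permit tcp 10.2.0.0 255.255.0.0 host 10.1.10.20 eq 443
access-list VPN-FILTER extended permit icmp 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0 echo
access-list VPN-FILTER extended deny ip any any log
!
group-policy L2L-POLICY internal
group-policy L2L-POLICY attributes
 vpn-filter value VPN-FILTER
!
tunnel-group 203.0.113.2 general-attributes        ! remote peer address (example value)
 default-group-policy L2L-POLICY
```

On the IOS side the trailing permit matters: without it, the outbound ACL on the LAN interface also drops ordinary Internet return traffic, which is the throughput side-effect the third reply warns about.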
