Hi all. Below is a small portion of my Cisco 1841 config.
crypto map mapname 10 ipsec-isakmp
set peer x.x.x.x
set transform-set myset
match address 120
access-list 120 permit ip 192.168.9.0 0.0.0.255 172.16.1.0 0.0.0.255 eq 80
access-list 120 deny ip 192.168.9.0 0.0.0.255 172.16.1.0 0.0.0.255
Based on the above config, I would like to know if access-list 120 can be used to restrict access only to port 80 and nothing else on the subnet 172.16.1.0, since it is used in the crypto map. Because I thought a crypto map is only used to determine which traffic to encrypt, not to deny/permit traffic.
There is an explicit deny at the bottom of each access-list, so a deny rule is in this case unnecessary. The first rule won't be accepted because you may not specify a port (eq 80) on a rule that's configured for ip traffic instead of only tcp traffic.
You are right about the fact that a crypto map access-list is not made to determine which traffic is permitted or denied. But the traffic will not be sent across the tunnel if it doesn't match the crypto access-list! You can interpret that as a deny :) So only traffic that should be able to go over the tunnel should be stated in the crypto map access-list! Object-groups are a great help for creating smaller access-lists!
Thank you very much for your reply. It clears up my doubt about using the crypto map in my Cisco 1841 router. However, my IPsec VPN is between a Cisco 1841 and a Cisco PIX 515E. On my Cisco PIX 515E my vendor seems to use the normal access-list, which is applied on the internal interface, to restrict outgoing VPN traffic, instead of using the crypto map.
Below are the crypto map commands used in my PIX:
access-list outside_cryptomap permit ip 172.16.1.0 255.255.255.0 192.168.9.0 255.255.255.0
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap
From the above commands, the access-list used for the crypto map only specifies permit. However, the restriction of VPN traffic is actually done using the normal access-list which is applied to my internal interface. Hence my question is whether the Cisco PIX 515E can also use the crypto map access-list to restrict traffic? Thanks in advance.
You have to make sure that the crypto map access-lists are exactly the same on both sides, else you could get problems establishing the tunnel.
There is actually no difference in using the crypto map access-list or the normal access-list on the inside interface. Neither way will the unwanted traffic be passed over the vpn tunnel! It is only important that you use the same method on both sides.
Hope this information helps, please rate if it does!
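The two points made in this thread, that a flow which matches nothing in the crypto ACL simply never enters the tunnel, and that the PIX side must carry the exact mirror image of the IOS side even though it writes masks the other way round, can be checked offline. The following is an added example written for this thread, not code from any poster or from Cisco; the function names are my own, and it handles only the plain protocol/source/destination form of the ACEs shown above.

```python
import ipaddress
from typing import List, NamedTuple


class CryptoAce(NamedTuple):
    """One crypto-map ACL entry, normalised to prefixes regardless of platform."""
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _to_network(addr: str, mask: str, style: str) -> ipaddress.IPv4Network:
    # IOS uses a wildcard mask (0.0.0.255), PIX a subnet mask (255.255.255.0);
    # invert the wildcard so both compare as plain prefixes.
    mask_int = int(ipaddress.IPv4Address(mask))
    if style == "ios":
        mask_int ^= 0xFFFFFFFF
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(mask_int)}", strict=False)


def parse_crypto_ace(line: str, style: str) -> CryptoAce:
    """Parse 'access-list <id> permit|deny <proto> <src> <mask> <dst> <mask>' (style: ios|pix)."""
    t = line.split()
    if len(t) < 8 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACE: {line}")
    if len(t) > 8:  # e.g. 'eq 80': a port qualifier is not valid on an 'ip' ACE
        raise ValueError(f"port qualifier not supported here: {line}")
    return CryptoAce(t[2], t[3], _to_network(t[4], t[5], style), _to_network(t[6], t[7], style))


def selects_flow(acl: List[CryptoAce], src_ip: str, dst_ip: str) -> bool:
    """First match wins; a flow matching nothing (or a deny) is not 'interesting'
    traffic and never enters the tunnel, which is the de facto deny."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace.action == "permit"
    return False


def is_mirror(local: CryptoAce, peer: CryptoAce) -> bool:
    """The peer's entry must be the exact mirror image (its source is our destination)."""
    return (local.action == peer.action == "permit" and local.proto == peer.proto
            and local.src == peer.dst and local.dst == peer.src)


if __name__ == "__main__":
    ios = parse_crypto_ace("access-list 120 permit ip 192.168.9.0 0.0.0.255 172.16.1.0 0.0.0.255", "ios")
    pix = parse_crypto_ace("access-list outside_cryptomap permit ip 172.16.1.0 255.255.255.0 192.168.9.0 255.255.255.0", "pix")
    print(is_mirror(ios, pix), selects_flow([ios], "192.168.9.10", "172.16.1.20"))  # True True
```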