Cisco Support Community
Community Member

access-list for cisco 1841 ipsec vpn

Hi all. Below is a small portion of my cisco 1841 config.

crypto map mapname 10 ipsec-isakmp

set peer x.x.x.x

set transform-set myset

match address 120

access-list 120 permit ip eq 80

access-list 120 deny ip

Based on the above configuration, I would like to know if access-list 120 can be used to restrict access only to port 80 and nothing else on the subnet, since it is used in the crypto map. I thought the crypto map is only used to determine which traffic to encrypt and not used to deny/permit traffic.


Re: access-list for cisco 1841 ipsec vpn

The crypto map access-list can indeed be used to restrict access to certain ports or networks. However, the access-list you created will not be accepted by the router and has a line that is unnecessary.

Here's the access-list that should work:

access-list 120 permit tcp eq 80

There is an implicit deny at the bottom of each access-list, so a deny rule is in this case unnecessary. The first rule won't be accepted because you may not specify a port (eq 80) on a rule that's configured for ip traffic instead of only tcp traffic.

You are right about the fact that a crypto map access-list is not made to determine which traffic is permitted or denied. But the traffic will not be sent across the tunnel if it doesn't match the crypto access-list! You can interpret that as a deny :) So only traffic that should be able to go over the tunnel should be stated in the crypto map access-list! Object-groups are a great help for creating smaller access-lists!

Please rate if the post is useful!



Community Member

Re: access-list for cisco 1841 ipsec vpn

Hi Michael,

Thank you very much for your reply. It cleared my doubt about using the crypto map in my Cisco 1841 router. However, my IPsec VPN is between a Cisco 1841 and a Cisco PIX 515E. In my Cisco PIX 515E my vendor seems to use the normal access-list, which is applied on the internal interface, to restrict outgoing VPN traffic, instead of using the crypto map.

Below is the crypto map command used in my PIX:

access-list outside_cryptomap permit ip

crypto map outside_map 20 ipsec-isakmp

crypto map outside_map 20 match address outside_cryptomap

From the above commands, the access-list used for the crypto map only specifies permit. However, the restriction of VPN traffic is actually done using the normal access-list which is applied to my internal interface. Hence my question is whether the Cisco PIX 515E can also use the crypto map access-list to restrict traffic? Thanks in advance.


Re: access-list for cisco 1841 ipsec vpn

You have to make sure that the crypto map access-lists are exactly the same on both sides, else you could get problems establishing the tunnel.

There is actually no difference between using the crypto map access-list or the normal access-list on the inside interface. Either way the unwanted traffic will not be passed over the VPN tunnel! It is only important that you use the same method on both sides.

Hope this information helps, please rate if it does!
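As an added example that is not part of this thread, the following Python script checks the points raised in the two replies above: a port qualifier such as `eq 80` is only accepted on a tcp/udp rule (the ip rule in the first post would be rejected), a trailing `deny ip any any` only duplicates the implicit deny, and the two peers must carry mirror-image crypto access-lists. It assumes both policies are written out in IOS numbered extended ACL syntax with wildcard masks (a PIX netmask-style ACL would have to be converted by hand first); the addresses are constructed RFC 5737 documentation ranges, not the poster's, and the function names are the example's own.

```python
"""Sanity checks for IOS crypto-map access-lists (numbered extended ACL syntax).

Added example, not from the thread. Addresses are constructed documentation
ranges (RFC 5737); the PIX side is assumed to have been rewritten in IOS
wildcard syntax before comparison.
"""
import re
from typing import List, NamedTuple, Optional


class Endpoint(NamedTuple):
    addr: str            # 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'
    port: Optional[str]  # 'eq 80' etc., or None when no port qualifier


class Ace(NamedTuple):
    action: str          # 'permit' or 'deny'
    proto: str           # 'ip', 'tcp', 'udp', ...
    src: Endpoint
    dst: Endpoint


_ADDR = r"(any|host \d+\.\d+\.\d+\.\d+|\d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+)"
_PORT = r"(?: (eq \d+))?"
_ACE_RE = re.compile(
    rf"^access-list \d+ (permit|deny) (\w+) {_ADDR}{_PORT} {_ADDR}{_PORT}$"
)


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list N permit|deny proto src [eq p] dst [eq p]' line."""
    m = _ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"cannot parse ACE: {line!r}")
    action, proto, sa, sp, da, dp = m.groups()
    return Ace(action, proto, Endpoint(sa, sp), Endpoint(da, dp))


def parse_acl(text: str) -> List[Ace]:
    """Parse a block of ACL lines, ignoring blank lines."""
    return [parse_ace(ln) for ln in text.splitlines() if ln.strip()]


def fmt_ace(ace: Ace) -> str:
    def ep(e: Endpoint) -> str:
        return e.addr + (f" {e.port}" if e.port else "")
    return f"{ace.action} {ace.proto} {ep(ace.src)} {ep(ace.dst)}"


def lint_acl(aces: List[Ace]) -> List[str]:
    """Flag a port qualifier on a non-tcp/udp rule (IOS rejects it) and a
    trailing 'deny ip any any' that merely repeats the implicit deny."""
    problems = []
    for i, ace in enumerate(aces, 1):
        if ace.proto not in ("tcp", "udp") and (ace.src.port or ace.dst.port):
            problems.append(f"line {i}: port qualifier not allowed with protocol '{ace.proto}'")
    if aces:
        last = aces[-1]
        if (last.action, last.proto, last.src.addr, last.dst.addr) == ("deny", "ip", "any", "any"):
            problems.append(f"line {len(aces)}: trailing 'deny ip any any' is redundant (implicit deny)")
    return problems


def mirror(ace: Ace) -> Ace:
    """The ACE the peer must carry: same protocol and ports, src/dst swapped."""
    return Ace(ace.action, ace.proto, ace.dst, ace.src)


def check_peer_symmetry(local: List[Ace], peer: List[Ace]) -> List[str]:
    """Every permit on one side must appear as its mirror image on the other."""
    local_permits = {a for a in local if a.action == "permit"}
    peer_permits = {a for a in peer if a.action == "permit"}
    problems = []
    for a in local_permits:
        if mirror(a) not in peer_permits:
            problems.append(f"peer lacks mirror of: {fmt_ace(a)}")
    for a in peer_permits:
        if mirror(a) not in local_permits:
            problems.append(f"local lacks mirror of: {fmt_ace(a)}")
    return problems


# Constructed samples. The first mirrors the shape of the ACL in the question;
# the second is the corrected form from the reply; the third is the peer's policy.
ORIGINAL_1841_ACL = """
access-list 120 permit ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255 eq 80
access-list 120 deny ip any any
"""
FIXED_1841_ACL = """
access-list 120 permit tcp 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255 eq 80
"""
PEER_ACL = """
access-list 120 permit tcp 198.51.100.0 0.0.0.255 eq 80 192.0.2.0 0.0.0.255
"""

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_1841_ACL), ("fixed", FIXED_1841_ACL)):
        aces = parse_acl(text)
        print(name, "lint:", lint_acl(aces) or "ok")
        print(name, "symmetry:", check_peer_symmetry(aces, parse_acl(PEER_ACL)) or "ok")
```

Run as a script it reports the two defects in the original ACL and a clean result for the corrected one; the symmetry check also shows why the peer would not match the `ip ... eq 80` rule even if the router had accepted it, since the protocol on the two sides differs.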


