Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

access-list needed for vpn

Hi,

if we have a LAN to LAN vpn between to two cisco firewalls and allowed the service as IP (ipsec tunnel) do we need indivugial access-list in the security policy ? (i had a similar case where i had to put in a entry on the security policy for port 16000 between the two subnets used onthe LAN to LAN firewalls)

i was under the impression the security policy applies only for non vpn and for vpn traffic we need to specify on the ipsec tunnel (under the tab service)

Thanks

1 ACCEPTED SOLUTION

Accepted Solutions

access-list needed for vpn

Turn on this command and remove the statement and then try-

config#sysopt connection permit-vpn

Thanks

Ajay

7 REPLIES

access-list needed for vpn

Your question is not very clear to me .However if you mean to say you need extra ACL for VPN then answer is yes - You need to call ACL for crypto as well for nat exempt while configuring Site To Site VPN.

Thanks

Ajay

New Member

access-list needed for vpn

yep apart from the ACL (that is encrypted in the tunnel) do we need any extra acl to allow access to the specific ports. (please note that in the extended acl for the vpn i have allowed ip traffic which means all traffic) but i have had to put in an extra acl apart from the first one and mention the port numbers. not sure why ? (i thought the acl in the security policy tab are needed only for non vpn traffic

access-list needed for vpn

There are two way you can filter traffic which is moving over VPN.

1) Filter at source ofcourse ACLs are required.

  For example Crypto acl allows - Site A 10.0.0.0/24 to Site-B 20.0.0.0/24 but traffic can be filtered at interface where  10.0.0.0/24  is configured .Lets assume port 80 we want to deny.

ACL would be -- access-list XXX extended deny tcp 10.0.0.0 255.255.255.0 20.0.0.0 255.255.255.0 eq 80

                                                                            permit any any

                              acess-group xxxx in inside

So this will deny port 80 and permit rest of the traffic.

2) You can configure VPN filter which is called under group policy .

Thanks

Ajay

New Member

access-list needed for vpn

the norrmal access list that you allow through the tunnel would be

access-list outside_10_cryptomap extended permit ip 10.10.10.0 255.255.255.255.0 20.20.20.0 255.255.255.0

now i have allowed ip between 10.10.10.0 and 20.20.20.0 subnets (either side of the tunnel)

now if i want to allow port 15000, i thought since i am allowing ip it should work but i had to put in accesslist as:

access-list OUTSIDE_IN extended permit tcp host 10.10.10.10 host 20.20.20.20 eq 15000

so i am not sure why the above OUTSIDE_IN statement would be needed as ip is allowed through the tunnel ?

access-list needed for vpn

Turn on this command and remove the statement and then try-

config#sysopt connection permit-vpn

Thanks

Ajay

New Member

access-list needed for vpn

thanks for this but unfortunetly i cant test this as its in production. but what does this command do ?

access-list needed for vpn

It  bypass ACL configured on interface.

412
Views
0
Helpful
7
Replies
CreatePlease to create content