Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Access lists to lock down tunnel

hey guys, easy stuff here.

-Router 1800 series


-Public IP

-Remote router 800 series

-Remote Office LAN

-Remote Office Public IP

Currently, there is a L2L tunnel using IPSec between the 2 networks and those inside LANs can communicate with each other without any problems.

The requirement now is to lock this tunnel down to allow only the following:

-Remote Office LAN ( hosts should not access the internet. In fact, there are only 3 host ( .201 and .202) and these 3 hosts should only be allowed access to and to on port tcp 9399, and nothing else.

How will this be accomplished?

Thanks in advanced


Re: Access lists to lock down tunnel

access-list 100 permit tcp host host eq 3999

access-list 100 permit tcp host host eq 3999

and repeat the same ACL entries for other three clients 201 and 202

then apply it on the outside interface in the inbound direction


interface [port]

ip access-group 100 in

if wonder where is the deny

after each ACL there is in the end deny called implicit deny

so evry thing not permited in the above ACL will be denied

if u want to make explicite deny just add the following line after u finish all the entries

access-list 100 deny ip any any

good luck

please, if helpful Rate

New Member

Re: Access lists to lock down tunnel

This is what confuses me. If the traffic is originating from the inside LAN (and this is exactly the traffic we want to deny to anything except to those hosts), why will we apply the access list to the Outside interface?

And to make me confuse even more, why will we tell the outside interace that the access-list is applied in the IN direction?? I thought the traffic coming from the outside world and destined to our Outside Interface will be considered as IN direction.

Re: Access lists to lock down tunnel

ohh sorry mate i thought this traffic is coming to u thorugh VPN


if u want the only the above traffic to go through VPN

make the ACLs i have mentioned above


inthe crypto map config included in the interesting traffic with the command

match address 100

this way only the traffic allwed in the ACL will bring up the VPN tunnel

for internet

the same ACL which is allow only hosts to access the servers on the spesified port

apply it on the remote route inside interface in the inbound direction

in other words

all the above config in the remote site (close to the hosts u want to restrect them)

do the ACL 100 as i mentioned above finish all its entries apply it for vpn interesting traffic and inbound in the inside interface of the remote router

hope this time helpful :) sorry about the misunderstanding

please, if helpful Rate

if u need any more details just post it here

good luck

CreatePlease login to create content