Cisco Support Community

ACLs required for Site-to-Site VPN

I have a few remote sites with different configurations, but to start with, I'd like to use a remote site where there is only one single device on the perimeter and this device does the NAT so all inside hosts can properly connect to the internet using the overloaded public IP address of the router's outside interface.

The Headquarters has a Cisco Router 2800 Series. The security is tight, so ANY on the ACLs is avoided as much as possible. Plus, the remote site has a static public IP.

What are the exact ACLs that have to be applied on the outside interface of the HQ router in order to allow the remote office to create a Site-to-Site tunnel? Either end of the tunnel can initiate traffic to bring up the tunnel.

I am always confused with 3 ACLs when applying them to the outside interface of a router which will participate in these types of tunnels.

I have

access-list 101 permit esp any host 66.66.66.54

access-list 101 permit udp any host 66.66.66.54 eq isakmp

access-list 101 permit udp any host 66.66.66.54 eq non500-isakmp

In this scenario, which ACL is really needed on the outside interface of the HQ router?

thanks

1 REPLY

Re: ACLs required for Site-to-Site VPN

If the use of "ANY" is a concern I'd replace it with the specific peer IPs.

These are the statements you must have on your outside interface...

access-list 101 permit esp any host 66.66.66.54

access-list 101 permit udp any host 66.66.66.54 eq isakmp

This statement is only needed if there is a non-compliant NAT device in front of either peer...

access-list 101 permit udp any host 66.66.66.54 eq non500-isakmp
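As an added illustration of the reply above (example code, not from the thread or from Cisco), the following parses the three IOS ACEs quoted here, checks whether the ESP, UDP/500 and, only when NAT-T is in play, UDP/4500 flows from a given peer are permitted, and flags any entry that still uses an "any" source. The peer address 203.0.113.7 is an assumed documentation address standing in for the remote site's static public IP.

```python
# Added example, not from the thread: parse the IOS ACEs quoted above and check
# that a given peer's ESP/IKE flows are permitted, flagging "any" sources.
import ipaddress
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}

def _addr(t, i):
    """Consume one IOS address spec: any | host A.B.C.D | A.B.C.D WILDCARD."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    wild = int(ipaddress.ip_address(t[i + 1]))          # contiguous wildcard -> prefix
    return ipaddress.ip_network(f"{t[i]}/{32 - wild.bit_length()}", strict=False), i + 2

def parse_ace(line):
    """'access-list N permit PROTO SRC DST [eq PORT]' -> (proto, src_net, dst_net, port)."""
    t = line.strip().rstrip(".").split()
    if t[0] != "access-list" or t[2] != "permit":
        raise ValueError(f"unsupported ACE: {line}")
    src, i = _addr(t, 4)
    dst, i = _addr(t, i)
    port = None                                          # None: no port match (ESP)
    if i < len(t) and t[i] == "eq":
        port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return (t[3], src, dst, port)

def permits(aces, proto, src, dst, port=None):
    """True if some ACE matches this flow (permit-only list, so any match suffices)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(p == proto and s in sn and d in dn and (pt is None or pt == port)
               for p, sn, dn, pt in aces)

def tunnel_flows_allowed(aces, peer, local, nat_t=False):
    """Which flows a site-to-site tunnel needs are permitted from peer to local?"""
    need = {"esp": ("esp", None), "isakmp": ("udp", 500)}
    if nat_t:                                            # only with NAT in the path
        need["non500-isakmp"] = ("udp", 4500)
    return {n: permits(aces, p, peer, local, pt) for n, (p, pt) in need.items()}

def any_source(aces):
    """ACEs whose source is 'any', which the question wants to avoid."""
    return [a for a in aces if a[1].prefixlen == 0]

# Constructed sample: the thread's ACL tightened to one peer; 203.0.113.7 is a
# documentation address standing in for the remote site's static public IP.
TIGHT_ACL = [parse_ace(l) for l in (
    "access-list 101 permit esp host 203.0.113.7 host 66.66.66.54",
    "access-list 101 permit udp host 203.0.113.7 host 66.66.66.54 eq isakmp",
)]
```

Running `tunnel_flows_allowed(TIGHT_ACL, "203.0.113.7", "66.66.66.54", nat_t=True)` shows the UDP/4500 flow missing, which is exactly the entry the reply says to add only when a NAT device sits in front of a peer.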
