
New Member

Cannot apply access-list to IPsec Tunnel

I need to apply a filter to deny FTP and HTTP over the IPsec tunnel.

Can you show me the correct configuration, because my config doesn't work?

Thanks

access-list acl_out permit icmp any any
access-list 100 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 110 deny tcp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq ftp-data
access-list 110 deny tcp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq ftp
access-list 110 deny tcp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq www
access-list 110 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

ip address inside 192.168.2.254 255.255.255.0
nat (inside) 0 access-list 100
sysopt connection permit-ipsec
no sysopt route dnat

crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map toCastel 10 ipsec-isakmp
crypto map toCastel 10 match address 110
crypto map toCastel 10 set peer x.x.x.202
crypto map toCastel 10 set transform-set myset
crypto map toCastel interface outside

isakmp enable outside
isakmp key npsgeo address x.x.x.202 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000

1 REPLY
Bronze

Re: Cannot apply access-list to IPsec Tunnel

Hi,

The way I have set this up in the past and the way I have had the most success is this. I set my nonat and my match address to the same access-list (access-list 100). I would then apply the 110 access list to the inside interface.

It makes things much simpler to allow full IP over the tunnel, but only allow certain ports (ftp, www etc.) to even get to the tunnel from the inside interface.

Hope that helps.

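As an added example (not the poster's or the replier's own config), this is the arrangement the reply describes, written in PIX 6.x syntax and reusing the subnets and crypto map name from the question; the closing `permit ip any any` on ACL 110 is an assumption so that non-tunnel traffic from the inside is not blocked by the interface ACL's implicit deny.

```text
! Added example (not the poster's or the replier's own config): PIX 6.x syntax,
! reusing the subnets and crypto map name from the question.

! One ACL defines the "interesting" traffic for both NAT exemption and the
! crypto map, so all traffic between the two LANs is encrypted and none is NATed.
access-list 100 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 100
crypto map toCastel 10 match address 100

! Filtering happens on the inside interface, before packets reach the crypto map.
! A deny in a crypto ACL only excludes traffic from encryption; it is not a filter.
access-list 110 deny tcp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq ftp-data
access-list 110 deny tcp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq ftp
access-list 110 deny tcp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 eq www
! Assumption: other inside traffic (e.g. Internet-bound) should still pass.
! Interface ACLs end with an implicit deny, so close with an explicit permit.
access-list 110 permit ip any any
access-group 110 in interface inside

! Check: the deny lines' hit counts should rise when an inside host tries FTP or
! HTTP to 192.168.1.0/24, while ACL 100 shows hits only for traffic that was
! actually sent into the tunnel.
show access-list 110
show access-list 100
```

Because the question's config keeps `sysopt connection permit-ipsec`, decrypted traffic arriving from the peer bypasses interface ACLs, so this filters only sessions initiated from the inside LAN; sessions the remote LAN initiates would need `no sysopt connection permit-ipsec` together with an ACL applied on the outside interface.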