Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

crypto map and vti - how to restrict traffic on vti

Hello,

I understand that crypto-map allows you to match the source IPs before routing through the VPN.

Since IPSec static VTI do not provide crypto maps, how do you restrict the type of traffic which can pass through it.

 

Following is my next question :

Me: 1.1.1.1 - My internal network : 192.168.1.0/24, 192.168.2.0/24

Client: 2.2.2.2 - My client's internal network : 10.0.0.0/8

I want 192.168.1.0/24 to reach 10.0.0.0/8 through the VPN but 192.168.2.0/24 should not be able to access 10.0.0.0/8

How would I do that? A few examples would be good to help me understand this.
 
crypto keyring equinix-XX-keyring
  local-address 1.1.1.1
  pre-shared-key address 2.2.2.2 key keypassword
 
crypto isakmp policy 200
 encr aes
 authentication pre-share
 group 2
 lifetime 28800

crypto isakmp profile equinix-XX-isakmp
   keyring equinix-XX-keyring
   match identity address 2.2.2.2 255.255.255.255
   local-address 1.1.1.1

crypto ipsec transform-set equinix-XX-transform esp-aes esp-sha-hmac
 mode tunnel

crypto ipsec profile equinix-XX-ipsec
 set transform-set equinix-XX-transform
 set pfs group2
 
 
interface Tunnel1
 ip address 169.254.249.38 255.255.255.252
 ip tcp adjust-mss 1387
 tunnel source 1.1.1.1
 tunnel mode ipsec ipv4
 tunnel destination 2.2.2.2
 tunnel protection ipsec profile equinix-XX-ipsec
 ip virtual-reassembly

1 REPLY
Cisco Employee

Access-lists, FW (ZBF, CBAC)

Access-lists, FW (ZBF, CBAC) and all other features work on SVTI same way they would work on a physical or other logical interfaces (with very few exceptions). 

164
Views
0
Helpful
1
Replies
CreatePlease to create content