Cisco Support Community

Port based ACL filter on L2L VPN with Routers

Is it possible to define port-based ACLs (within the crypto ACL) on L2L (site-to-site) VPNs with routers? Cisco seems to say it is possible, but not recommended.

Thanks,

Brandon

11 REPLIES

Re: Port based ACL filter on L2L VPN with Routers

Brandon-

It is possible (we have one tunnel like that). The ACLs must match exactly on each side.

Hope that helps.


Re: Port based ACL filter on L2L VPN with Routers

Hi Collin,

So something like the below crypto-ACL on a router should work so long as the peer's ACL is a mirror image?

ip access-list extended xyz-company
 permit tcp host 10.10.10.10 host 11.150.116.3 eq telnet 22 ftp www 443 8080 3052 5631 5632

Thanks,

Brandon

Re: Port based ACL filter on L2L VPN with Routers

Yup
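Since the crypto ACLs have to mirror each other entry for entry, the usual mistake is to copy the line to the peer, swap the hosts, and leave the port operator on the wrong side. The following Python script is an added example (not code from the thread or from Cisco) that parses two IOS extended ACLs, swaps source and destination of the local one, and reports any entry the peer is missing or has extra; the hosts and ports follow the thread, the peer-side lines are constructed for the demonstration.

```python
import re

# Constructed crypto ACLs for the two peers (the hosts and ports are the ones
# from the thread; the peer-side lines are assumptions for this demonstration).
LOCAL_ACL = """
permit tcp host 10.10.10.10 host 11.150.116.3 eq telnet 22 ftp www 443 8080
"""
REMOTE_ACL_OK = """
permit tcp host 11.150.116.3 eq 8080 443 www ftp 22 23 host 10.10.10.10
"""
# Common mistake: hosts swapped but 'eq' left on the destination side.
REMOTE_ACL_BAD = """
permit tcp host 11.150.116.3 host 10.10.10.10 eq telnet 22 ftp www 443 8080
"""
IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
PORT_OPS = {"eq", "neq", "gt", "lt", "range"}
PORT_NAMES = {"ftp": "21", "ssh": "22", "telnet": "23", "www": "80", "domain": "53"}

def _addr(tok, i):  # host A | any | network wildcard  ->  ((network, wildcard), next)
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2

def _ports(tok, i):  # optional port operator; names normalised to numbers
    if i >= len(tok) or tok[i] not in PORT_OPS:
        return None, i
    op, i, values = tok[i], i + 1, []
    while i < len(tok) and tok[i] not in ("host", "any") and not IP_RE.match(tok[i]):
        values.append(PORT_NAMES.get(tok[i], tok[i])); i += 1
    return (op, tuple(values) if op == "range" else frozenset(values)), i

def parse_ace(line):  # one extended ACE -> (action, proto, src, sports, dst, dports)
    tok = line.split()
    src, i = _addr(tok, 2)
    sports, i = _ports(tok, i)
    dst, i = _addr(tok, i)
    dports, i = _ports(tok, i)
    return (tok[0], tok[1], src, sports, dst, dports)

def mirror(ace):  # the entry the peer must carry: src and dst (with ports) swapped
    action, proto, src, sports, dst, dports = ace
    return (action, proto, dst, dports, src, sports)

def mirror_gaps(local_acl, remote_acl):  # -> (missing on peer, unexpected on peer)
    local = {parse_ace(l) for l in local_acl.split("\n") if l.strip()}
    remote = {parse_ace(l) for l in remote_acl.split("\n") if l.strip()}
    expected = {mirror(a) for a in local}
    return expected - remote, remote - expected
```

Both returned sets are empty when the peer's ACL is an exact mirror; a non-empty first set lists the entries the peer must add (port names and order do not matter, the side the operator sits on does).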


Re: Port based ACL filter on L2L VPN with Routers

Very cool.

I wonder why Cisco says it "should Work", but is not recommended on IOS (routers)?

Thanks,

Brandon

Re: Port based ACL filter on L2L VPN with Routers

It is the most common thing people get wrong when configuring VPNs. A simple subnet-to-subnet ACL is a lot easier to troubleshoot.


Re: Port based ACL filter on L2L VPN with Routers

I got it, that makes sense. So configuring a basic L2L (site-to-site) VPN between simple hosts or subnets AND filtering by just "IP" is much, much easier than filtering by protocol, since you have to have an exact match on both sides.

Then it is not because of a performance or functionality issue that Cisco recommends against it.

Thanks,

Brandon


Re: Port based ACL filter on L2L VPN with Routers

Hi Collin,

I am having a bit of trouble trying to get this to work in a test lab using the routers. Can you please send an ACL and the key config snippets?

Thanks,

Brandon

Re: Port based ACL filter on L2L VPN with Routers

Brandon-

This has a little extra since we have remote access VPN as well, but it should help in your testing.


Re: Port based ACL filter on L2L VPN with Routers

Hi Collin,

Thanks for the example. Unless I am overlooking it, isn't there supposed to be a route statement for the VPN to know how to get to the remote host?

Thanks,

Brandon

Re: Port based ACL filter on L2L VPN with Routers

That's one of those weird things. In this example I don't have one, but in some others I need them. I've never found a determining factor of when one is needed or not.


Re: Port based ACL filter on L2L VPN with Routers

That's odd and interesting at the same time. ;-)

Thanks,

Brandon
