New Member

Securing Site to Site VPN

Hi All,

We are terminating a VPN on an 1800 series router. The networks that are negotiated during the phase 2 part of the setup are shown below, using the ACL...

ip access-list extended VPN_ACL
 permit ip 192.168.200.0 0.0.0.255 192.168.40.0 0.0.0.255

This then allows all IP traffic between the 2 networks. My question is this:

What would be the best way to restrict the traffic: an ACL outbound on the internal interface? Any other recommendations would be great.

Thanks in advance

Steve

5 REPLIES
New Member

Re: Securing Site to Site VPN

Hi,

If you use a tunnel interface, then you can put an ACL directly on it. If you don't, then think about it; but if you allow only the traffic that should be authorized in your tunnel on your crypto ACL, then I think traffic not matching will be dropped, or at least it won't be encapsulated, and then your ISP will drop it.

New Member

Re: Securing Site to Site VPN

Thanks so much for your reply. How would I use the tunnel interface? I don't suppose you have any good documentation you could point me to?

Cheers again

Steve

New Member

Re: Securing Site to Site VPN

Here is an example using a virtual tunnel interface; it's very simple:

http://www.ciscoblog.com/archives/2006/08/vpn_virtual_tun.html

Create a tunnel interface with source/destination public addresses and a private address, then assign an IPsec profile for protection (which contains a transform set).

New Member

Re: Securing Site to Site VPN

The problem is the other end of the tunnel is not in our control.

The VPN is currently set up using (what I call) the standard VPN setup, therefore I am reluctant, even unsure, as to whether the tunnel interfaces would help us, as we have no shared IP ranges to use as the tunnel interface IP address.

Also, restricting the traffic on the phase 2 ACL doesn't seem to work. Do you, or anyone else, have any other ideas?

Thanks and regards

Steve

New Member

Re: Securing Site to Site VPN

Hi, I think you can still use a tunnel interface even if the other end uses a crypto map, but that should be tested beforehand.

Other solutions I see would be to put an ACL on the inside interfaces, as once the traffic is tunneled, you won't be able to filter it on the outside interface, but you can still modify the crypto ACL to cipher only one part of the traffic, and drop the rest with an outside ACL.

Another solution would be to use PBR to the Null0 interface for traffic that shouldn't leave by the tunnel.
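As an added example (not from the thread or from Cisco), the inside-interface approach of the last reply written out as an IOS configuration fragment. The crypto ACL is left exactly as the question shows it, because the remote end is not under Steve's control and the phase 2 proxy identities have to keep matching on both peers; the restriction is applied on the LAN interface instead, inbound for traffic the local LAN sends towards the remote site (before encryption) and outbound for traffic arriving from the remote site (after decryption). The two subnets come from the question; the server address 192.168.40.10, the allowed services (HTTPS, DNS, ping) and the interface name FastEthernet0/0 are assumptions.

```ios
! Added example, not from the original post. Constructed values:
!   192.168.40.10    hypothetical remote server the local LAN may reach
!   FastEthernet0/0  hypothetical LAN interface of the 1800 series router
!
! Phase 2 crypto ACL: unchanged from the question, so it still matches the
! remote peer's proxy identities.
ip access-list extended VPN_ACL
 permit ip 192.168.200.0 0.0.0.255 192.168.40.0 0.0.0.255
!
! Inbound on the LAN interface: what the local LAN may send into the tunnel.
! Anything else aimed at the remote network is dropped and logged before it
! reaches the crypto map; traffic to other destinations is unaffected.
ip access-list extended LAN_TO_VPN_IN
 remark allowed services towards the remote server (hypothetical)
 permit tcp 192.168.200.0 0.0.0.255 host 192.168.40.10 eq 443
 permit udp 192.168.200.0 0.0.0.255 host 192.168.40.10 eq 53
 permit icmp 192.168.200.0 0.0.0.255 192.168.40.0 0.0.0.255 echo
 remark drop and log everything else destined to the remote site
 deny ip 192.168.200.0 0.0.0.255 192.168.40.0 0.0.0.255 log
 remark non-VPN traffic (internet etc.) is not restricted here
 permit ip any any
!
! Outbound on the LAN interface: what the remote site may deliver to the LAN
! after decryption. Only replies to the flows allowed above get through;
! anything the remote site initiates towards the LAN is dropped and logged.
ip access-list extended VPN_TO_LAN_OUT
 remark replies to the allowed flows
 permit tcp host 192.168.40.10 eq 443 192.168.200.0 0.0.0.255 established
 permit udp host 192.168.40.10 eq 53 192.168.200.0 0.0.0.255
 permit icmp 192.168.40.0 0.0.0.255 192.168.200.0 0.0.0.255 echo-reply
 remark drop and log anything else coming from the remote site
 deny ip 192.168.40.0 0.0.0.255 192.168.200.0 0.0.0.255 log
 remark locally routed traffic is not restricted here
 permit ip any any
!
interface FastEthernet0/0
 description LAN (hypothetical interface name)
 ip address 192.168.200.1 255.255.255.0
 ip access-group LAN_TO_VPN_IN in
 ip access-group VPN_TO_LAN_OUT out
```

The two deny lines carry the log keyword so that blocked inter-site flows show up in syslog, which is the quickest way to see whether a legitimate service was missed or whether the remote side is trying something the policy does not permit. The permit ip any any at the end of each list keeps the filter scoped to the two VPN subnets only; drop it if the LAN interface should carry nothing but VPN traffic.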
