07-03-2013 12:57 AM - edited 03-04-2019 08:21 PM
07-03-2013 02:08 AM
Public interface: define the allowed protocols required to create the tunnel (GRE, IPsec) from the public address of the other router.
On the Tunnel interface for site-to-site (privately addressed machines, assuming you want to control this traffic between sites).
Regards Neil
07-03-2013 05:30 AM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
If you want to "... allow the public ip addresses to talk to each other, ...", and as a VPN tunnel is communications between the public IPs, what are you trying to restrict?
If you want to restrict traffic to your router's public IPs to just the VPN tunnel traffic, you then only allow traffic that appears to be VPN traffic with a destination IP of your public IP. BTW, this doesn't preclude still allowing transit traffic through the same interface, as such traffic's destination IP shouldn't be your router's public IP; although you can block that traffic too.
07-03-2013 07:18 AM
Basically, I want to allow the public IPs on the outside interface, so the VPN will form.
Then I want to restrict what traffic comes through the site-to-site VPN tunnel. Obviously the interesting traffic is defined via the access list and crypto map, but is there a way to limit traffic on the VPN side so that only certain internal networks are allowed to go across it, or is this only done via the ACL and crypto map?
cheers
07-03-2013 07:40 AM
You would need to define only the traffic within the interesting list allowed to bring the tunnel up. If it were a GRE-based link, then you could apply this to the Tunnel interface.
Regards Neil
http://uk.linkedin.com/pub/neil-grant/20/5b0/267
07-03-2013 07:52 AM
As also posted by Neil, to control the traffic across the tunnel interface, apply an ACL to the tunnel interface.
To limit physical interface to your VPN, you would apply the ACL to the physical interface.
BTW, if your equipment supports it, you might consider VTI tunnels rather than GRE/IPsec. Config is clearer and eliminates the GRE overhead.
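The two ACL placements discussed in this thread (Neil's and Joseph's answers: a tight ACL on the public interface that only admits the tunnel-building protocols from the peer's public address, and a second ACL on the Tunnel interface that decides which internal networks may cross the VPN), written out as an IOS-style configuration. This is an added example and not config posted by anyone in the thread; the ACL names, interface names and all addresses (RFC 5737 documentation ranges for the public side, RFC 1918 ranges for the LANs) are constructed placeholders.

```cisco
! Added example, not from the thread. Placeholder addresses:
!   our public IP 198.51.100.1, peer public IP 203.0.113.2,
!   our LAN 10.1.0.0/16, remote LAN 10.2.0.0/16.
!
! 1) ACL on the physical (public) interface: only the peer may reach the
!    router's own public address, and only with what the tunnel needs.
ip access-list extended OUTSIDE-IN
 remark IKE (UDP 500) and NAT-T (UDP 4500) from the remote peer only
 permit udp host 203.0.113.2 host 198.51.100.1 eq isakmp
 permit udp host 203.0.113.2 host 198.51.100.1 eq non500-isakmp
 remark ESP carries the encrypted tunnel
 permit esp host 203.0.113.2 host 198.51.100.1
 remark GRE is only needed for GRE/IPsec in transport mode; drop this line for a VTI
 permit gre host 203.0.113.2 host 198.51.100.1
 remark everything else aimed at the router's public address is logged and dropped
 deny   ip any host 198.51.100.1 log
 remark transit traffic (destination is not the router) needs its own explicit
 remark permits here; with none, the implicit deny blocks it, as Joseph notes you may
!
! 2) ACL on the Tunnel interface: decides which internal networks may use the VPN,
!    independently of the crypto ACL that defines the interesting traffic.
ip access-list extended TUNNEL-IN
 remark only the remote LAN may reach our LAN across the tunnel
 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Public interface
 ip address 198.51.100.1 255.255.255.252
 ip access-group OUTSIDE-IN in
!
interface Tunnel0
 description GRE/IPsec to the remote site (for a VTI add: tunnel mode ipsec ipv4)
 ip address 172.16.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 ip access-group TUNNEL-IN in
```

The crypto map or IPsec profile that actually builds the tunnel is assumed to exist and is omitted. The point of the split is the one made above: OUTSIDE-IN protects the router's public address from anything but the peer's tunnel protocols, while TUNNEL-IN is evaluated on decrypted traffic, so it can restrict source and destination LANs without touching the crypto ACL. The `log` keywords make rejected packets visible in the router's logging for troubleshooting and detection.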