How is this VPN still working when part of the config is removed?!

whiteford
Level 1

Hi,

Attached is the part of the config of my Cisco 877 router at a remote small office. It connects to a Cisco ASA at the HQ where all servers are kept.

The VPN is working fine and I have been testing with the ACL on the 877 and realised nothing I changed on the config made any difference. So under "Interface Dialer1" I removed "ip access-group inbound_acl in" and then deleted "ip access-list extended inbound_acl" and the VPN is still fine!!

The remote site can connect to all systems over the VPN and vice versa. I thought "ip access-list extended inbound_acl" allowed inbound access to this remote site - clearly not.

I can only think the SA

"access-list 101 permit ip 172.19.2.0 0.0.0.255 any"

and

"crypto map MY_Crypto_Map 10 ipsec-isakmp
 match address 101"

are allowing all the traffic through?

Hope you can clear this confusion up for me.

16 Replies

patrickvanham
Level 1

The tunnel actually bypasses the ACL on the dialler interface.

These lines in the inbound ACL make sure the tunnel itself remains up:

permit ahp host x.x.x.x any
permit esp host x.x.x.x any
permit udp host x.x.x.x any eq isakmp
permit udp host x.x.x.x any eq non500-isakmp

If you want to limit access it could be done on the interface towards your LAN (outbound ACL) or on the remote site (better).

Thanks,

but I removed:

"These lines in the inbound ACL make sure the tunnel itself remains up

permit ahp host x.x.x.x any
permit esp host x.x.x.x any
permit udp host x.x.x.x any eq isakmp
permit udp host x.x.x.x any eq non500-isakmp"

and the tunnel stayed up too.

"If you want to limit access it could be done on the interface towards your LAN (outbound ACL) or on the remote site (better)."

Do you mean I should just get my Cisco ASA to lock down the traffic?

Thanks

You are trying to apply an ACL to encrypted traffic. Your firewall / router is allowing the traffic because it is looking at the tunnel header. You need to apply the inbound_acl inbound on the inside interface before it is encrypted.

The other option is to adjust your crypto acl to not define that traffic as "interesting".

Hi, I'm getting a little confused so I do apologise.

1.) So the "inbound_acl" that I put on the dialer 1 interface inbound to the remote office LAN is being bypassed because the traffic is already encrypted through the VPN? So this is why the ACL is not required?

2.) So what interface should it be on as I only have dialer 1 and VLAN 1 for the LAN.

3.) "These lines in the inbound ACL make sure the tunnel itself remains up

permit ahp host x.x.x.x any
permit esp host x.x.x.x any
permit udp host x.x.x.x any eq isakmp
permit udp host x.x.x.x any eq non500-isakmp"

but I removed the ACL "inbound_acl" and the tunnel still remains up, is this right?

4.) Because this router is set up as a VPN, does it mean that traffic is trusted and an ACL/ACE is not required, but can be added if you want to lock it down?

Thanks and sorry for the questions, it's funny as I had a Cisco CCNP to do this with me and he created the config.

1. I am not saying it is being bypassed. The portion of the ACL that deals with private IP addresses will never match because that portion of the packet has been encrypted.

2. I can only see a portion of the configuration and I don't know what your network looks like so it is impossible to say. Where do all these 192.168 networks reside? Where are the 172.19 networks?

3. It is true that if you are going to apply an ACL to the Dialer1 interface you need to have protocol 50 and port 500 permitted, but the tunnel does not require an ACL. If you remove the ACL the VPN will still connect. The crypto ACL is the only ACL that is required.

access-list 101 permit ip 172.19.2.0 0.0.0.255 any

4. Again the router doesn't require an ACL but it would certainly be best practice to include one.

I am going to assume that the 192.168 networks are on the ASA side and the 172.19 networks are on the 877 side.

If that is true you might put this portion of the ACL on the inside interface of your ASA:

permit ip 192.168.20.0 0.0.0.255 172.19.2.0 0.0.0.255
permit ip 192.168.21.0 0.0.0.255 172.19.2.0 0.0.0.255
permit ip 192.168.30.0 0.0.0.255 172.19.2.0 0.0.0.255
permit ip 192.168.40.0 0.0.0.255 172.19.2.0 0.0.0.255
permit ip 192.168.50.0 0.0.0.255 172.19.2.0 0.0.0.255
permit ip 192.168.60.0 0.0.0.255 172.19.2.0 0.0.0.255
permit ip 192.168.70.0 0.0.0.255 172.19.2.0 0.0.0.255
permit ip 192.168.80.0 0.0.0.255 172.19.2.0 0.0.0.255
permit ip 192.168.90.0 0.0.0.255 172.19.2.0 0.0.0.255
permit ip 192.168.100.0 0.0.0.255 172.19.2.0 0.0.0.255
permit udp host 192.168.21.19 host 172.19.2.1 eq snmp

Leave this portion of the ACL where it is:

permit udp any any eq isakmp
permit esp any any
deny icmp any any timestamp-request
deny icmp any any timestamp-reply
permit icmp any any
permit udp any any eq ntp
permit ahp host 80.171.150.66 any
permit esp host 80.171.150.66 any
permit udp host 80.171.150.66 any eq isakmp
permit udp host 80.171.150.66 any eq non500-isakmp

I appreciate your time and help very much.

1.) So the ACL has to be applied before encryption or after; thing is I only have 2 interfaces, dialer 1 for the WAN and vlan 1 for the LAN.

2.) You are right - The 192.168 IP are at the HQ where the Cisco ASA is, the 172.19 range is at the remote office where this config is from.

3.) I see I did add an ACL to the dialer 1 but had no ACEs in the ACL and the VPN worked fine, is adding port 50 and 500 inbound then just good practice?

4.) I see you get the ASA to control the inbound access to the ASA, is there any way to get the 877 to control this?

There are 2 ways to control what traffic can transition the tunnel.

1. You can use the crypto ACL and only include those addresses that you want to access the far end network.

2. You can use an ACL on the inside interface (either inbound or outbound) to block the traffic before it enters or as it exits the tunnel.

It is most common to block traffic with an ACL on the inside interface before it enters the tunnel because it prevents the traffic from wasting your bandwidth only to be blocked on the far side.

If you had an ACL applied to the Dialer interface with no ACE it would only include a deny any any. I can't explain that. A VPN tunnel would require these ACE entries at a minimum:

permit udp any any eq isakmp
permit esp any any

1.) I understand, I could just remove the "any" then and add the subnets over at the ASA side, can you confirm if this is best practice? Would this mean all ports are open for these ranges (no port blocking)?

2.) When you say "inside interface" I understand this for the ASA, but would this be the dialer 1 or VLAN 1 interface on the 877?

2.1) "It is most common to block traffic with an ACL on the inside interface before it enters the tunnel because it prevents the traffic from wasting your bandwidth only to be blocked on the far side." Is this both sides of the tunnel?

3.) I'm pretty sure I removed my ACL and left the "ip access-group inbound_acl in" on the dialer 1 only and it still worked. Did you say it would be bypassed anyway because of encryption?

This has all come about because I can't seem to get this inbound ACL on the dialer 1 to take notice. Can I do a test to see if it can block any inbound traffic from the ASA?

1. I wouldn't recommend using the crypto ACL to filter traffic. It definitely isn't best practice.

2. It would be the VLAN 1 interface.

2.1 Yes both sides of the tunnel. To filter 192.168 traffic from reaching the 172 network you would place an ACL on the inside interface of the ASA in the inbound direction. To filter 172 traffic from the 192 network you would place the ACL on the VLAN 1 interface in the inbound direction.

If you want to test this try adding an ACL on the VLAN1 int. in the outbound direction on the 877:

ip access-list extended 877_V1_OUT
 permit ip 192.168.20.0 0.0.0.255 172.19.2.0 0.0.0.255
 permit ip 192.168.21.0 0.0.0.255 172.19.2.0 0.0.0.255
 permit ip 192.168.30.0 0.0.0.255 172.19.2.0 0.0.0.255
 permit ip 192.168.40.0 0.0.0.255 172.19.2.0 0.0.0.255
 permit ip 192.168.50.0 0.0.0.255 172.19.2.0 0.0.0.255
 permit ip 192.168.60.0 0.0.0.255 172.19.2.0 0.0.0.255
 permit ip 192.168.70.0 0.0.0.255 172.19.2.0 0.0.0.255
 permit ip 192.168.80.0 0.0.0.255 172.19.2.0 0.0.0.255
 permit ip 192.168.90.0 0.0.0.255 172.19.2.0 0.0.0.255
 permit ip 192.168.100.0 0.0.0.255 172.19.2.0 0.0.0.255
 permit udp host 192.168.21.19 host 172.19.2.1 eq snmp
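As an added illustration (not code from the thread or from Cisco), the following Python model of first-match ACL evaluation shows the point made above: inbound_acl on Dialer1 only ever evaluates the ESP envelope from the peer (80.171.150.66, the address in the thread's ACL), so its private-address entries can never match, whereas an ACL on Vlan1 evaluates the decrypted packet. The router's own WAN address is a constructed placeholder, and only a destination "eq <port>" qualifier is modelled.

```python
def ip_int(dotted):
    return int.from_bytes(bytes(int(o) for o in dotted.split(".")), "big")
def wildcard_match(addr, net, wildcard):
    care = 0xFFFFFFFF ^ ip_int(wildcard)  # Cisco wildcard: set bit = "don't care"
    return ip_int(addr) & care == ip_int(net) & care
def parse_addr(tokens):  # one ACE address term: 'any', 'host X' or 'net wildcard'
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

PORTS = {"isakmp": 500, "non500-isakmp": 4500, "snmp": 161, "ntp": 123}

def parse_ace(line):
    tokens = line.split()
    src, rest = parse_addr(tokens[2:])
    dst, rest = parse_addr(rest)
    port = None  # only a destination "eq <port>" qualifier is modelled
    if rest and rest[0] == "eq":
        port = PORTS[rest[1]] if rest[1] in PORTS else int(rest[1])
    return tokens[0], tokens[1], src, dst, port

def evaluate(acl, pkt):
    # First matching ACE wins; every Cisco ACL ends with an implicit deny.
    for line in acl:
        action, proto, (sn, sw), (dn, dw), port = parse_ace(line)
        if proto not in ("ip", pkt["proto"]):
            continue
        if not (wildcard_match(pkt["src"], sn, sw) and wildcard_match(pkt["dst"], dn, dw)):
            continue
        if port is not None and pkt.get("dport") != port:
            continue
        return action
    return "deny"

INBOUND_ACL = [  # the trimmed inbound_acl the OP left on Dialer1
    "permit udp host 80.171.150.66 any eq isakmp",
    "permit esp host 80.171.150.66 any",
    "deny ip any any log",
]
V1_OUT = [  # two entries of the suggested 877_V1_OUT, applied on Vlan1
    "permit ip 192.168.21.0 0.0.0.255 172.19.2.0 0.0.0.255",
    "permit udp host 192.168.21.19 host 172.19.2.1 eq snmp",
]
ROUTER_WAN_IP = "203.0.113.10"  # constructed placeholder for the 877's Dialer1 address

def decisions(inner_pkt):
    # Dialer1 sees only the ESP envelope from the peer; Vlan1 sees the decrypted packet.
    outer = {"proto": "esp", "src": "80.171.150.66", "dst": ROUTER_WAN_IP}
    return {"dialer1": evaluate(INBOUND_ACL, outer), "vlan1": evaluate(V1_OUT, inner_pkt)}
```

Any cleartext packet from the HQ side is permitted on Dialer1 by the single esp entry, while the Vlan1 ACL still denies sources outside the listed 192.168.21.0/24 range.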

Update:

1.) I kept the "inbound_acl in" on dialer1 and just had this ACL:

ip access-list extended inbound_acl
 permit udp host 80.171.150.66 any eq isakmp
 permit esp host 80.171.150.66 any
 deny ip any any log

It seems as soon as I added "permit esp host 80.171.150.66 any" everything from the ASA 192 side is given access to the 172 remote LAN. If I remove it then I can no longer access anything at the remote 172 site.

2.) Also (apologies for missing this) in the config I have:

ip inspect name outbound tcp
ip inspect name outbound udp
ip inspect name outbound ftp
ip inspect name outbound http
ip inspect name outbound icmp

interface Vlan1
 ip address 172.19.2.1 255.255.255.0
 ip inspect outbound in

What is this doing, is it dynamically opening the inbound ports to the VLAN? Well, I removed it and nothing changed.

lgijssel
Level 9

When VPN-traffic arrives at your interface Dialer1, it is still encapsulated. This implies that the contents are NOT inspected by the acl that monitors your incoming traffic.

Also, since this is a router, having no acl means all traffic is permitted by default.

What is allowed through the VPN is determined by your acl 101.

regards,

Leo

So to control traffic I should stick the ACL in the VLAN1?

That would work. Personally I never stick an ACL on a VLAN interface, only inspection rules, but rather on the physical interface (in your case probably FastEthernet). The 877 should have a physical connection to the LAN with one of the interfaces, and setting it up on the physical interface is better than the VLAN interface.

Although it would be better to configure the remote site to never allow the traffic into the tunnel in the first place.

Hi,

1.) There is an inspection rule inbound on the VLAN1 (same as the fastethernet), what does this do compared to an ACL?

ip inspect tcp reassembly queue length 64
ip inspect name outbound tcp
ip inspect name outbound udp
ip inspect name outbound ftp
ip inspect name outbound http
ip inspect name outbound icmp

interface Vlan1
 ip address 172.19.2.1 255.255.255.0
 ip inspect outbound in

2.) Also at the ASA 192 side, it seems any subnet I go on to try and access this 877 can, as I'm using "any" it's allowing any IP range? Then I should simply do the blocking on the ASA?
