From: Rob on 15 Jun 2010 13:53

We have a 3725 (IOS 12.4(5a)) which serves a number of VPNs with crypto
map statements like this:

crypto map vpn-4 168 ipsec-isakmp
 set peer a.b.c.d
 set transform-set aes-sha
 match address vpn-168

ip access-list extended vpn-168
 permit ip 172.16.0.0 0.15.255.255 172.31.32.168 0.0.0.7

AFAIK, the access list in this config only determines what traffic is
expected encrypted and what traffic can be unencrypted.

Is it also possible to add an access list to this config that determines
what traffic is allowed through this tunnel? I.e. that is applied after
decryption. I would like to restrict the user at the other end of the
tunnel from accessing certain services on the local network.

Right now I have an outbound access list on the LAN interface, but it
seems kind of backward. One would want to filter at the source.
From: Uli Link on 16 Jun 2010 03:26

Rob wrote:
> We have a 3725 (IOS 12.4(5a)) which serves a number of VPNs with crypto
> map statements like this:
>
> crypto map vpn-4 168 ipsec-isakmp
>  set peer a.b.c.d
>  set transform-set aes-sha
>  match address vpn-168
>
> ip access-list extended vpn-168
>  permit ip 172.16.0.0 0.15.255.255 172.31.32.168 0.0.0.7

crypto map vpn-4 168 ipsec-isakmp
 set ip access-group <acl-name> in|out

<http://www.cisco.com/en/US/docs/ios/12_3t/12_3t8/feature/guide/gt_crpks.html>

--
ULi
From: Rob on 16 Jun 2010 03:42

Uli Link <VonRechts.NachLinks(a)usenet.arcornews.de> wrote:
> Rob wrote:
>> We have a 3725 (IOS 12.4(5a)) which serves a number of VPNs with crypto
>> map statements like this:
>>
>> crypto map vpn-4 168 ipsec-isakmp
>>  set peer a.b.c.d
>>  set transform-set aes-sha
>>  match address vpn-168
>>
>> ip access-list extended vpn-168
>>  permit ip 172.16.0.0 0.15.255.255 172.31.32.168 0.0.0.7
>
> crypto map vpn-4 168 ipsec-isakmp
>  set ip access-group <acl-name> in|out
>
> <http://www.cisco.com/en/US/docs/ios/12_3t/12_3t8/feature/guide/gt_crpks.html>

Thank you! I remember that I worked with versions that passed the traffic
through the interface incoming ACL both before and after decryption (and
that I found it strange), but I was not aware where the second check had
moved.
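The per-crypto-map clear-text check Uli points at, laid out beside the interface-level outbound ACL Rob described, as an added example that is not from the thread or from Cisco's documentation; the LAN interface name, the ACL names and the 172.16.10.25 mail relay address are constructed placeholders, and the ACL direction follows the syntax quoted in Uli's reply.

```cisco
! Added example, not from the thread. Interface name, ACL names and the
! 172.16.10.25 host are constructed placeholders.
!
! --- Before: outbound ACL on the LAN interface (Rob's current setup).
! Decrypted traffic from every tunnel is filtered only on its way out of
! the LAN interface, mixed in with all other traffic leaving it.
ip access-list extended lan-out
 permit tcp 172.31.32.168 0.0.0.7 host 172.16.10.25 eq 25
 deny   ip  172.31.32.168 0.0.0.7 172.16.0.0 0.15.255.255
 permit ip any any
!
interface FastEthernet0/1
 ip access-group lan-out out
!
! --- After: clear-text check bound to this crypto map entry only.
! The ACL is evaluated against the decrypted packets of this tunnel, so
! it is written purely in terms of the remote site's /29.
ip access-list extended vpn-168-in
 remark Remote site 172.31.32.168/29: SMTP to the mail relay only
 permit tcp 172.31.32.168 0.0.0.7 host 172.16.10.25 eq 25
 remark Replies to sessions our own 172.16.0.0/12 hosts opened toward the
 remark remote site; without this, local-initiated connections break.
 permit tcp 172.31.32.168 0.0.0.7 172.16.0.0 0.15.255.255 established
 permit icmp 172.31.32.168 0.0.0.7 172.16.0.0 0.15.255.255 echo-reply
 remark Explicit deny with log so rejected attempts are visible
 deny   ip any any log
!
crypto map vpn-4 168 ipsec-isakmp
 set peer a.b.c.d
 set transform-set aes-sha
 set ip access-group vpn-168-in in
 match address vpn-168
!
! The existing vpn-168 ACL still defines what must be encrypted; the new
! vpn-168-in ACL decides what the remote side may reach after decryption.
! Hit counters on the deny line show what the policy is rejecting:
!   show ip access-lists vpn-168-in
```

The `established` keyword only matches TCP flags, so UDP services that local hosts use across the tunnel need their own permit lines.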