ACL with IP Sec Site To Site VPN

jk865 — Mon, 03 Jan 2022 17:21:11 GMT

I'm trying to configure a site-to-site VPN between three routers one of which is passive with multiple ACLs and I'm having a bit of a meltdown. Some of the ACLs work , the VPN works If I don't apply the ACLs as soon as I apply the ACLs it stops working

Thanks In advnace

The lab specifies there should be four ACLs :

NETWORK 2 and NETWORK 1 should be able to communicate via the VPN, without restrictions.

NETWORK 2 should be able to communicate to the ciscolab.com server but without the VPN.

NETWORK 1 can only communicate to the INTERNET if the communication is initiated by a NETWORK 1 user. This means that communication initiated by INTERNET devices should not be allowed.

INTERNET devices can communicate only to the pocoloco.com device and only for HTTPS communication. < This seems to work.

Router 1

ip access-list extended VPN Applied with VPN

deny ip host 172.10.0.51 172.10.0.0 0.0.0.31

permit ip 172.10.0.32 0.0.0.15 172.10.0.0 0.0.0.31

permit ip 172.10.0.48 0.0.0.7 172.10.0.0 0.0.0.31

ip access-list extended INTERNET Applied S/0/0/0 OUTBOUND

permit ip 172.10.0.32 0.0.0.15 209.165.100.96 0.0.0.31

permit ip 172.10.0.48 0.0.0.7 209.165.100.96 0.0.0.31

ip access-list extended INTERNET_TO_CISCOLAB.COM Applied s0/0/0 INBOUND

permit tcp 209.165.100.96 0.0.0.31 host 172.10.0.51 eq 443

deny ip any any

crypto isakmp policy 10

encr aes 256

authentication pre-share

group 5

crypto isakmp key zDGkUPC5! address 209.165.100.134

crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac

crypto map VPN-MAP 10 ipsec-isakmp

description VPN connection to Router 2

set peer 209.165.100.134

set transform-set VPN-SET

match address VPN

router 2

ip access-list extended VPN

access-list 110 permit ip 172.10.0.0 0.0.0.31 172.10.0.32 0.0.0.15

access-list 110 permit ip 172.10.0.0 0.0.0.31 172.10.0.48 0.0.0.7

crypto isakmp policy 10

encr aes 256

authentication pre-share

group 5

crypto isakmp key zDGkUPC5! address 209.165.100.129

crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac

crypto map VPN-MAP 10 ipsec-isakmp

description VPN connection to Router 1

set peer 209.165.100.129

set transform-set VPN-SET

match address VPN

Re: ACL with IP Sec Site To Site VPN

MHM Cisco World — Mon, 03 Jan 2022 17:32:59 GMT

IPSec is P2P protocol so connect one Router to two different Router is not acceptable.

Re: ACL with IP Sec Site To Site VPN

jk865 — Mon, 03 Jan 2022 17:35:33 GMT

Sorry I wasn't very clear in what I said I don't want to connect to two routers just one, the VPN works fine without the ACL's when I apply the ACL's before or after configuring the VPN nothing works

Thanks

Re: ACL with IP Sec Site To Site VPN

Rob Ingram — Wed, 05 Jan 2022 12:02:44 GMT

@jk865 you've already asked the same question in another post.

https://community.cisco.com/t5/vpn/site-to-site-ipsec-vpn-in-packet-tracer/m-p/4526042#M281333

You need to bear in mind ACLs are stateless.

Re: ACL with IP Sec Site To Site VPN

jk865 — Mon, 03 Jan 2022 18:06:39 GMT

Sorry I thought I had posted it in the wrong place I wasn’t intending on wasting anyone’s time.

I’ve just hit a wall and need some help.

Thanks

topic Re: ACL with IP Sec Site To Site VPN in Network Security

ACL with IP Sec Site To Site VPN

Re: ACL with IP Sec Site To Site VPN

Re: ACL with IP Sec Site To Site VPN

Re: ACL with IP Sec Site To Site VPN

Re: ACL with IP Sec Site To Site VPN