Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
426
Views
0
Helpful
1
Replies

Access list for Remote Access VPN in IOS

arnis
Level 1
Level 1

‎06-06-2007 02:53 AM - edited ‎03-11-2019 03:25 AM

Hi

I have a router configured with an IOS Firewall and remote access ipsec VPN.

users can connect in fine, but no traffic passes through the VPN tunnel unles I do the following in the outside accesslist

access-list 110 permit ip 192.168.195.0 0.0.0.255 any

192.168.195.0 is the networ assigned to VPN clients, and I have to permit that network all access into the router for this to work.

is this normal, or is there a way to narow it down.

Cheers

Arni

Labels:
0 Helpful
1 Reply 1

050878james
Level 1
Level 1

‎06-06-2007 03:07 AM

that`s correct, but I would never use "any" config you have used :

access-list 110 permit ip 192.168.195.0 0.0.0.255 any

In my case I have 2 LAN networks :

172.16.0.0 255.255.255.0

10.0.0.0 255.255.255.0

and my vpn clients have the ip pool:

192.168.0.0 255.255.255.0

So I created the ACL as below :

ip access-list extended ACL_CRYPTO_VPN_CLIENTS

deny ip 172.16.0.0 0.0.0.255 192.168.0.0 0.0.0.255

permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255

I denied access to VPN clients on the network 172.16.0.0 and permited them access to network 10.0.0.0.

You see? I have not used ANY because if You later add more than one LAN than is it more easy to handle the ACL, more easier to find out who have and who have not permission to access specified networks.

please rate if this helps

cheers

James

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card