ACL help and understanding

Below is output from a config running on my VPN router (IP removed for security purposes).

crypto map NMI-VPN isakmp-profile NMI-ISAKMP
crypto map NMI-VPN 10 ipsec-isakmp
 set peer X.X.X.X
 set transform-set AES-SHA
 set isakmp-profile NMI-ISAKMP
 match address NMI-ENCRYPT

I have two questions I want answered...

1. What is the match address command and what does it do?

2. My NMI-ENCRYPT extended access-list has the following output...

Extended IP access list NMI-ENCRYPT
    30 permit ip host 10.63.127.120 10.46.0.0 0.0.255.255 (32788 matches)
    60 permit ip host 10.63.127.120 10.0.4.0 0.0.0.255
    70 permit ip host 10.63.67.8 10.46.0.0 0.0.255.255 (49459335 matches)
    90 permit ip host 10.63.70.205 10.0.4.0 0.0.0.255 (175 matches)
    100 permit ip host 10.63.70.205 10.46.0.0 0.0.255.255 (2798 matches)
    110 permit ip host 10.63.13.6 10.46.0.0 0.0.255.255 (11048 matches)
    120 permit ip host 10.63.127.150 10.46.0.0 0.0.255.255 (2208 matches)
    140 permit ip host 10.63.127.180 10.46.0.0 0.0.255.255 (172179 matches)
    150 permit ip host 10.63.127.180 10.0.4.0 0.0.0.255
    160 deny ip any any log (53156 matches)

10.63.X.X is my internal network. 10.46.X.X and 10.0.4.X are external networks... If I'm not mistaken, doesn't the above ACL only restrict specific internal users to specific external subnets? What I want to do is restrict the external subnets to specific internal hosts... Does the above ACL do this already, or would I have to reconfigure the ACL?

1 Accepted Solution


The ACL that you reference with "match address" only controls the traffic that can be processed by the VPN tunnel. With a corresponding config on the other side, all the traffic in the permit ACEs is allowed in both directions.

Normally these crypto-ACLs are configured quite broadly, like this:

ip access-list ext NMI-ENCRYPT
  permit ip 10.63.0.0 0.0.255.255 10.0.4.0 0.0.0.255
  permit ip 10.63.0.0 0.0.255.255 10.46.0.0 0.0.255.255

That saves some resources, as the router builds one set of SAs for each line in the crypto-ACL.

For access control you can apply an incoming and an outgoing ACL directly in the tunnel:

crypto map NMI-VPN 10 ipsec-isakmp
  set peer ...
  set transform-set ...
  match address ...
  set ip access-group VPN-FILTER-SITE-X-IN in
  set ip access-group VPN-FILTER-SITE-X-OUT out

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni


9 Replies


karsten.iwen wrote:

The ACL that you reference with "match address" only controls the traffic that can be processed by the VPN-Tunnel.

Karsten, can you elaborate on this statement a little more, please? Also, I was able to sniff the traffic coming from the VPN tunnel that was unencrypted and found that only the internal hosts specified in the ACL are being contacted from the external subnets. So in a way that I don't really understand, the NMI-ENCRYPT ACL is filtering external traffic as it should. Now to tighten things up... I want to remove the broad statements and replace them with the following...

10 permit tcp host 10.63.127.120 eq 80 10.46.101.101 0.0.0.3
20 permit tcp host 10.63.127.150 eq 80 10.46.101.101 0.0.0.3
30 permit tcp host 10.63.70.205 eq 80 10.46.101.101 0.0.0.3
40 permit tcp host 10.63.127.180 eq 80 10.46.102.101 0.0.0.3
50 permit tcp host 10.63.70.205 eq 80 10.46.102.101 0.0.0.3
60 permit tcp host 10.63.13.6 eq 22 host 10.46.102.103
70 permit tcp host 10.63.67.8 eq 4182 host 10.46.104.101
80 permit udp host 10.63.67.8 eq 137 host 10.46.104.101
90 permit ip host 10.63.127.120 10.0.4.0 0.0.0.255
100 permit ip host 10.63.70.205 10.0.4.0 0.0.0.255
110 permit ip host 10.63.127.180 10.0.4.0 0.0.0.255
120 deny ip any any log

You could include port numbers in the crypto-ACL, but keep in mind that in general the ACL on the other side should mirror this ACL. This config makes everything overcomplicated. You are using the wrong tool for the job here. The crypto-ACL is for defining the encryption domains, and the tunnel ACLs ("set ip access-group ...") are for access control.

And of course you have to make sure that your subnets are aligned on subnet boundaries. Your first five destinations are not.


Karsten

After searching and reading I finally decrypted what you were saying. I found that the match address command specifies what traffic will be encrypted by the crypto map. So permit means encrypt and deny means do not encrypt. I'm sure this is exactly what you said, but I really couldn't understand your terminology... However, thanks for all your help!

Miguel

Yes, that's exactly what the crypto-ACL does. Sorry that I implied that without explaining what the ACL does in that case.


Karsten,

If I apply this to the outside crypto map NMI-VPN, will it work? I only want to restrict access into our network, and I'm not concerned if my internal network of 10.63.X.X talks to anyone in 10.46.X.X/16 or 10.0.4.X/24.

set ip access-group NMI-VPN-FILTER-OUT out

ip access-list extended NMI-VPN-FILTER-OUT
     10 permit tcp 10.46.101.100 0.0.0.3 host 10.63.127.120 eq 80
     20 permit tcp 10.46.101.100 0.0.0.3 host 10.63.127.150 eq 80
     30 permit tcp 10.46.101.100 0.0.0.3 host 10.63.70.205 eq 80
     40 permit tcp 10.46.102.100 0.0.0.3 host 10.63.127.180 eq 80
     50 permit tcp 10.46.102.100 0.0.0.3 host 10.63.70.205 eq 80
     60 permit tcp host 10.46.102.103 host 10.63.13.6 eq 22
     70 permit tcp host 10.46.104.101 host 10.63.67.8 eq 4182
     80 permit udp host 10.46.104.101 host 10.63.67.8 eq 137
     90 permit ip 10.0.4.0 0.0.0.255 host 10.63.127.120
     100 permit ip 10.0.4.0 0.0.0.255 host 10.63.127.180
     110 permit ip 10.0.4.0 0.0.0.255 host 10.63.70.205
     120 deny ip any any log

If you want to control the traffic flowing into your network, you have to use the "in" parameter in the "set ip access-group" command. And for the traffic flowing from your network to the remote network, you have to include the return traffic in the ACL or activate the IOS firewall on the router.



Karsten,

Thanks for all your help. I usually get mixed up over the "in" and "out" parameters. So the "out" only applies to anything coming from my internal network, and the "in" applies to anything coming from the external network?

Also, will this work?

ip access-list extended NMI-VPN-FILTER-IN
      10 permit tcp 10.46.101.100 0.0.0.3 host 10.63.127.120 eq 80
      20 permit tcp 10.46.101.100 0.0.0.3 host 10.63.127.150 eq 80
      30 permit tcp 10.46.101.100 0.0.0.3 host 10.63.70.205 eq 80
      40 permit tcp 10.46.102.100 0.0.0.3 host 10.63.127.180 eq 80
      50 permit tcp 10.46.102.100 0.0.0.3 host 10.63.70.205 eq 80
      60 permit tcp host 10.46.102.103 host 10.63.13.6 eq 22
      70 permit tcp host 10.46.104.101 host 10.63.67.8 eq 4182
      80 permit udp host 10.46.104.101 host 10.63.67.8 eq 137
      90 permit tcp host 10.0.4.205 host 10.63.70.205 eq 80
      110 deny ip any any log

ip access-list extended NMI-VPN-FILTER-OUT
      10 permit ip any 10.46.0.0 0.0.255.255
      20 permit ip any 10.0.4.0 0.0.0.255
      50 deny ip any any

Yes, coming from your VPN peer, only the defined communication is allowed, which is controlled with your ACL NMI-VPN-FILTER-IN. For your OUT filter, you have to decide if that is really needed. If your crypto-ACL doesn't include anything other than 10.46/16 and 10.0.4.0/24, then you don't need that filter. It would only be needed if you want to restrict certain systems from communicating with the other side. If you don't specify your "out" filter, then everything that is specified in your crypto-ACL will be allowed.

But be aware that these ACLs are not stateful. If you telnet from your inside host (e.g. 10.63.127.120) to a remote host (e.g. 10.0.4.100), then the return packet would be matched at seq. 110 of the ACL NMI-VPN-FILTER-IN.

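The three points made in the replies above, as an added worked example that is not part of the thread and not Cisco's code: the crypto-ACL's permit means "protect with IPsec" and deny means "do not tunnel"; the draft entry 10.46.101.101 0.0.0.3 is not aligned to a wildcard boundary; and the tunnel filters applied with "set ip access-group" are stateless, so the return packet of an inside-initiated telnet hits seq 110 of NMI-VPN-FILTER-IN. The Python below re-implements IOS extended-ACL first-match evaluation (wildcard masks, optional "eq" ports, implicit deny) over subsets of the ACLs posted in the thread so those statements can be checked offline. Only ip/tcp/udp, host/any/wildcard addresses and "eq" ports are modelled; the telnet source port (51000), the remote host 10.0.4.100 and the client 10.46.101.102 used in the checks are constructed values.

```python
"""Offline model of Cisco IOS extended-ACL first-match evaluation (added
example, not code from the thread or Cisco).  It checks two points from the
replies: 10.46.101.101 0.0.0.3 is not on a wildcard block boundary, and the
stateless 'in'/'out' tunnel filters drop the return leg of an inside-initiated
telnet at seq 110 of NMI-VPN-FILTER-IN.  Ports and host 10.0.4.100 are
constructed; the ACLs are subsets of the posted ones."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

def ip2int(a: str) -> int:
    return int(ipaddress.IPv4Address(a))

@dataclass(frozen=True)
class Addr:
    net: int
    wildcard: int               # IOS wildcard: set bits are "don't care"
    port: Optional[int] = None  # from 'eq N'; None = any port

    def matches(self, ip: int, port: Optional[int]) -> bool:
        care = 0xFFFFFFFF ^ self.wildcard
        return (ip & care) == (self.net & care) and self.port in (None, port)

@dataclass(frozen=True)
class Ace:
    seq: int
    action: str  # permit | deny
    proto: str   # ip | tcp | udp
    src: Addr
    dst: Addr

def _parse_addr(tok: list) -> Addr:
    """Consume 'any' | 'host A' | 'A WILDCARD', then an optional 'eq PORT'."""
    t = tok.pop(0)
    if t == "any":
        net, wc = 0, 0xFFFFFFFF
    elif t == "host":
        net, wc = ip2int(tok.pop(0)), 0
    else:
        net, wc = ip2int(t), ip2int(tok.pop(0))
    port = None
    if tok[:1] == ["eq"]:
        tok.pop(0)
        port = int(tok.pop(0))
    return Addr(net, wc, port)

def parse_acl(text: str) -> list:
    """Parse 'SEQ ACTION PROTO SRC [eq P] DST [eq P] [log]' lines."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        rest = tok[3:]
        src = _parse_addr(rest)
        dst = _parse_addr(rest)  # a trailing 'log' keyword is left over
        aces.append(Ace(int(tok[0]), tok[1], tok[2], src, dst))
    return aces

def lookup(aces, proto, sip, sport, dip, dport) -> Optional[Ace]:
    """First matching ACE, or None for the implicit deny at the end."""
    for a in aces:
        if (a.proto in ("ip", proto) and a.src.matches(ip2int(sip), sport)
                and a.dst.matches(ip2int(dip), dport)):
            return a
    return None

def misaligned(aces) -> list:
    """Seq numbers whose src/dst has a don't-care bit set (IOS stores it cleared)."""
    return [a.seq for a in aces
            if (a.src.net & a.src.wildcard) or (a.dst.net & a.dst.wildcard)]

def crypto_decision(crypto_acl, proto, sip, sport, dip, dport) -> str:
    """Crypto-ACL: permit = protect with IPsec; deny or no match = not tunnelled."""
    a = lookup(crypto_acl, proto, sip, sport, dip, dport)
    return "encrypt" if a and a.action == "permit" else "clear"

def session_check(out_acl, in_acl, proto, iip, iport, rip, rport) -> dict:
    """Both legs of an inside-initiated session through the stateless filters."""
    def verdict(a):
        return (a.action, a.seq) if a else ("deny", None)
    fwd = lookup(out_acl, proto, iip, iport, rip, rport)  # inside -> remote
    ret = lookup(in_acl, proto, rip, rport, iip, iport)   # remote -> inside
    return {"forward": verdict(fwd), "return": verdict(ret)}

CRYPTO_DRAFT = """
10 permit tcp host 10.63.127.120 eq 80 10.46.101.101 0.0.0.3
60 permit tcp host 10.63.13.6 eq 22 host 10.46.102.103
120 deny ip any any log
"""
FILTER_IN = """
10 permit tcp 10.46.101.100 0.0.0.3 host 10.63.127.120 eq 80
90 permit tcp host 10.0.4.205 host 10.63.70.205 eq 80
110 deny ip any any log
"""
FILTER_OUT = """
10 permit ip any 10.46.0.0 0.0.255.255
20 permit ip any 10.0.4.0 0.0.0.255
50 deny ip any any
"""
```

misaligned(parse_acl(CRYPTO_DRAFT)) flags seq 10, whose destination 10.46.101.101 has bit 0 set inside the 0.0.0.3 don't-care range, which is the alignment problem the reply points out. session_check(parse_acl(FILTER_OUT), parse_acl(FILTER_IN), "tcp", "10.63.127.120", 51000, "10.0.4.100", 23) shows the forward leg permitted at seq 20 of the OUT filter and the return leg denied at seq 110 of the IN filter: neither filter knows the SYN-ACK belongs to a session the inside host opened, which is why the reply suggests either permitting the return traffic explicitly or letting the IOS firewall inspection track the sessions.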
