2029 Views | 10 Helpful | 4 Replies

ACL with IPsec Site-to-Site VPN

jk865
Level 1

Hi,

I'm trying to configure a site-to-site VPN between three routers, one of which is passive, with multiple ACLs, and I'm having a bit of a meltdown. Some of the ACLs work, and the VPN works if I don't apply the ACLs; as soon as I apply the ACLs it stops working.

Thanks in advance.

The lab specifies there should be four ACLs:

1. NETWORK 2 and NETWORK 1 should be able to communicate via the VPN, without restrictions.

2. NETWORK 2 should be able to communicate with the ciscolab.com server, but without the VPN.

3. NETWORK 1 can only communicate with the INTERNET if the communication is initiated by a NETWORK 1 user. This means that communication initiated by INTERNET devices should not be allowed.

4. INTERNET devices can communicate only with the pocoloco.com device and only for HTTPS communication. < This seems to work.

 

Router 1

Applied with the VPN (crypto map match address):

ip access-list extended VPN
 deny ip host 172.10.0.51 172.10.0.0 0.0.0.31
 permit ip 172.10.0.32 0.0.0.15 172.10.0.0 0.0.0.31
 permit ip 172.10.0.48 0.0.0.7 172.10.0.0 0.0.0.31

Applied on S0/0/0 OUTBOUND:

ip access-list extended INTERNET
 permit ip 172.10.0.32 0.0.0.15 209.165.100.96 0.0.0.31
 permit ip 172.10.0.48 0.0.0.7 209.165.100.96 0.0.0.31

Applied on S0/0/0 INBOUND:

ip access-list extended INTERNET_TO_CISCOLAB.COM
 permit tcp 209.165.100.96 0.0.0.31 host 172.10.0.51 eq 443
 deny ip any any

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp key zDGkUPC5! address 209.165.100.134
!
crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac
!
crypto map VPN-MAP 10 ipsec-isakmp
 description VPN connection to Router 2
 set peer 209.165.100.134
 set transform-set VPN-SET
 match address VPN

 

Router 2

ip access-list extended VPN
access-list 110 permit ip 172.10.0.0 0.0.0.31 172.10.0.32 0.0.0.15
access-list 110 permit ip 172.10.0.0 0.0.0.31 172.10.0.48 0.0.0.7

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp key zDGkUPC5! address 209.165.100.129
!
crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac
!
crypto map VPN-MAP 10 ipsec-isakmp
 description VPN connection to Router 1
 set peer 209.165.100.129
 set transform-set VPN-SET
 match address VPN

4 Replies

IPsec is a point-to-point protocol, so connecting one router to two different routers is not acceptable.

Hi,

Sorry, I wasn't very clear in what I said. I don't want to connect to two routers, just one. The VPN works fine without the ACLs; when I apply the ACLs, before or after configuring the VPN, nothing works.

Thanks

@jk865 you've already asked the same question in another post.

https://community.cisco.com/t5/vpn/site-to-site-ipsec-vpn-in-packet-tracer/m-p/4526042#M281333

You need to bear in mind ACLs are stateless.
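To make the "ACLs are stateless" point concrete against the configuration posted above, here is an added example (written for this thread; it is not code from the original poster, from the replies, or from Cisco) that models IOS-style extended ACL evaluation in Python and runs the posted inbound ACL INTERNET_TO_CISCOLAB.COM, plus a revised version, over a few constructed packets. It assumes 209.165.100.129 is Router 1's serial address (inferred from Router 2's `crypto isakmp key ... address 209.165.100.129` line), that 172.10.0.32/28 is a NETWORK 1 subnet (as the posted INTERNET ACL suggests), and that the peer uses plain ISAKMP on UDP 500 and ESP (IP protocol 50); the sample packets and the revised entries are mine, not the lab's answer.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")   # IOS 'any'


def host(addr: str):
    """IOS 'host X' is X with an all-zero wildcard mask."""
    return (addr, "0.0.0.0")


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "esp" (IP protocol 50)
    src: str
    dst: str
    dport: int = 0
    ack: bool = False     # TCP ACK or RST bit set; this is all 'established' can test


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'do not care' for that bit."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (n | w)


@dataclass(frozen=True)
class Ace:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches every protocol
    src: tuple
    dst: tuple
    dport: Optional[int] = None    # 'eq <port>' on the destination
    established: bool = False      # TCP 'established' keyword

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not wildcard_match(p.src, *self.src) or not wildcard_match(p.dst, *self.dst):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.established and not (p.proto == "tcp" and p.ack):
            return False
        return True


def evaluate(acl: list, p: Packet) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit 'deny ip any any'."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


# Addresses taken from the posted config; roles are assumptions (see lead-in).
PEER, OUTSIDE = "209.165.100.134", "209.165.100.129"
INTERNET = ("209.165.100.96", "0.0.0.31")
NETWORK1 = ("172.10.0.32", "0.0.0.15")

# The inbound ACL exactly as posted for S0/0/0.
POSTED_INBOUND = [
    Ace("permit", "tcp", INTERNET, host("172.10.0.51"), dport=443),
    Ace("deny", "ip", ANY, ANY),
]

# Revised inbound ACL (my suggestion): let the tunnel itself in, and let replies
# to sessions NETWORK 1 opened come back. 'established' is a stateless
# approximation; a reflexive ACL or the zone-based firewall tracks real sessions.
REVISED_INBOUND = [
    Ace("permit", "udp", host(PEER), host(OUTSIDE), dport=500),    # ISAKMP / IKE
    Ace("permit", "udp", host(PEER), host(OUTSIDE), dport=4500),   # NAT-T, if ever used
    Ace("permit", "esp", host(PEER), host(OUTSIDE)),               # the IPsec tunnel
    Ace("permit", "tcp", INTERNET, NETWORK1, established=True),    # return traffic only
    Ace("permit", "tcp", INTERNET, host("172.10.0.51"), dport=443),
    Ace("deny", "ip", ANY, ANY),
]

# Constructed sample packets arriving inbound on S0/0/0.
SAMPLES = {
    "isakmp_from_peer": Packet("udp", PEER, OUTSIDE, dport=500),
    "esp_from_peer": Packet("esp", PEER, OUTSIDE),
    "https_to_server": Packet("tcp", "209.165.100.100", "172.10.0.51", dport=443),
    "reply_to_network1": Packet("tcp", "209.165.100.100", "172.10.0.40", dport=51000, ack=True),
    "syn_to_network1": Packet("tcp", "209.165.100.100", "172.10.0.40", dport=22),
}


def verdicts(acl: list) -> dict:
    """Map each sample packet name to the ACL's permit/deny decision."""
    return {name: evaluate(acl, p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for label, acl in (("posted", POSTED_INBOUND), ("revised", REVISED_INBOUND)):
        print(label, verdicts(acl))
```

With the ACL as posted, the ISAKMP and ESP packets from the peer are dropped by `deny ip any any`, so the tunnel cannot even negotiate once the ACL is applied, and replies to connections NETWORK 1 opened are dropped as well, because a stateless ACL has no memory of the outbound SYN. The revised list permits the tunnel from the one peer only and still refuses a fresh SYN from the INTERNET side. Two caveats to check on the real router: `established` only looks at the ACK/RST flags and covers nothing but TCP, so a reflexive ACL (`reflect`/`evaluate`) is the proper way to meet requirement 3, and, depending on the IOS version (and Packet Tracer's model of it), the interface ACLs may also be applied to the cleartext packets before encryption and after decryption, in which case the VPN subnets from the crypto ACL need permitting there too.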

 

Sorry, I thought I had posted it in the wrong place; I wasn't intending to waste anyone's time.

I've just hit a wall and need some help.

Thanks
