11-07-2023 08:24 AM
Hi,
I have a Cisco ISR 4451 with several internet-facing VRF interfaces with crypto maps mounted and need to close all network ports other than IPsec without affecting the tunnels. Will an ACL directly on the interface do the job?
Thank you in advance.
11-07-2023 11:11 AM
No, it will not affect it.
The traffic is encapsulated inside the IPsec tunnel header.
The ACL affects the outer header only, and the inside traffic will not be affected.
Thanks A Lot
MHM
11-07-2023 08:25 AM
Yes, sure.
Block all ports except IPsec with an ACL applied to the interface.
Thanks A Lot
MHM
11-07-2023 08:31 AM
ISAKMP - UDP 500
ESP - Protocol 50 <<- sometimes Cisco allows you to set ESP directly instead of its ports
ISAKMP NAT-Traversal - UDP 4500 (NAT-T)
IPSEC Over UDP - UDP 10000 (Default)
IPSEC Over TCP - TCP 10000 (Default)
11-07-2023 08:27 AM
@rarellano An ACL inbound on the outside interface would suffice, you would need to permit udp/500 and ESP, if traffic is NAT translated in the path between the peers then also permit udp/4500.
11-07-2023 11:08 AM
Thank you,
Just to confirm, if I apply an ACL directly on the interface, it won't affect the allowed traffic through the tunnels, i.e.
crypto map MAP 5 ipsec-isakmp
description
set peer xxx.xxx.xxx.xxx
set transform-set AES256-SHA
set pfs group5
set isakmp-profile adient-peer
match address 110
interface GigabitEthernet0/0/3.109
encapsulation dot1Q 109
ip vrf forwarding VRF NAME
ip address 201.174.XX.XX 255.255.255.248
ip flow monitor NFAmonitor input
crypto map MAP
ip access-group 199 in
! Inbound on the outside interface: the source is the remote peer, the
! destination is this interface's own address (201.174.XX.XX).
access-list 199 permit udp any host 201.174.XX.XX eq 500
! Everything else arriving on this interface is dropped.
access-list 199 deny ip any any
11-07-2023 11:12 AM - edited 11-07-2023 11:14 AM
@rarellano you need more than just udp/500 in your ACL 199, you will also need ESP and udp/4500 if nat. The allowed traffic will be encapsulated in the encrypted tunnel, either using ESP or udp/4500.
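As an added worked example (not configuration from the thread or from the posters above), the following is a complete inbound ACL for the crypto-map sub-interface that permits only what the replies above list: IKE on udp/500, ESP (IP protocol 50) and NAT-T on udp/4500, restricted to the configured peer, with everything else dropped. The peer address 203.0.113.10, the local interface address 192.0.2.2 and the ACL name OUTSIDE-IN-VRF109 are assumed placeholders from documentation address ranges; substitute the real peer and the interface address masked as 201.174.XX.XX in the original post. The keywords isakmp and non500-isakmp are IOS port names for udp/500 and udp/4500.

```cisco
! Added example, not from the thread. Addresses and ACL name are assumed.
! Peer 203.0.113.10 = remote IPsec gateway, 192.0.2.2 = this sub-interface.
ip access-list extended OUTSIDE-IN-VRF109
 remark IKEv1/IKEv2 control channel from the configured peer only (udp/500)
 permit udp host 203.0.113.10 host 192.0.2.2 eq isakmp
 remark ESP, IP protocol 50: the tunnel itself when there is no NAT in the path
 permit esp host 203.0.113.10 host 192.0.2.2
 remark NAT-T: ESP carried in udp/4500 when a NAT device sits between the peers
 permit udp host 203.0.113.10 host 192.0.2.2 eq non500-isakmp
 remark Implicit deny follows; this explicit entry adds a counter and optional logging
 deny ip any any
!
interface GigabitEthernet0/0/3.109
 encapsulation dot1Q 109
 ip vrf forwarding VRF_NAME
 ip address 192.0.2.2 255.255.255.248
 crypto map MAP
 ip access-group OUTSIDE-IN-VRF109 in
```

Tying the permits to the peer's host address rather than `any` means a scan of the interface from elsewhere on the internet hits the final deny, and `show ip access-lists OUTSIDE-IN-VRF109` shows the per-entry hit counters so you can confirm that IKE and ESP (or udp/4500 if NAT-T is negotiated) are matching after the tunnel comes up. If there is more than one peer on the sub-interface, add one set of three entries per peer. Appending `log` to the deny entry is useful while validating but should be removed or rate-limited afterwards, since logging is process-switched on the ISR.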