04-27-2004 10:04 AM - edited 02-20-2020 09:24 PM
Following Cisco command references, crypto access-lists should be configured in a mirrored way on both VPN endpoints. E.g.:
VPN_GW_1:
access-list 100 permit host 172.16.1.1 host 172.16.2.1
VPN_GW_2:
access-list 100 permit host 172.16.2.1 host 172.16.1.1
Is this security check done for port numbers as well?
Or is this check only done for ip addresses (... I thought that IPSec RFCs only want to have ip addresses checked ...?)?
Thanks in advance
Edgar
04-27-2004 10:54 AM
I believe that this is done for IP addresses only. But I would prefer a more 'official' response from one of the Cisco guys.
what i normally do is add an additional ACL to restrict traffic that will be encrypted.
04-30-2004 08:16 AM
Edgar
It depends on what you are attempting to accomplish. The crypto access list identifies "interesting" traffic which will be protected by IPSec (very much like the access list which can be used by Dialer List identifies interesting traffic for Dial Access). Note that you are not permitting or denying the traffic, only whether the traffic is processed by IPSec.
So if you want all traffic between the two addresses to be processed by IPSec, your access list should be `access-list 100 permit ip host 172.16.1.1 host 172.16.2.1`. If you want telnet encrypted and you want web browsing to be in the clear, then your access list should specify a permit at the port level for telnet and specify a deny at the port level for http.
Rick
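A small checker for the mirroring requirement discussed in this thread, added here as an example and not taken from the thread or from Cisco: it parses extended ACL entries and reports entries on one gateway whose swapped form (source and destination addresses AND their port qualifiers) is missing on the peer. It assumes only the `eq` port operator and the `host`/`any`/wildcard address forms; the sample ACLs are constructed.

```python
# Parses Cisco-style extended ACL entries of the form
#   access-list <n> permit|deny <proto> <src> [eq <port>] <dst> [eq <port>]
# where <src>/<dst> is "host A.B.C.D", "any" or "A.B.C.D W.W.W.W".
# Assumption: only the "eq" port operator is handled.

def _take_addr(tokens, i):
    """Return (addr_spec, next_index) for one address term at tokens[i]."""
    if tokens[i] == "any":
        return ("any", i + 1)
    if tokens[i] == "host":
        return (("host", tokens[i + 1]), i + 2)
    return (("net", tokens[i], tokens[i + 1]), i + 2)  # address + wildcard

def _take_port(tokens, i):
    """Return (port_or_None, next_index); only 'eq <port>' is recognised."""
    if i < len(tokens) and tokens[i] == "eq":
        return (tokens[i + 1], i + 2)
    return (None, i)

def parse_ace(line):
    t = line.split()
    if len(t) < 4 or t[0] != "access-list":
        raise ValueError(f"not an extended ACL entry: {line!r}")
    action, proto = t[2], t[3]
    src, i = _take_addr(t, 4)
    sport, i = _take_port(t, i)
    dst, i = _take_addr(t, i)
    dport, i = _take_port(t, i)
    return (action, proto, src, sport, dst, dport)

def mirror(ace):
    """The entry the peer must carry: src/dst swapped together with their ports."""
    action, proto, src, sport, dst, dport = ace
    return (action, proto, dst, dport, src, sport)

def unmirrored(local_acl, peer_acl):
    """Entries of local_acl whose mirrored form is absent from peer_acl."""
    peer = {parse_ace(line) for line in peer_acl}
    return [line for line in local_acl if mirror(parse_ace(line)) not in peer]

# Constructed sample: telnet protected, http left in the clear (per Rick's reply).
GW1 = [
    "access-list 100 permit tcp host 172.16.1.1 host 172.16.2.1 eq 23",
    "access-list 100 deny tcp host 172.16.1.1 host 172.16.2.1 eq 80",
]
GW2_OK = [  # correctly mirrored: the port qualifier moves with the address
    "access-list 100 permit tcp host 172.16.2.1 eq 23 host 172.16.1.1",
    "access-list 100 deny tcp host 172.16.2.1 eq 80 host 172.16.1.1",
]
GW2_BAD = [  # addresses swapped but ports left on the destination side
    "access-list 100 permit tcp host 172.16.2.1 host 172.16.1.1 eq 23",
    "access-list 100 deny tcp host 172.16.2.1 host 172.16.1.1 eq 80",
]
```

`unmirrored(GW1, GW2_OK)` is empty, while `unmirrored(GW1, GW2_BAD)` flags both entries, which is the kind of mismatch that leaves one direction of a port-specific flow unprotected.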