02-24-2014 03:23 AM - edited 03-04-2019 10:25 PM
Guys,
I have two WAN connections; on both I have two IPSEC VPNs. For one VPN I would like to apply an access list which will limit access from the remote LAN to my LAN.
My LAN: 10.0.0.0/23 , remote LAN: 192.168.220.0/24 .
For example, I tried to limit access to host 10.0.0.100 with the following config:
(config)# ip access-list extended 150
(config-ext-nacl)# permit ip 192.168.220.0 0.0.0.255 host 10.0.0.100
(config-ext-nacl)# deny ip 192.168.220.0 0.0.0.255 any
I applied the above access list to my LAN interface as an incoming rule, but this caused no Internet access from my LAN.
The question is whether the above approach is correct and where such an ACL should be applied.
Thanks in advance for any tip.
Piotr
02-24-2014 03:41 AM
Piotr
All acls have an implicit "deny ip any any" at the end so you blocked all traffic from your LAN to the internet with your acl.
You need to remove that acl and -
1) if you are using crypto map acls then simply have an acl that only allows the traffic you want. If there is no entry in the acl then the traffic will not be encrypted
2) if you are using VTI apply your acl to the VTI in an outbound direction
Jon
02-24-2014 03:43 AM
Hi Jon,
I am using the crypto-map feature. Right now I have the following ACL there:
permit ip 10.0.0.0 0.0.1.255 192.168.220.0 0.0.0.255
Do I understand you correctly, that I should replace it with:
permit ip 192.168.220.0 0.0.0.255 host 10.0.0.100
in order to give bidirectional access to the VPN from the whole 192.168.220.0 network to host 10.0.0.100?
Piotr
02-24-2014 03:49 AM
Piotr
What do you actually want to do, i.e. is it just that host that needs the connection?
Your first acl is the correct way in terms of source and destination IPs from your end, not the second one.
If you are using a crypto map ACL, only the traffic that is matched by the ACL will be allowed through the tunnel.
Note also that if you are changing the ACL you will need to modify it at the other end as well, i.e. the crypto ACLs must match in terms of source and destination IP; they are simply reversed, i.e. your source becomes their destination etc.
An alternative is to allow traffic through the tunnel and then apply an ACL outbound to the LAN, but you need to be careful you don't cut off the internet again.
It's not clear what you are trying to achieve, i.e. which traffic you want to be encrypted.
02-24-2014 07:57 AM
Jon,
I created the following extended ACL:
10 permit ip 192.168.220.0 0.0.0.255 host 10.0.0.100
11 permit ip 192.168.220.0 0.0.0.255 host 10.0.0.101
12 permit ip 10.0.0.0 0.0.1.255 192.168.220.0 0.0.0.255
20 deny ip 192.168.220.0 0.0.0.255 any
30 permit ip any any
All hosts from the 192.168.220.0/24 network can reach hosts 0.100 and 0.101. I was quite sure that rule No. 12 would cause every host in 10.0.0.0/23 to be able to access every host in 192.168.220.0. Unfortunately, with the above config, only hosts 0.100 and 0.101 can reach the 192.168.220.0/24 network.
Is it possible to achieve such a configuration, or should I live with this?
Piotr
02-24-2014 10:47 AM
Piotr
Can you specify exactly what you are trying to do in terms of access, i.e. what IPs do you want to allow to the remote network 192.168.220.0/24?
Is there a reason you do not want to modify the crypto map ACL?
Is it because it would have to be changed at the other end as well?
I am trying to help, but you are not making it clear what access you actually want between these IPs.
Jon
02-24-2014 10:56 AM
Jon,
jon.marshall wrote:
Is there a reason you do not want to modify the crypto map ACL?
Is it because it would have to be changed at the other end as well?
I do not have control over the router in network 192.168.220.0/24, so I cannot use the crypto map ACL approach (as far as I understood you in previous posts). The 192.168.220.0/24 network is my client's network.
jon.marshall wrote:
Can you specify exactly what you are trying to do in terms of access, i.e. what IPs do you want to allow to the remote network 192.168.220.0/24?
I would like to limit access from the 192.168.220.0/24 network to only several hosts in my LAN. At the same time, because I do not care about the security in the 192.168.220.0/24 network, I would like to give all hosts in my network (10.0.0.0/23) the possibility to access the network 'after' the VPN (192.168.220.0/24).
Hope that explains everything.
Piotr
02-24-2014 11:08 AM
Piotr
Ahhh, I understand now, thanks.
The problem you have is acls are not stateful so if you limit traffic from 192.168.200.x to only a few clients then that also means that the acl applies the other way as well.
So if you have an acl that blocks access to only a few of your 10.x.x.x clients from 192.168.220.x then this acl also blocks the return traffic from any of your 10.x.x.x clients to 192.168.220.x.
However, routers support reflexive ACLs, which means you can only allow traffic back in if you have initiated the connection, so you could -
1) allow 192.168.200.x to only initiate connections to certain 10.x.x.x clients
whilst at the same time
2) allow all your 10.x.x.x clients to initiate connection to 192.168.200.x clients
see this link for reflexive acls -
http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfreflx.html
Jon
02-25-2014 02:25 AM
Hi Jon,
It's the first time I have heard about reflexive ACLs.
After reading the documentation and 'how-to's' I created something like this:
ip access-list extended ACL-test-in
permit ip 192.168.220.0 0.0.0.255 host 10.0.0.100 reflect test-reflect
permit ip 192.168.220.0 0.0.0.255 host 10.0.0.101 reflect test-reflect
ip access-list extended ACL-test-out
evaluate test-reflect
int g0/0   ! it's the LAN interface on my router
ip access-group ACL-test-in in
ip access-group ACL-test-out out
Unfortunately it seems that I did it wrong, because any host in the 192.168.220.0/24 network can reach any host in my 10.0.0.0/23 LAN.
What is more, when I do sh ip access-list ACL-test-in and ACL-test-out I do not see any entries.
I also applied the same access-groups on the WAN interface on which the VPN is configured - without luck.
Any ideas?
02-26-2014 12:16 PM
Piotr
Can you try this -
ip access-list extended ACL-test-outbound
permit ip 192.168.220.0 0.0.0.255 host 10.0.0.100
permit ip 192.168.220.0 0.0.0.255 host 10.0.0.101
evaluate test-reflect
ip access-list extended ACL-test-inbound
permit ip any any reflect test-reflect
int gi0/0
ip access-group ACL-test-inbound in
ip access-group ACL-test-outbound out
and then retest.
Jon
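To make Jon's point about stateless ACLs concrete, here is an added simulation (not part of the thread and not Cisco code) that runs Piotr's earlier ACL and Jon's reflexive pair over the same flows. It models entries at the IP level only (no ports, unlike real reflexive ACLs) and assumes the addresses used in the thread.

```python
import ipaddress

def wildcard_match(addr, net, wildcard):
    """Cisco wildcard match: a 1 bit in the mask means 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a | w) == (n | w)

ANY = ("0.0.0.0", "255.255.255.255")
REMOTE = ("192.168.220.0", "0.0.0.255")     # the client's LAN
LAN = ("10.0.0.0", "0.0.1.255")             # Piotr's LAN
def host(ip): return (ip, "0.0.0.0")
# An ACL is a list of (action, src, dst); src/dst are (network, wildcard).
# "reflect" permits and records the mirrored flow, "evaluate" consults it.
# Piotr's stateless ACL (lines 10, 11, 12, 20 of his post).
STATELESS = [("permit", REMOTE, host("10.0.0.100")),
             ("permit", REMOTE, host("10.0.0.101")),
             ("permit", LAN, REMOTE),
             ("deny", REMOTE, ANY)]
# Jon's reflexive pair on LAN interface gi0/0: "in" sees packets from LAN
# hosts, "out" sees packets towards LAN hosts (i.e. from the VPN).
INBOUND = [("reflect", ANY, ANY)]
OUTBOUND = [("permit", REMOTE, host("10.0.0.100")),
            ("permit", REMOTE, host("10.0.0.101")),
            ("evaluate", ANY, ANY)]

def check(acl, src, dst, reflexive):
    """True if (src, dst) is permitted; 'reflexive' is the mutable set of
    mirrored flows that reflect entries create (simplified: IP-level only)."""
    for action, (snet, swc), (dnet, dwc) in acl:
        if action == "evaluate":
            if (src, dst) in reflexive:
                return True
            continue
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            if action == "reflect":
                reflexive.add((dst, src))      # remember the return flow
            return action != "deny"
    return False                                # implicit deny ip any any

def stateless_reply_allowed(lan_host, remote_host):
    """Does the reply from remote_host to lan_host pass Piotr's ACL?"""
    return check(STATELESS, remote_host, lan_host, set())

def reflexive_flow(initiator, responder, from_lan):
    """Run a request and its reply through Jon's pair; return (req, reply)."""
    refl = set()
    first, second = (INBOUND, OUTBOUND) if from_lan else (OUTBOUND, INBOUND)
    req = check(first, initiator, responder, refl)
    rep = req and check(second, responder, initiator, refl)
    return req, rep
```

With the stateless ACL the reply to 10.0.0.5 is dropped while the reply to 10.0.0.100 passes, which is exactly the symptom Piotr saw; with the reflexive pair a LAN-initiated flow to any remote host gets its reply back, while remote-initiated flows still reach only the two permitted hosts.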
03-03-2014 02:03 AM
Awesome, works like a charm!
One more thing - is it possible to apply this configuration on the external interface rather than on the LAN one?