Access list for VPN connection

Piotr Pawlowski
Level 1

Guys,

I have two WAN connections, and on both I have two IPSEC VPNs. For one VPN I would like to apply an access list that will limit access from the remote LAN to my LAN.

My LAN: 10.0.0.0/23, remote LAN: 192.168.220.0/24.

For example, I tried to limit access to host 10.0.0.100 with the following config:

    ip access-list extended 150
    (config-ext-nacl)# permit ip 192.168.220.0 0.0.0.255 host 10.0.0.100
    (config-ext-nacl)# deny ip 192.168.220.0 0.0.0.255 any

I applied the above access list to my LAN interface as an incoming rule, but this caused no Internet access from my LAN.

The question is whether the above approach is correct and where such an ACL should be applied.

Thanks in advance for any tip.

Piotr


Jon Marshall
Hall of Fame

Piotr

All acls have an implicit "deny ip any any" at the end so you blocked all traffic from your LAN to the internet with your acl.

You need to remove that acl and -

1) if you are using crypto map acls then simply have an acl that only allows the traffic you want. If there is no entry in the acl then the traffic will not be encrypted

2) if you are using VTI apply your acl to the VTI in an outbound direction

Jon

Hi Jon,

I am using the crypto-map feature. Right now I have the following ACL there:

    permit ip 10.0.0.0 0.0.1.255 192.168.220.0 0.0.0.255

Do I understand you correctly, that I should replace it with:

    permit ip 192.168.220.0 0.0.0.255 host 10.0.0.100

in order to give bidirectional access to the VPN from the whole 192.168.220.0 network to host 10.0.0.100?

Piotr

Piotr

What do you actually want to do, i.e. is it just that host that needs the connection?

Your first acl is the correct way in terms of source and destination IPs from your end, not the second one.

If you are using a crypto map acl then the traffic that is matched by the acl will be allowed through the tunnel.

Note also that if you are changing the acl you will need to modify it at the other end as well, i.e. the crypto acls must match in terms of source and destination IP, they are simply reversed, i.e. your source becomes their destination etc.

An alternative is to allow traffic through the tunnel and then apply an acl outbound to the LAN, but you need to be careful you don't cut off internet again.

It's not clear what you are trying to achieve, i.e. which traffic you want to be encrypted.

Jon,

I created the following extended ACL:

    10 permit ip 192.168.220.0 0.0.0.255 host 10.0.0.100

    11 permit ip 192.168.220.0 0.0.0.255 host 10.0.0.101

    12 permit ip 10.0.0.0 0.0.1.255 192.168.220.0 0.0.0.255

    20 deny ip 192.168.220.0 0.0.0.255 any

    30 permit ip any any

All hosts from the 192.168.220.0/24 network can reach hosts 0.100 and 0.101. I was quite sure that rule No. 12 would cause every host in 10.0.0.0/23 to be able to access every host in 192.168.220.0. Unfortunately, with the above config, only hosts 0.100 and 0.101 can reach the 192.168.220.0/24 network.

Is it possible to achieve such a configuration, or should I live with this?

Piotr

Piotr

Can you specify exactly what you are trying to do in terms of access, i.e. what IPs do you want to allow to the remote network 192.168.220.0/24?

Is there a reason you do not want to modify the crypto map acl?

Is it because it would have to be changed at the other end as well?

I am trying to help, but you are not making it clear what access you actually want between these IPs.

Jon

Jon,

jon.marshall wrote:

> Is there a reason you do not want to modify the crypto map acl?
>
> Is it because it would have to be changed at the other end as well?

I do not have control over the router in network 192.168.220.0/24, so I cannot use the crypto map acl approach (as far as I understood you in previous posts). The 192.168.220.0/24 network is my client network.

jon.marshall wrote:

> Can you specify exactly what you are trying to do in terms of access, i.e. what IPs do you want to allow to the remote network 192.168.220.0/24?

I would like to limit access from the 192.168.220.0/24 network to only several hosts in my LAN. At the same time, because I do not care about the security in the 192.168.220.0/24 network, I would like to give all hosts in my network (10.0.0.0/23) the possibility to access the network 'after' the VPN (192.168.220.0/24).

I hope that this explains everything.

Piotr

Piotr

Ahhh, I understand now, thanks.

The problem you have is that acls are not stateful, so if you limit traffic from 192.168.200.x to only a few clients then that also means that the acl applies the other way as well.

So if you have an acl that blocks access to only a few of your 10.x.x.x clients from 192.168.220.x then this acl also blocks the return traffic from any of your 10.x.x.x clients to 192.168.220.x.

However routers support reflexive acls, which means you can only allow traffic back in if you have initiated the connection, so you could -

1) allow 192.168.200.x to only initiate connections to certain 10.x.x.x clients

whilst at the same time

2) allow all your 10.x.x.x clients to initiate connection to 192.168.200.x clients

see this link for reflexive acls -

http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfreflx.html

Jon

Hi Jon,

It's the first time I have heard about reflexive ACLs.

After reading the documentation and 'how-to's' I created something like this:

    ip access-list extended ACL-test-in
     permit ip 192.168.220.0 0.0.0.255 host 10.0.0.100 reflect test-reflect
     permit ip 192.168.220.0 0.0.0.255 host 10.0.0.101 reflect test-reflect
    ip access-list extended ACL-test-out
     evaluate test-reflect
    ! g0/0 is the LAN interface on my router
    int g0/0
     ip access-group ACL-test-in in
     ip access-group ACL-test-out out

Unfortunately it seems that I did it wrong, because any host in the 192.168.220.0/24 network can reach any host in my 10.0.0.0/23 LAN.

What is more, when I do sh ip access-list for ACL-test-in and ACL-test-out I do not see any entries.

I also applied the same access-groups on the WAN interface on which the VPN is configured - without luck.

Any ideas?

Piotr

Can you try this -

    ip access-list extended ACL-test-outbound
     permit ip 192.168.220.0 0.0.0.255 host 10.0.0.100
     permit ip 192.168.220.0 0.0.0.255 host 10.0.0.101
     evaluate test-reflect
    ip access-list extended ACL-test-inbound
     permit ip any any reflect test-reflect
    int gi0/0
     ip access-group ACL-test-inbound in
     ip access-group ACL-test-outbound out

and then retest.

Jon
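To make the two points in this thread concrete (a stateless ACL applied to one direction also cuts the replies of connections started from the other side, and a reflexive entry created by `reflect` and consulted by `evaluate` only admits the mirror image of a flow the router has already permitted), here is a small Python model of the LAN interface gi0/0. It is an added illustration, not code from the thread, from Cisco, or from Jon's or Piotr's routers, and it simplifies IOS behaviour: it matches on source and destination address only (no protocol, ports or timeouts), the `net()` helper and the `session()` driver are constructed for the example, and the "stateless" scenario assumes Piotr's five-line ACL is applied outbound on gi0/0 with nothing inbound, which is the arrangement that reproduces the symptom he reported.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass
class Ace:
    """One access-list entry. action is 'permit', 'deny' or 'evaluate'."""
    action: str
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    reflect: Optional[str] = None   # on a permit: record the flow in this reflexive list
    evaluate: Optional[str] = None  # on 'evaluate': consult this reflexive list


def net(spec: str) -> ipaddress.IPv4Network:
    """Constructed helper: accepts 'any', 'host a.b.c.d' or CIDR (not IOS syntax)."""
    if spec == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.IPv4Network(spec[5:] + "/32")
    return ipaddress.IPv4Network(spec)


class Router:
    def __init__(self) -> None:
        # reflexive list name -> set of (src, dst) pairs learned from permitted traffic
        self.reflexive: dict = {}

    def check(self, acl, pkt: Packet) -> bool:
        src, dst = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
        for ace in acl:
            if ace.action == "evaluate":
                # a learned (src, dst) flow permits only its mirror image (dst, src)
                if (pkt.dst, pkt.src) in self.reflexive.get(ace.evaluate, set()):
                    return True
                continue
            if src in ace.src and dst in ace.dst:
                if ace.action == "permit" and ace.reflect:
                    self.reflexive.setdefault(ace.reflect, set()).add((pkt.src, pkt.dst))
                return ace.action == "permit"
        return False  # the implicit 'deny ip any any' at the end of every ACL


def session(router, in_acl, out_acl, initiator, responder, from_lan) -> str:
    """One request/reply pair across the LAN interface gi0/0 (constructed driver).
    A LAN-initiated request hits the 'in' ACL and its reply hits the 'out' ACL;
    a remote-initiated request is the other way round."""
    request, reply = Packet(initiator, responder), Packet(responder, initiator)
    first, second = (in_acl, out_acl) if from_lan else (out_acl, in_acl)
    if not router.check(first, request):
        return "request blocked"
    if not router.check(second, reply):
        return "reply blocked"
    return "ok"


PERMIT_ALL = [Ace("permit", net("any"), net("any"))]

# Piotr's first two-line ACL, applied inbound on the LAN interface
FIRST_ATTEMPT_IN = [
    Ace("permit", net("192.168.220.0/24"), net("host 10.0.0.100")),
    Ace("deny", net("192.168.220.0/24"), net("any")),
]

# Piotr's five-line stateless ACL, here assumed applied outbound on gi0/0
STATELESS_OUT = [
    Ace("permit", net("192.168.220.0/24"), net("host 10.0.0.100")),
    Ace("permit", net("192.168.220.0/24"), net("host 10.0.0.101")),
    Ace("permit", net("10.0.0.0/23"), net("192.168.220.0/24")),
    Ace("deny", net("192.168.220.0/24"), net("any")),
    Ace("permit", net("any"), net("any")),
]

# Jon's reflexive pair: learn LAN-initiated flows inbound, evaluate them outbound
REFLEX_IN = [Ace("permit", net("any"), net("any"), reflect="test-reflect")]
REFLEX_OUT = [
    Ace("permit", net("192.168.220.0/24"), net("host 10.0.0.100")),
    Ace("permit", net("192.168.220.0/24"), net("host 10.0.0.101")),
    Ace("evaluate", evaluate="test-reflect"),
]


def run_scenarios() -> dict:
    """Replay the thread's flows; each scenario uses a fresh router state."""
    results = {}
    r = Router()  # first attempt: the implicit deny kills Internet access from the LAN
    results["first: 10.0.0.5 -> internet"] = session(r, FIRST_ATTEMPT_IN, PERMIT_ALL, "10.0.0.5", "8.8.8.8", True)
    r = Router()  # stateless: only .100/.101 get their replies back from the remote LAN
    results["stateless: 10.0.0.100 -> remote"] = session(r, PERMIT_ALL, STATELESS_OUT, "10.0.0.100", "192.168.220.10", True)
    results["stateless: 10.0.0.5 -> remote"] = session(r, PERMIT_ALL, STATELESS_OUT, "10.0.0.5", "192.168.220.10", True)
    results["stateless: remote -> 10.0.0.5"] = session(r, PERMIT_ALL, STATELESS_OUT, "192.168.220.10", "10.0.0.5", False)
    r = Router()  # reflexive: remote may only start to .100/.101, LAN may start to anything
    results["reflexive: remote -> 10.0.0.5"] = session(r, REFLEX_IN, REFLEX_OUT, "192.168.220.10", "10.0.0.5", False)
    results["reflexive: remote -> 10.0.0.100"] = session(r, REFLEX_IN, REFLEX_OUT, "192.168.220.10", "10.0.0.100", False)
    results["reflexive: 10.0.0.5 -> remote"] = session(r, REFLEX_IN, REFLEX_OUT, "10.0.0.5", "192.168.220.10", True)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:36s} {outcome}")
```

The stateless run shows the exact symptom from the thread: 10.0.0.5's request leaves fine, but its reply (source 192.168.220.10, destination 10.0.0.5) matches neither host entry, falls through to the `deny 192.168.220.0/24 any` line and is dropped, whereas 10.0.0.100 succeeds because its reply matches the first permit. The reflexive run admits that same reply only because the inbound `reflect` entry recorded the flow first, while a remote-initiated request to 10.0.0.5 still hits the implicit deny. A real reflexive entry also carries protocol and port information and ages out after a timeout, so the model is more permissive than IOS in that respect.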

Awesome, works like a charm!

One more thing - is it possible to apply this configuration on the external interface rather than on the LAN one?
