ACL-block all but hosts ip


If I have a VPN site-to-site tunnel with only one host on each end, how do I block everything except those two hosts talking together and still use the VPN tunnel so that the data is encrypted?

5 Replies

You will define your "interesting" traffic that can bring up the tunnel as an ACL:

access-list 101 permit ip host host

and the inverse at the other side.

Do I have to explicitly deny every port that is not used or can't be used, such as 23 and 80 (it doesn't connect to the internet but connects on a leased line), and all other well-known ports?

The ACL defines what is encrypted, so when your traffic hits the crypto map it checks the source and destination and compares it to the ACL. If it matches, then it encrypts it and sends it down the tunnel. If you don't specify any specific ports in the ACL (as we haven't above), then any IP packets between those two hosts will be encrypted.

OK, but if I use an ACL not in the crypto map just to block ports from being used at all, is there a way to do that without naming every port that must be blocked? For example, I have an access list like the one above used for the tunnel, but then I have another one that I blocked telnet on. In that list, is there a way to block all ports not used, or do I need to have a command for each port I want blocked (such as POP3, HTTP, FTP, etc.)? Thanks for your help.

There are two ways of looking at this. Just allow specific traffic, i.e.:

access-list 101 permit tcp host host eq telnet

Everything else is blocked because of the implicit deny at the end of the ACL.

Block specific traffic and allow everything else:

access-list 101 deny tcp host host eq telnet

access-list 101 permit ip host host
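The two ACL roles discussed in this thread, put together as an added IOS configuration example (not from the thread or from Cisco documentation). Addresses, interface names and the transform set TS are constructed assumptions; note the thread reuses number 101 for both the crypto ACL and the filter, whereas here they are kept separate so the filter cannot silently change what gets encrypted.

```cisco
! Constructed addresses (RFC 5737 documentation ranges), not from the thread:
!   local host  192.0.2.10     behind GigabitEthernet0/1 (inside)
!   remote host 198.51.100.20  behind the peer router
!   this router WAN 203.0.113.1, peer WAN 203.0.113.2
!
! 1. Crypto ACL: defines the "interesting" traffic that is encrypted.
!    No ports are listed, so every IP packet between the two hosts is
!    encrypted. The peer configures the mirror image (src/dst swapped).
access-list 101 permit ip host 192.0.2.10 host 198.51.100.20
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address 101
!
! 2a. Filter ACL, allow-list style: only the two hosts may talk.
!     No port has to be denied; the implicit "deny ip any any" at the
!     end of every IOS ACL drops everything that is not permitted here.
ip access-list extended INSIDE-IN
 permit ip host 192.0.2.10 host 198.51.100.20
!
! 2b. Filter ACL, block-list style: deny named services, allow the rest.
!     Shown for comparison only; any service not listed stays open, so
!     2a is the safer default for a link that carries one application.
ip access-list extended INSIDE-IN-BLOCKLIST
 deny   tcp host 192.0.2.10 host 198.51.100.20 eq telnet
 deny   tcp host 192.0.2.10 host 198.51.100.20 eq www
 permit ip host 192.0.2.10 host 198.51.100.20
!
! Apply the allow-list filter inbound on the LAN interface so only the
! local host's traffic to the remote host ever reaches the crypto map.
interface GigabitEthernet0/1
 ip access-group INSIDE-IN in
!
! A filter on the WAN interface must still let the tunnel itself in:
! ISAKMP (UDP 500), NAT-T (UDP 4500) and ESP from the peer. The last
! line keeps the decrypted host-to-host traffic on IOS releases that
! re-check clear-text packets against the interface ACL.
ip access-list extended OUTSIDE-IN
 permit udp host 203.0.113.2 host 203.0.113.1 eq isakmp
 permit udp host 203.0.113.2 host 203.0.113.1 eq non500-isakmp
 permit esp host 203.0.113.2 host 203.0.113.1
 permit ip host 198.51.100.20 host 192.0.2.10
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map VPNMAP
 ip access-group OUTSIDE-IN in
```

After applying, "show ip access-lists" shows per-entry hit counts, which is the quickest way to confirm that only the host-to-host entries are matching and that nothing is being dropped by the implicit deny unexpectedly.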
