access-list Command

otnj2ee
Level 1

If the system architecture is like this: a PIX (501) with PCs attached to it. The PCs are on the same subnet, 192.168.1.0 255.255.255.0. A remote PC is to be assigned a subnet of 10.10.10.0 255.255.255.0 once it is connected to the PIX via VPN.

For a simplified access-list command, it will be like this:

access-list ID permit ip {source_addr source_mask } {destination_addr} {destination_mask }

1) What should be the source address?

2) What should be the destination address?

Or I mean how should we define the source and destination? {Which direction should I look at :) }

Thanks for your help.

Scott

5 Replies

thisisshanky
Level 11

Is this a site-to-site VPN between the PIX 501 and the remote VPN device (Cisco or non-Cisco), or are the clients in 10.10.10.0 using Cisco VPN Client software?

If it's site-to-site, your ACL on the PIX should have a source of 192.168.1.0 and a destination of 10.10.10.0.

HTH

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

Thanks for the response. This is a remote PC (Cisco VPN Client) to PIX 501 case. The PIX inside interface and the computers connected to the PIX are in the subnet 192.168.1.0 255.255.255.0, while the remote PC will be assigned 10.10.10.0 255.255.255.0 once it has successfully opened the VPN channel.

But I am confused about which should be the source and which should be the destination.

Thanks again.

Scott

In terms of configuring remote VPN access, there are 3 ACLs:

1. No NAT

access-list no_nat permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0

2. Split tunneling

access-list split_tunnel permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0

3. Inbound ACL

access-list inbound permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0

Please note that #3, the inbound ACL, is not required if the command "sysopt connection permit-ipsec" is enabled.

Thanks for the response. But why are the source and destination addresses for #2 and #3 just reversed? i.e.,

#2 access-list split_tunnel permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0

source = 192.168.1.0 255.255.255.0

destination = 10.10.10.0 255.255.255.0

#3 access-list inbound permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0

source = 10.10.10.0 255.255.255.0

destination = 192.168.1.0 255.255.255.0

I believe that the command for the access-list should be {Source Address} first, followed by {Destination Address}. But those for #2 and #3 in the response are just reversed.

Thanks for your help.

Scott

#2 is for the split tunnel.

When the remote VPN user initiates the VPN, the PIX will push the settings, including an IP address, internal DNS, and the split tunnel. So with this ACL, the remote VPN client software will be able to determine what traffic is to be encrypted/sent via the VPN. In your case, the VPN client software will only encrypt/send traffic destined for 192.168.1.0.

#3 is for inbound traffic.

Again, this is not required unless the command "sysopt connection permit-ipsec" is disabled. When the PIX receives the packet, it decrypts the packet, examines the packet against the inbound ACL and then determines the next hop. In your case, the remote VPN client sends a packet destined for 192.168.1.0. The PIX receives the packet and decrypts it. The PIX examines the packet, knowing that the source is 10.10.10.0 destined for 192.168.1.0, which is permitted by the inbound ACL. The PIX then forwards the packets according to the routing table.
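As an added example (not from this thread or from Cisco documentation), here is how the three ACLs discussed above fit together in a PIX 6.x remote-access configuration, with the inbound ACL kept active so decrypted VPN traffic is still filtered. The group name vpnclients, pool name vpnpool, inside interface address, DNS server address and pre-shared key are assumed placeholders, and the ISAKMP and dynamic crypto map lines are not shown.

```cisco
: Added example, not the thread author's configuration. Names and addresses
: other than 192.168.1.0/24 and 10.10.10.0/24 are assumed placeholders.
ip address inside 192.168.1.1 255.255.255.0
ip local pool vpnpool 10.10.10.1-10.10.10.254

: 1. NAT exemption: local LAN (source) talking to the VPN pool (destination)
access-list no_nat permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list no_nat

: 2. Split tunnel: the source field lists the networks behind the PIX that the
:    client must send through the tunnel; everything else leaves the client in the clear
access-list split_tunnel permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0

: 3. Inbound: evaluated on packets after decryption, so the VPN pool is the source
access-list inbound permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-group inbound in interface outside

: Remote-access group pushed to the Cisco VPN Client (assumed names/values)
vpngroup vpnclients address-pool vpnpool
vpngroup vpnclients dns-server 192.168.1.10
vpngroup vpnclients split-tunnel split_tunnel
vpngroup vpnclients password PRESHARED_KEY_PLACEHOLDER

: Keep this disabled so VPN traffic is not exempted from the inbound ACL
no sysopt connection permit-ipsec
```

With "sysopt connection permit-ipsec" enabled instead, decrypted client traffic bypasses the inbound ACL entirely, so the third ACL is the only place where access from the VPN pool into 192.168.1.0/24 can be restricted to specific hosts or ports.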