Beginner

Restrict site-to-site traffic

Hi everyone,

I have a quick question (I hope): what's the best way to restrict certain protocols from passing through a site-to-site tunnel? Should I edit the ACL which is assigned to the crypto map, or should I create a new ACL and assign it to the interface?

Thanks in advance,

Ronald

Accepted Solution
Cisco Employee

Re: Restrict site-to-site traffic

Better to use an input ACL to apply the filter.

Changing the crypto ACL will make the restriction work, but it will possibly change the IPsec SA info. Besides, it needs to be changed at both ends of the IPsec tunnel.

Config reference:

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t8/feature/guide/gt_crpks.html#wp1065080
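
As an added example (not configuration from the thread or from Cisco's feature guide), this is what the accepted answer's approach looks like on an IOS router: the crypto ACL stays as it is, because it defines the IPsec proxy identities and must be mirrored on the peer, and the protocol restriction goes into a separate ACL attached to the crypto map entry. All hostnames, addresses, ACL names and cipher choices are assumptions. The crypto-map `set ip access-group` command is the one introduced with the 12.3(8)T "Crypto Access Check on Clear-Text Packets" feature the link above points to; its availability and exact syntax on your release is an assumption, so confirm it with `set ip ?` in crypto map configuration mode. On releases before that feature, the outside interface's inbound ACL was also checked against decrypted packets (the "double ACL check"), so the same filter lines went into the interface ACL together with the `permit esp`/`permit udp ... eq isakmp` entries for the peer.

```cisco
! Added example, not from the thread. Addresses, names and ciphers are assumptions.
! Local LAN 192.168.10.0/24, branch LAN 192.168.20.0/24, branch peer 203.0.113.2.

! Crypto ACL: defines the IPsec proxy identities (interesting traffic).
! Leave it at "ip"; narrowing it to single protocols changes the SA selectors and
! fails Phase 2 unless the peer's crypto ACL is changed to mirror it exactly.
ip access-list extended CRYPTO-TO-BRANCH
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255

! Filter ACL: checked against decrypted packets leaving the tunnel ("in").
! ACLs are stateless, so each allowed service needs the request direction
! (branch-initiated, first line) and the reply direction for sessions initiated
! from this side (second line). Everything else is dropped and logged.
ip access-list extended TUNNEL-FILTER-IN
 permit tcp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 443
 permit tcp 192.168.20.0 0.0.0.255 eq 443 192.168.10.0 0.0.0.255
 permit tcp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 22
 permit tcp 192.168.20.0 0.0.0.255 eq 22 192.168.10.0 0.0.0.255
 permit icmp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 echo
 permit icmp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 echo-reply
 deny ip any any log

crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp key <pre-shared-key> address 203.0.113.2

crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
 mode tunnel

crypto map MAP-BRANCH 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES
 match address CRYPTO-TO-BRANCH
 ! Filter clear-text packets after decryption (12.3(8)T feature; assumed syntax).
 set ip access-group TUNNEL-FILTER-IN in

interface FastEthernet0
 ip address 203.0.113.1 255.255.255.252
 crypto map MAP-BRANCH
```

To check that the restriction did not touch the SA, compare `show crypto ipsec sa` before and after: the local and remote ident entries should still be the two /24 networks with protocol 0 (any). `show ip access-lists TUNNEL-FILTER-IN` then shows matches accumulating on the permit lines, and `deny ip any any log` shows what the branch is sending that you did not expect.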

6 Replies
Rising star

Re: Restrict site-to-site traffic

Hi,

Is this on a router or a firewall?

If you are using a firewall you can use the vpn-filter command

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml
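
The reply above points at the firewall way of doing this. As an added example (not configuration from the thread or from the linked Cisco document), this is how a `vpn-filter` restricts a site-to-site (L2L) tunnel on an ASA; names and addresses are assumptions. Two points that bite people: with the default `sysopt connection permit-vpn`, decrypted VPN traffic bypasses the outside interface ACL, so an interface ACL does not filter it and `vpn-filter` is the right place; and a vpn-filter ACL is written from the remote peer's point of view (source = remote network, destination = local network) and the ASA applies the one ACL to both directions of the tunnel, swapping source and destination for outbound packets.

```cisco
! Added example, not from the thread. Addresses and names are assumptions.
! Local LAN 192.168.10.0/24, branch LAN 192.168.20.0/24, branch peer 203.0.113.2.

! vpn-filter ACL: source is the REMOTE network, destination is the LOCAL network.
! "eq 443" on the destination permits branch clients reaching local servers on 443.
access-list BRANCH-VPN-FILTER extended permit tcp 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0 eq 443
access-list BRANCH-VPN-FILTER extended permit tcp 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0 eq 22
! To let LOCAL clients reach BRANCH servers on 443 instead, the port goes on the
! remote (source) side, because the ASA evaluates outbound packets swapped:
access-list BRANCH-VPN-FILTER extended permit tcp 192.168.20.0 255.255.255.0 eq 443 192.168.10.0 255.255.255.0
access-list BRANCH-VPN-FILTER extended permit icmp 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
! Implicit deny at the end drops everything else entering or leaving the tunnel.

! Apply the filter through the group policy the L2L tunnel group uses.
group-policy BRANCH-L2L-GP internal
group-policy BRANCH-L2L-GP attributes
 vpn-filter value BRANCH-VPN-FILTER
 vpn-tunnel-protocol ipsec
! On ASA 8.4 and later the protocol keyword is "ikev1" instead of "ipsec".

tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 general-attributes
 default-group-policy BRANCH-L2L-GP
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key <pre-shared-key>
! On ASA 8.4 and later this is "ikev1 pre-shared-key".
```

The crypto ACL bound to the crypto map (the `match address` ACL) is untouched here, so the SA proxy identities stay the same on both peers. `show access-list BRANCH-VPN-FILTER` shows hit counts per line, and `show vpn-sessiondb l2l` confirms the tunnel came up with the group policy that carries the filter.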

Beginner

Re: Restrict site-to-site traffic

Hi Sean,

It is a 1803 ISR.

Regards,

Ronald

Advisor

Re: Restrict site-to-site traffic

Hi,

Editing the ACL attached to the crypto map will do the trick.

Regards.

Alain.

Don't forget to rate helpful posts.
Beginner

Re: Restrict site-to-site traffic

Hi Alain,

Thanks for the info. I'm gonna try that one.

Regards,

Ronald

Beginner

Re: Restrict site-to-site traffic

Hi acui,

Changing the crypto ACL did indeed result in a wrong SA. I changed it to an access-group as you referenced, and it's working perfectly. Only traffic that needs to go through the tunnel is passed; the rest is discarded.

Thanks for your help !

Regards,

Ronald