04-09-2003 09:51 AM - edited 02-21-2020 12:28 PM
I am in the process of deploying a new 3745 VPN router for LAN-to-LAN connectivity. As usual, with no training at all. My biggest concern is locking down the outside interface so that only VPN traffic is allowed, and only from the specified addresses.
Can someone supply me with a quick and dirty access list that will allow only VPN traffic to the inside hosts and also allow vendors to ping the outside interface for testing? Any and all replies are greatly appreciated.
04-09-2003 07:15 PM
Hi,
It can be something like this (IPsec = ESP):
access-list 100 permit icmp any host w.x.y.z echo
access-list 100 permit icmp any host w.x.y.z echo-reply
access-list 100 permit esp host a.b.c.d host w.x.y.z
access-list 100 permit udp host a.b.c.d host w.x.y.z eq isakmp
>>> then open up your inside LAN IPs for IPsec decrypted packet allowance
w.x.y.z = 3745 outside IP
a.b.c.d = remote VPN peer IP (placeholder; the peer address and the "eq isakmp" port keyword were cut off in the original post and are filled in here on the assumption that the UDP line is for IKE, UDP 500)
Thx
Afaq
04-10-2003 04:04 AM
Afaq,
1000 Thanks,
Dan
04-15-2003 09:30 AM
I applied the access list provided but found a problem. It seems a Cisco router will send the traffic through the access list twice: once for the encrypted traffic, then again for the decrypted traffic. I found this because after I applied the access list above, I could no longer ping across the tunnel. I added a "deny ip any any log" statement to the access list and saw that the ICMP traffic from the host on the other side was being denied, but with its real address. I opened a TAC case and they told me that this was normal behavior. So I added the decrypted traffic to the access list and all is well.
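The double pass described in the last post, worked through as an added example that is not part of the thread: a small Python model of an inbound interface ACL with IOS first-match semantics, applied once to the ESP packet from the peer and once to the decrypted inner packet with its real addresses. It is a simplified model, not IOS code. The addresses are constructed from the RFC 5737 documentation ranges and stand in for the thread's w.x.y.z (router outside IP) and a.b.c.d (remote VPN peer); the remote and inside LANs (192.168.2.0/24 and 192.168.1.0/24) are likewise assumed.

```python
"""Toy model of an interface ACL that is consulted twice on an IPsec tunnel:
once for the ESP packet, once for the decrypted inner packet.
Added example, not IOS code; all addresses below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ROUTER_OUTSIDE = "198.51.100.1"  # w.x.y.z in the thread (constructed)
REMOTE_PEER = "203.0.113.5"      # a.b.c.d, the vendor's VPN gateway (constructed)

UDP_PORTS = {"isakmp": 500, "non500-isakmp": 4500}  # subset of IOS port keywords
ICMP_TYPES = {"echo": 8, "echo-reply": 0}          # subset of IOS ICMP keywords


@dataclass
class Packet:
    proto: str                       # "esp", "udp", "icmp", "tcp"
    src: str
    dst: str
    dport: Optional[int] = None      # udp/tcp destination port
    icmp_type: Optional[int] = None


@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    src: Tuple[int, int]             # (address, wildcard mask) as 32-bit ints
    dst: Tuple[int, int]
    dport: Optional[int]
    icmp_type: Optional[int]
    log: bool


def _addr(t: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Parse 'any' | 'host A' | 'A WILDCARD' at t[i]; return (spec, next index)."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (int(ipaddress.IPv4Address(t[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(t[i])), int(ipaddress.IPv4Address(t[i + 1]))), i + 2


def parse_acl(lines: List[str]) -> List[Entry]:
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT] [ICMPTYPE] [log]'."""
    entries = []
    for line in lines:
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        dport = icmp_type = None
        log = False
        while i < len(t):
            if t[i] == "eq":
                dport = UDP_PORTS.get(t[i + 1]) or int(t[i + 1])
                i += 2
            elif t[i] in ICMP_TYPES:
                icmp_type = ICMP_TYPES[t[i]]
                i += 1
            elif t[i] == "log":
                log = True
                i += 1
            else:
                raise ValueError(f"unsupported keyword {t[i]!r} in: {line}")
        entries.append(Entry(action, proto, src, dst, dport, icmp_type, log))
    return entries


def _in_range(ip: str, spec: Tuple[int, int]) -> bool:
    """IOS wildcard-mask match: bits set in the wildcard are don't-care bits."""
    addr, wildcard = spec
    return (((int(ipaddress.IPv4Address(ip)) ^ addr) & ~wildcard) & 0xFFFFFFFF) == 0


def evaluate(acl: List[Entry], pkt: Packet) -> Tuple[str, Optional[Entry]]:
    """First matching entry wins; an ACL ends with an implicit 'deny ip any any'."""
    for e in acl:
        if e.proto not in ("ip", pkt.proto):
            continue
        if not (_in_range(pkt.src, e.src) and _in_range(pkt.dst, e.dst)):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        if e.icmp_type is not None and e.icmp_type != pkt.icmp_type:
            continue
        return e.action, e
    return "deny", None


def tunnel_inbound(acl: List[Entry], outer: Packet, inner: Packet) -> Tuple[str, str]:
    """The behaviour the poster hit: the ACL sees the ESP packet first, then the
    decrypted inner packet with its real source and destination."""
    outer_verdict, _ = evaluate(acl, outer)
    if outer_verdict == "deny":
        return outer_verdict, "not-decrypted"
    return outer_verdict, evaluate(acl, inner)[0]


# The ACL from the thread, with the 'deny ip any any log' the poster added for diagnosis.
VPN_ONLY = [
    f"access-list 100 permit icmp any host {ROUTER_OUTSIDE} echo",
    f"access-list 100 permit icmp any host {ROUTER_OUTSIDE} echo-reply",
    f"access-list 100 permit esp host {REMOTE_PEER} host {ROUTER_OUTSIDE}",
    f"access-list 100 permit udp host {REMOTE_PEER} host {ROUTER_OUTSIDE} eq isakmp",
    "access-list 100 deny ip any any log",
]
# The fix: permit the cleartext remote-LAN -> inside-LAN traffic ahead of the final deny.
DECRYPTED_ALLOWED = VPN_ONLY[:-1] + [
    "access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255",
    VPN_ONLY[-1],
]
ESP_FROM_PEER = Packet("esp", REMOTE_PEER, ROUTER_OUTSIDE)
PING_ACROSS_TUNNEL = Packet("icmp", "192.168.2.10", "192.168.1.10", icmp_type=8)


def demo() -> dict:
    """(outer verdict, inner verdict) for both ACLs on the same tunnelled ping."""
    return {
        "vpn_only": tunnel_inbound(parse_acl(VPN_ONLY), ESP_FROM_PEER, PING_ACROSS_TUNNEL),
        "with_decrypted": tunnel_inbound(parse_acl(DECRYPTED_ALLOWED), ESP_FROM_PEER, PING_ACROSS_TUNNEL),
    }


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name}: ESP {verdicts[0]}, decrypted ping {verdicts[1]}")
```

With VPN_ONLY the ESP packet is permitted but the decrypted ping is caught by the final deny, which is exactly the logged entry with the "real" source address the poster saw; with DECRYPTED_ALLOWED both passes permit. Keep the cleartext permit as narrow as the crypto ACL on the peer (the two LAN ranges), and leave the logging deny in place: it is what makes a misconfigured peer or an unexpected inner address visible. Later IOS releases changed this behaviour so that decrypted packets are no longer rechecked against the interface ACL, so confirm against the release notes for the IOS version on the router rather than assuming either behaviour.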