06-07-2006 05:36 AM - edited 02-21-2020 02:27 PM
Configuring site-to-site VPN on 2821. Remote endpoint is 7206. On 2821, have 2 active interfaces, serial facing the ISP and Ethernet facing LAN. Tunnel endpoint on 2821 is terminating on LAN-facing Ethernet interface. Question is this: do I need to create inbound ACLs on the 2821 serial interface permitting those networks transiting the tunnel into the 2821, or can I just permit the remote endpoint's IP address? Thanks in advance.
06-09-2006 10:52 AM
Hi,
What you need is to define ACL (for interesting traffic) that will trigger the VPN tunnel.
Specify your LAN IP/subnet/network in the ACL and permit it to access/reach remote LAN/network on the peer VPN router.
Other than that, you only need to ensure your router, via its serial interface, is able to reach remote router serial. Check the routing as well.
Unless you have an ACL on your serial, in which case you need to add the remote router's serial to come in.
Rgds,
AK
06-09-2006 10:56 AM
Check the sample configuration from the following urls:
Rgds,
AK
06-11-2006 01:26 PM
AK
You have given a good explanation about the function of ACL in controlling IPSec VPN and identifying traffic to be protected by the VPN. But as I read the original post I am not sure that is what was being asked about. I believe that the original question wants to know that if an access list is being configured inbound on the serial interface what does it need to permit for the VPN to work. In particular I think it wants to know whether the source and destination networks (LANs) need to be permitted or just the peer address. If that is the correct understanding then the answer is just the IPSec peer addresses need to be specified in the inbound ACL.
HTH
Rick
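As an added illustration of the two ACLs discussed in this thread (AK's crypto ACL for interesting traffic and Rick's inbound interface ACL that only needs the IPsec peer), here is an IOS configuration fragment. It is not from any poster; all addresses, names and the pre-shared key are placeholders, and it assumes the tunnel terminates on the serial address (if your endpoint is the Ethernet address, as in the original post, use that address as the destination host in OUTSIDE-IN).

```cisco
! Added example, not part of the thread. Placeholder addressing:
!   local tunnel endpoint 203.0.113.1, remote peer 198.51.100.1
!   local LAN 192.168.10.0/24, remote LAN 192.168.20.0/24
!
! Crypto ACL: the "interesting traffic" that triggers and is protected
! by the tunnel (LAN to LAN, plain IP, no ports)
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
! Inbound ACL on the ISP-facing serial: only the IPsec control and data
! traffic from the peer address is needed, not the remote LAN subnets.
! udp/500 = IKE, udp/4500 = IKE/ESP with NAT-T, protocol 50 = ESP.
ip access-list extended OUTSIDE-IN
 permit udp host 198.51.100.1 host 203.0.113.1 eq isakmp
 permit udp host 198.51.100.1 host 203.0.113.1 eq non500-isakmp
 permit esp host 198.51.100.1 host 203.0.113.1
 deny ip any any log
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-PSK address 198.51.100.1
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address VPN-TRAFFIC
!
interface Serial0/0/0
 ip address 203.0.113.1 255.255.255.252
 ip access-group OUTSIDE-IN in
 crypto map VPN-MAP
```

After bringing up the tunnel, `show crypto isakmp sa` and `show crypto ipsec sa` confirm the negotiation, and `show ip access-lists OUTSIDE-IN` shows hit counts on the peer entries while the logging deny line reveals anything else knocking on the serial interface.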