Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
487
Views
0
Helpful
3
Replies

ACL VPN question

Go to solution
brianj
Level 1
Level 1

‎12-30-2004 08:17 AM

I have two questions concerning ACL's used in the Crypto map statements:

1. Do both VPN devices have to have the same ACE's within the ACL? I know that without the second ACE site B below will not see udp traffic as interesting but will the vpn tunnel fail because the ACL's don't have the same ACE's?

ie..

Site A

Access-list 110 permit tcp 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0

Access-list 110 permit udp 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0

Site B

Access-list 110 permit tcp 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0

2. Once a tunnel is established will it send ANY/ALL traffic destined to the remote network across that tunnel. If the first ACE in the 110 ACL for Site A is used to bring up the tunnel, will only tcp traffic sourced from 10.0.1.0/24 destined for 10.0.2.0/24 use the tunnel or will any traffic sourced from 10.0.1.0/24 destined for the remote network cross the tunnel?

I guess my thought is this. Is the ACL used only to determine interesting traffic and once the tunnel is up it is a free for all. Or does the ACL only allow traffic that meets the criteria specified in the ACL to flow after the tunnel is established?

Thanks,

Brian

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
jmia
Level 7
Level 7

‎12-30-2004 09:08 AM

Brian,

Your statement

"Or does the ACL only allow traffic that meets the criteria specified in the ACL to flow after the tunnel is established"

Is correct, Only traffic that meets the crypto ACL will pass through the vpn tunnel and any other traffic will be denied. If you need UDP traffic to traverse via the tunnel you'll need crypto ACLs on both side and not just on one side, i.e. SITE A.

Hope this helps,

Jay

View solution in original post

0 Helpful
3 Replies 3

Go to solution
jmia
Level 7
Level 7

‎12-30-2004 09:08 AM

Brian,

Your statement

"Or does the ACL only allow traffic that meets the criteria specified in the ACL to flow after the tunnel is established"

Is correct, Only traffic that meets the crypto ACL will pass through the vpn tunnel and any other traffic will be denied. If you need UDP traffic to traverse via the tunnel you'll need crypto ACLs on both side and not just on one side, i.e. SITE A.

Hope this helps,

Jay

0 Helpful

Go to solution
brianj
Level 1
Level 1
In response to jmia

‎12-30-2004 09:29 AM

Jay,

Thanks for the response and help.

Brian

0 Helpful

Go to solution
cscott
Level 1
Level 1
In response to brianj

‎01-03-2005 11:51 AM

Brian,

To follow up your second question.

In regards to tcp traffic being what initiates the tunnel from site A to site B, TCP traffic will not be the only thing allowed over that particular tunnel. Since you have also allowed UDP traffic via the same crypto ACL, it will also be allowed over the tunnel. However, my understanding is that a separate security association (SA) will be created for each entry matched in the crypto ACL. So if you have a very long crypto ACL, you might want to avoid the multiple SA's and create a 'permit any' statement then filter out what you dont want across the tunnel with an ACL applied to the internal interface.

HTH

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents