Apply ACL to VPN Tunnel

reginaldjohnson
Level 1

I am stuck on an internet border router issue. I recently installed a Cisco 1920 router with IOS version 15.0 for a new mobile-in-the-field project. I have Cox as my ISP and Verizon (VPN) as the service provider for my mobile devices in the field. I have an on-premise server that will collect the data sent from the mobile devices; it sits behind the inside interface of the internet border router. It took about a week for me to realize that the mobile devices in the field could not send data to the internal server because the VPN ACL had to be modified to permit the private IP addresses of the mobile devices over the VPN tunnel.
My mobile devices can send data to the on-premise server and access the internet.
When I apply an ACL to the outside interface of my router, the mobile devices' communication over the VPN is dropped. Cisco best practices suggest applying an ACL to the outside interface of the border router. How can I apply an inbound ACL to the outside interface of my border router without dropping communication on the VPN tunnel?


interface Tunnel1
description GRE Tunnel to Verizon Wireless
ip address 192.168.100.1 255.255.255.252
ip nat inside
ip virtual-reassembly in
tunnel source 198.200.200.1
tunnel destination 208.155.100.108

interface GigabitEthernet0/0
description outside link to VZW VPN
ip address 198.200.200.1 255.255.255.240
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
no ip route-cache
duplex auto
speed auto
crypto map VZW_VPNTUNNEL
!
interface GigabitEthernet0/1
ip address 192.168.18.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
router bgp 85505
bgp log-neighbor-changes
neighbor 192.168.100.1 remote-as 8167
neighbor 192.168.100.1 default-originate
neighbor 192.168.100.5 remote-as 8167
neighbor 192.168.100.5 default-originate route-map prepend
!
ip default-gateway 198.200.200.2
ip forward-protocol nd
!
ip nat inside source list 25 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 198.200.200.2
ip route 192.168.18.0 255.255.255.0 GigabitEthernet0/1


ip access-list extended VZW_VPN
permit gre host 198.200.200.1 host 208.155.100.108
permit icmp host 198.200.200.1 host 208.155.100.108
permit udp host 198.200.200.1 host 208.155.100.108 eq isakmp
permit esp host 198.200.200.1 host 208.155.100.108
deny icmp any any log
permit icmp 172.16.12.0 0.0.0.255 host 192.168.18.12
permit tcp 172.16.16.0 0.0.0.255 eq www host 192.168.18.12
permit tcp 172.16.16.0 0.0.0.255 eq 6080 host 192.168.18.12
permit tcp 172.16.16.0 0.0.0.255 eq 443 host 198.200.200.1
permit icmp 172.16.16.0 0.0.0.255 host 192.168.18.12
deny ip any any
!
access-list 25 permit 172.16.16.0 0.0.0.255
access-list 25 permit 172.16.12.0 0.0.0.255 log


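The post asks how an inbound ACL on Gi0/0 can coexist with the GRE-over-IPsec tunnel. The point worth checking is the direction of the endpoint permits: an ACL applied with `ip access-group VZW_VPN in` on Gi0/0 sees packets whose source is the Verizon peer and whose destination is the router's own outside address, while the posted entries are written with 198.200.200.1 as the source, so inbound ISAKMP, ESP and GRE fall through to `deny ip any any`. A second, smaller point is that `deny icmp any any log` sits before the two ICMP permits for 172.16.x, which can therefore never match. The block below is an added example written for this thread; it is not code from the original post or any Cisco tool. It is a small evaluator for the IOS extended-ACL subset used in VZW_VPN, run against the list exactly as posted and against a corrected version, with constructed sample inbound packets. The addresses are the ones in the post; it assumes the IPsec peer is the GRE tunnel destination 208.155.100.108 (the crypto map itself is not shown) and that UDP 4500 is only needed if NAT-T is negotiated.

```python
"""IOS extended-ACL evaluator (first match wins) for the VZW_VPN entries above.
Added example for this thread, not part of the post or any Cisco tool. It
assumes the IPsec peer is the GRE tunnel destination 208.155.100.108 (the
crypto map is not shown); the other addresses are the ones in the post."""
import ipaddress

NAMED_PORTS = {"isakmp": 500, "non500-isakmp": 4500, "www": 80}

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _parse_side(tokens):
    """Consume 'any' | 'host A' | 'A wildcard' [eq port] -> (addr, wildcard, port)."""
    tok = tokens.pop(0)
    if tok == "any":
        addr, wildcard = 0, 0xFFFFFFFF
    elif tok == "host":
        addr, wildcard = _ip(tokens.pop(0)), 0
    else:
        addr, wildcard = _ip(tok), _ip(tokens.pop(0))
    port = None
    if tokens and tokens[0] == "eq":
        name = tokens[1]
        del tokens[:2]
        port = NAMED_PORTS[name] if name in NAMED_PORTS else int(name)
    return addr, wildcard, port

def parse_acl(text):
    """Return [(action, proto, src, dst, line)] in configured order."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("ip", "!"):  # list header or comment line
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, dst = _parse_side(rest), _parse_side(rest)  # a trailing 'log' is ignored
        rules.append((action, proto, src, dst, line))
    return rules

def _side_matches(side, addr, port):
    a, wildcard, p = side
    # A 1 bit in an IOS wildcard means "don't care": compare only the 0 bits.
    return (addr | wildcard) == (a | wildcard) and (p is None or p == port)

def evaluate(rules, proto, src, dst, sport=None, dport=None):
    """Action of the first matching entry; every ACL ends in an implicit deny."""
    for action, rproto, rsrc, rdst, line in rules:
        if (rproto in ("ip", proto) and _side_matches(rsrc, _ip(src), sport)
                and _side_matches(rdst, _ip(dst), dport)):
            return action, line
    return "deny", "implicit deny"

def shadowed(rules):
    """Entries that can never match because an earlier entry already covers them."""
    def covers(e, l):  # e's fixed address bits and port are a subset of l's
        return (e[1] | l[1]) == e[1] and (e[0] | e[1]) == (l[0] | e[1]) and e[2] in (None, l[2])
    return [line for i, (_, proto, src, dst, line) in enumerate(rules)
            if any(ep in ("ip", proto) and covers(es, src) and covers(ed, dst)
                   for _, ep, es, ed, _ in rules[:i])]

# The list exactly as posted: endpoint permits are written router -> peer.
POSTED_ACL = """
permit gre host 198.200.200.1 host 208.155.100.108
permit icmp host 198.200.200.1 host 208.155.100.108
permit udp host 198.200.200.1 host 208.155.100.108 eq isakmp
permit esp host 198.200.200.1 host 208.155.100.108
deny icmp any any log
permit icmp 172.16.12.0 0.0.0.255 host 192.168.18.12
permit tcp 172.16.16.0 0.0.0.255 eq www host 192.168.18.12
permit tcp 172.16.16.0 0.0.0.255 eq 6080 host 192.168.18.12
permit tcp 172.16.16.0 0.0.0.255 eq 443 host 198.200.200.1
permit icmp 172.16.16.0 0.0.0.255 host 192.168.18.12
deny ip any any
"""

# Our corrected list for 'ip access-group VZW_VPN in' on Gi0/0: inbound, the
# source is the peer and the destination is the router's own outside address.
# Inner 172.16.x traffic is received on Tunnel1 after GRE decapsulation, so
# this list never sees it. UDP 4500 only matters if NAT-T is used (assumption).
CORRECTED_ACL = """
permit udp host 208.155.100.108 host 198.200.200.1 eq isakmp
permit udp host 208.155.100.108 host 198.200.200.1 eq non500-isakmp
permit esp host 208.155.100.108 host 198.200.200.1
permit gre host 208.155.100.108 host 198.200.200.1
permit icmp host 208.155.100.108 host 198.200.200.1
deny ip any any log
"""

# Constructed sample of what really arrives inbound on Gi0/0 from the peer.
INBOUND_FROM_PEER = [  # (proto, src, dst, sport, dport)
    ("udp", "208.155.100.108", "198.200.200.1", 500, 500),
    ("esp", "208.155.100.108", "198.200.200.1", None, None),
    ("gre", "208.155.100.108", "198.200.200.1", None, None),
]

def verdicts(acl_text):
    """Map each sample inbound packet's protocol to the ACL action it hits."""
    rules = parse_acl(acl_text)
    return {pkt[0]: evaluate(rules, *pkt)[0] for pkt in INBOUND_FROM_PEER}
```

`verdicts(POSTED_ACL)` returns deny for all three tunnel protocols and `shadowed(parse_acl(POSTED_ACL))` lists the two unreachable ICMP permits; `verdicts(CORRECTED_ACL)` permits them. On the box the same thing can be confirmed with `show ip access-lists VZW_VPN`: with the posted list applied inbound, the hit counter on `deny ip any any` climbs while the GRE/ESP/ISAKMP permits stay at zero. If the mobile devices' 172.16.x addresses need filtering, that belongs in a separate ACL applied inbound on `interface Tunnel1`, where that traffic is actually received.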