379 Views | 0 Helpful | 1 Reply

cisco access list - help

akapatos
Level 1

Hello everybody!!

I am new to networking, so my question is a bit naive, I think... anyway :) There is a router in my company that is connected over a VPN to another, distant Cisco router. I don't understand how these access lists work...

ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
no ip http secure-server
!
ip dns server
ip nat inside source route-map TRAFFICOUT interface Dialer0 overload
ip nat inside source static tcp 192.168.5.1 23 79.129.15.30 2300 extendable
ip nat inside source static tcp 192.168.100.2 6000 79.129.15.30 6000 extendable
ip nat inside source static udp 192.168.100.2 6000 79.129.15.30 6000 extendable
!
access-list 110 deny ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 110 deny ip 192.168.5.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 110 permit ip 192.168.5.0 0.0.0.255 any
access-list 110 deny ip 192.168.10.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 110 deny ip 192.168.10.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 110 permit ip 192.168.10.0 0.0.0.255 any
access-list 110 deny ip 192.168.15.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 110 deny ip 192.168.15.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 110 permit ip 192.168.15.0 0.0.0.255 any
access-list 110 deny ip 192.168.20.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 110 deny ip 192.168.20.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 110 permit ip 192.168.20.0 0.0.0.255 any
access-list 110 deny ip 192.168.100.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 110 deny ip 192.168.100.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 110 permit ip 192.168.100.0 0.0.0.255 any
access-list 140 remark - VPN TRAFFIC TO A
access-list 140 permit ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 140 permit ip 192.168.10.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 140 permit ip 192.168.15.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 140 permit ip 192.168.20.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 140 permit ip 192.168.100.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 150 remark - VPN TRAFFIC TO AE
access-list 150 permit ip 192.168.5.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 150 permit ip 192.168.15.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 150 permit ip 192.168.20.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 150 permit ip 192.168.100.0 0.0.0.255 192.168.7.0 0.0.0.255
dialer-list 1 protocol ip permit

192.168.5.0, 192.168.10.0, 192.168.15.0 and 192.168.100.0 are VLANs in my network, and 192.168.7.0 is the LAN behind the distant router... 192.168.6.0 is another VPN, but it's not what's bothering me now..

can you give me some help?

thanks in advance

1 Reply

JP Miranda Z
Cisco Employee

Hi akapatos,

ACL 110 works as NAT exemption: by using this type of NAT you can send the traffic through the tunnel without NATting it to your public IP. That is why you have that ACL applied to the route map used for the following NAT:

ip nat inside source route-map TRAFFICOUT interface Dialer0 overload

This nat is giving you internet access and also making sure your VPN traffic can go through the VPN tunnel.

The other two ACLs (140 and 150) are the encryption domains, or "interesting traffic": that is the traffic you are allowing to go through the VPN tunnel.

This link explains the site-to-site configuration on routers really well:

http://www.cisco.com/c/en/us/support/docs/cloud-systems-management/configuration-professional/113337-ccp-vpn-routerA-routerB-config-00.html

Hope this info helps!!

Rate if it helps you!

-JP-
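To make the reply above concrete, here is an added example (not part of the thread, and not Cisco code) that evaluates the access lists exactly as posted in the question the way IOS does: first matching entry wins, implicit deny at the end, Cisco wildcard masks where a 1 bit means "don't care". It classifies a flow as "permitted by ACL 110, so NATted out Dialer0 via route-map TRAFFICOUT", "denied by ACL 110 and matched by crypto ACL 140 or 150, so sent un-NATted into the tunnel", or neither. The last case is the check a practitioner wants: a flow that ACL 110 exempts from NAT but that no crypto ACL matches would leave the router with its private source address and outside any tunnel. With the ACLs as posted, the check reports 192.168.10.0 to 192.168.7.0: ACL 110 denies (exempts) it, but ACL 150 has no entry for 192.168.10.0. The thread does not show the crypto map or say whether that omission is intentional, so treat the finding as something to confirm, not as a diagnosis. The CONFIG string is a copy of the question's access-list lines; the test IPs in the usage section are made up.

```python
"""Added example: evaluate the question's ACLs with IOS semantics (not Cisco code)."""
import ipaddress
import re

# Copy of the access-list lines posted in the question (constructed input).
CONFIG = """\
access-list 110 deny ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 110 deny ip 192.168.5.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 110 permit ip 192.168.5.0 0.0.0.255 any
access-list 110 deny ip 192.168.10.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 110 deny ip 192.168.10.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 110 permit ip 192.168.10.0 0.0.0.255 any
access-list 110 deny ip 192.168.15.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 110 deny ip 192.168.15.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 110 permit ip 192.168.15.0 0.0.0.255 any
access-list 110 deny ip 192.168.20.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 110 deny ip 192.168.20.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 110 permit ip 192.168.20.0 0.0.0.255 any
access-list 110 deny ip 192.168.100.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 110 deny ip 192.168.100.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 110 permit ip 192.168.100.0 0.0.0.255 any
access-list 140 remark - VPN TRAFFIC TO A
access-list 140 permit ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 140 permit ip 192.168.10.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 140 permit ip 192.168.15.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 140 permit ip 192.168.20.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 140 permit ip 192.168.100.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 150 remark - VPN TRAFFIC TO AE
access-list 150 permit ip 192.168.5.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 150 permit ip 192.168.15.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 150 permit ip 192.168.20.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 150 permit ip 192.168.100.0 0.0.0.255 192.168.7.0 0.0.0.255
"""

# Numbered extended ACE: "access-list N permit|deny ip SRC DST", SRC/DST = "any" or "addr wildcard".
ACE_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+ip\s+(any|\S+\s+\S+)\s+(any|\S+\s+\S+)\s*$")


def parse_match(token):
    """'any' or 'addr wildcard' -> (address_int, wildcard_int)."""
    if token == "any":
        return 0, 0xFFFFFFFF
    addr, wildcard = token.split()
    return int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wildcard))


def parse_acls(text):
    """Group ACEs by ACL number; remark lines and non-ACL lines are skipped."""
    acls = {}
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            number, action, src, dst = m.groups()
            acls.setdefault(int(number), []).append((action, parse_match(src), parse_match(dst)))
    return acls


def matches(ip, match):
    """Cisco wildcard semantics: bits set to 1 in the wildcard are not compared."""
    addr, wildcard = match
    return (int(ipaddress.IPv4Address(ip)) | wildcard) == (addr | wildcard)


def acl_action(acl, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, s, d in acl:
        if matches(src, s) and matches(dst, d):
            return action
    return "deny"


def classify(acls, src, dst):
    """What the posted router does with a flow src -> dst, per the reply's explanation."""
    if acl_action(acls[110], src, dst) == "permit":
        return "NAT to Dialer0 (Internet)"           # route-map TRAFFICOUT matched
    if acl_action(acls[140], src, dst) == "permit":
        return "no NAT, encrypted to A"              # crypto ACL 140
    if acl_action(acls[150], src, dst) == "permit":
        return "no NAT, encrypted to AE"             # crypto ACL 150
    return "no NAT and no tunnel: forwarded with private source, unencrypted"


def nat_exempt_without_tunnel(acls):
    """Deny (exempt) entries of ACL 110 that neither crypto ACL covers."""
    gaps = []
    for action, s, d in acls[110]:
        if action != "deny":
            continue
        src, dst = str(ipaddress.IPv4Address(s[0])), str(ipaddress.IPv4Address(d[0]))
        if all(acl_action(acls[n], src, dst) != "permit" for n in (140, 150)):
            gaps.append((src, dst))
    return gaps


if __name__ == "__main__":
    acls = parse_acls(CONFIG)
    for flow in [("192.168.5.10", "8.8.8.8"), ("192.168.5.10", "192.168.7.20"), ("192.168.10.5", "192.168.7.20")]:
        print(f"{flow[0]} -> {flow[1]}: {classify(acls, *flow)}")
    print("NAT-exempt but in no crypto ACL:", nat_exempt_without_tunnel(acls))
```

Run it as-is to see the three classifications and the gap report. To reuse it on another router, paste that router's `access-list` lines into CONFIG and point `classify` and `nat_exempt_without_tunnel` at the ACL numbers its route-map and crypto map reference; the numbers 110, 140 and 150 are specific to the configuration in this thread.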