04-08-2022 11:16 AM - edited 04-08-2022 11:17 AM
Dear Community,
I did some research on Google but couldn't find an answer. I established a normal IPsec site-to-site VPN on a Cisco router, and everything is working fine. But I only want port tcp/3389 allowed through the VPN. How can I realize this? Where do I have to put an ACL? Thank you
04-08-2022 11:32 AM
@ZeroC on the router you can put the ACL on the LAN interface: permit tcp/3389 to the remote VPN host, deny all other traffic to the remote VPN network, then permit all other traffic (to allow access to the internet etc.).
04-08-2022 11:36 AM
Thank you. Do I need to put this as an inbound ACL on vlan1? ACL: permit lan 3389 -> vpn lan; deny any vpn lan; permit ip any any
04-08-2022 11:39 AM
@ZeroC yes, inbound on whatever is your internal VLAN, but it would be destination tcp/3389; the source would usually be a random tcp port.
Something like this:
ip access-list extended VPN-ACL
permit tcp LAN MASK VPN MASK eq 3389
deny ip LAN MASK VPN MASK
permit ip any any
04-08-2022 11:44 AM
No need for an ACL under the SVI.
Use:
crypto map name
set access-group name in/out
This way you filter the traffic through the VPN.
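A worked configuration for the two approaches discussed in this thread, added here as an example (it is not from any of the posters). The local LAN 10.1.1.0/24, remote LAN 10.2.2.0/24, RDP host 10.2.2.10 and the crypto map name are constructed placeholders:

```cisco
! Added example, not from the thread. Constructed addresses:
!   local LAN      10.1.1.0/24  (behind interface Vlan1)
!   remote VPN LAN 10.2.2.0/24
!   RDP host       10.2.2.10
!
! Option A (first answer): filter on the LAN-facing SVI.
ip access-list extended VPN-ACL
 remark allow RDP from the local LAN only to the remote RDP host
 permit tcp 10.1.1.0 0.0.0.255 host 10.2.2.10 eq 3389
 remark drop and log everything else destined for the remote VPN LAN
 deny   ip  10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255 log
 remark leave internet and other traffic untouched
 permit ip any any
!
interface Vlan1
 ip access-group VPN-ACL in
!
! Note: an inbound ACL on Vlan1 only inspects packets arriving from the
! local LAN. Connections initiated from the remote site toward 10.1.1.0/24
! enter through the WAN interface and are not matched by this ACL.
!
! Option B (second answer): attach the ACL to the crypto map instead of
! the SVI. "out" filters LAN traffic before it is encrypted; an "in" ACL
! with source and destination swapped would filter decrypted traffic
! coming from the remote site. CRYPTO-MAP-NAME / 10 are placeholders for
! the existing crypto map entry.
crypto map CRYPTO-MAP-NAME 10 ipsec-isakmp
 set ip access-group VPN-ACL out
!
! Verification: hit counters show whether the permit and deny lines match.
show ip access-lists VPN-ACL
show ip interface Vlan1 | include access list
```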