cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
701
Views
0
Helpful
4
Replies

Cisco Router Site- to Site IPSEC VPN AccessLists

ZeroC
Level 1
Level 1

Dear Community,ACL, VPN

 

i did some research on google but couldnt find an answer. I establish a normal IPSEC site- to site VPN on a Cisco Router. everything is working fine. But I only want port tcp/3389 allowed through the vpn. How can I realize this, where do I have to put an ACL? Thank you 

4 Replies 4

@ZeroC on the router you can put the ACL on the LAN interface, permit tcp/3389 to the remote VPN host, deny all other traffic to the remote VPN network, then permit all other traffic (to allow access to the internet etc).

thank you do i need to put this as a inboud acl on vlan1? acl: permit lan 3389 -> vpn lan ; deny any vpn lan ; permit ip any any 

@ZeroC yes inbound on whatever is your internal VLAN, but it would be destination tcp/3389, source would usually be random tcp port.

 

Something like this:

 

ip access-list extended VPN-ACL

 permit tcp LAN MASK VPN MASK eq 3389

 deny ip LAN MASK VPN MASK

 permit ip any any

No need acl under svi,

Use 

Crypto map name 

Set access-group name in/out 

 

This way filter traffic through vpn.