06-27-2013 07:22 AM
I have a Cisco 860 which has an IPSec tunnel to a DLINK router at a remote location.
Subnet A (Cisco) is 192.168.99.0/24
Subnet B (DLINK) is 192.168.1.0/24
The tunnel is stable and functions fine.
What I am trying to achieve is to restrict IP traffic from both subnets. I have tried the access-list 104 and also access-list 105 (though obviously I didn't think 105 would affect anything as this simply defines what is classed as VPN traffic).
Below is my Cisco config but what is best practice / method to restrict VPN IP traffic? (both ways).
Thank you in advance
---------------------------
Building configuration...
Current configuration : 13326 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco860
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
!
no aaa new-model
clock timezone London 0
clock summer-time London date Mar 30 2003 1:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-121479842
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-121479842
revocation-check none
rsakeypair TP-self-signed-121479842
!
!
**Certificate data removed**
quit
ip source-route
ip port-map user-protocol--1 port tcp 3389
ip port-map user-protocol-M24C6 port tcp 8006
ip port-map user-protocol-M24C5 port tcp 8005
ip port-map user-protocol-M24C4 port tcp 8004
ip port-map user-protocol-M24C3 port tcp 8003
ip port-map user-protocol-M24C2 port tcp 8002
ip port-map user-protocol-M24C1 port tcp 8001
ip port-map user-protocol--EDI port tcp 9080
!
!
ip cef
ip inspect name CCP_LOW cuseeme
ip inspect name CCP_LOW dns
ip inspect name CCP_LOW ftp
ip inspect name CCP_LOW h323
ip inspect name CCP_LOW sip
ip inspect name CCP_LOW https
ip inspect name CCP_LOW icmp
ip inspect name CCP_LOW imap
ip inspect name CCP_LOW pop3
ip inspect name CCP_LOW rcmd
ip inspect name CCP_LOW realaudio
ip inspect name CCP_LOW rtsp
ip inspect name CCP_LOW sqlnet
ip inspect name CCP_LOW streamworks
ip inspect name CCP_LOW tftp
ip inspect name CCP_LOW tcp
ip inspect name CCP_LOW udp
ip inspect name CCP_LOW vdolive
no ip domain lookup
ip domain name addomain.local
!
!
!
!
username administrator privilege 15 secret 5 secret
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key 1234567890 address 213.1.1.223
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to213.1.1.223
set peer 213.1.1.223
set transform-set ESP-3DES-SHA
match address 105
!
archive
log config
hidekeys
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
ip address 66.55.33.75 255.255.255.248 secondary
ip address 66.55.33.76 255.255.255.248 secondary
ip address 66.55.33.74 255.255.255.248
ip access-group 104 in
ip verify unicast reverse-path
ip inspect CCP_LOW out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
ip address 192.168.99.249 255.255.255.0
ip access-group 103 in
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 66.55.33.73
ip route 192.168.0.0 255.255.255.0 192.168.99.248
ip route 192.168.2.0 255.255.255.0 192.168.99.248
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source static tcp 192.168.99.250 25 interface FastEthernet4 25
ip nat inside source static tcp 192.168.99.252 9080 interface FastEthernet4 9080
ip nat inside source static tcp 192.168.99.250 3389 interface FastEthernet4 3390
ip nat inside source static tcp 192.168.99.250 443 interface FastEthernet4 443
ip nat inside source static tcp 192.168.99.192 3389 interface FastEthernet4 3391
ip nat inside source static tcp 192.168.99.231 8001 interface FastEthernet4 8001
ip nat inside source static tcp 192.168.99.232 8002 interface FastEthernet4 8002
ip nat inside source static tcp 192.168.99.233 8003 interface FastEthernet4 8003
ip nat inside source static tcp 192.168.99.234 8004 interface FastEthernet4 8004
ip nat inside source static tcp 192.168.99.230 8100 interface FastEthernet4 8100
ip nat inside source static tcp 192.168.99.235 8005 interface FastEthernet4 8005
ip nat inside source static tcp 192.168.99.236 8006 interface FastEthernet4 8006
ip nat inside source static tcp 192.168.99.13 3389 interface FastEthernet4 3389
ip nat inside source static tcp 192.168.99.252 1723 interface FastEthernet4 1723
ip nat inside source static tcp 192.168.99.75 3389 interface FastEthernet4 3392
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.0.103 25 66.55.33.75 25 extendable
ip nat inside source static tcp 192.168.0.103 443 66.55.33.75 443 extendable
ip nat inside source static tcp 192.168.0.105 3389 66.55.33.75 3389 extendable
ip nat inside source static tcp 192.168.0.100 3389 66.55.33.75 3390 extendable
ip nat inside source static tcp 192.168.0.106 3389 66.55.33.75 3391 extendable
ip nat inside source static tcp 192.168.2.2 3389 66.55.33.76 3389 extendable
!
ip access-list extended Cameras
remark CCP_ACL Category=128
permit ip any host 192.168.99.231
permit ip any host 192.168.99.232
permit ip any host 192.168.99.233
permit ip any host 192.168.99.234
permit ip any host 192.168.99.235
permit ip any host 192.168.99.236
ip access-list extended EDITraffic
remark CCP_ACL Category=128
permit ip any host 192.168.99.252
ip access-list extended HTTPSTraffic
remark CCP_ACL Category=128
permit ip any host 192.168.99.250
permit ip any host 192.168.0.103
ip access-list extended MailProtector
remark CCP_ACL Category=128
permit ip 195.90.96.0 0.0.1.255 host 192.168.99.250
permit ip 195.90.96.0 0.0.1.255 host 192.168.0.103
permit ip host 217.45.118.145 host 192.168.99.250
permit ip host 217.45.118.145 host 192.168.0.103
ip access-list extended PPTPTraffic
remark CCP_ACL Category=128
permit ip any host 192.168.99.252
ip access-list extended SMTP
remark CCP_ACL Category=128
permit ip host 217.123.118.123 host 192.168.99.2
!
access-list 23 remark CCP_ACL Category=16
access-list 23 permit 217.123.118.123
access-list 23 permit 192.168.99.0 0.0.0.255
access-list 23 permit any
access-list 100 remark CCP_ACL Category=16
access-list 100 remark IPSec Rule
access-list 100 deny ip 192.168.99.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 remark Elland
access-list 100 permit ip 192.168.99.0 0.0.0.255 any
access-list 100 remark Dudley
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 remark Harrogate
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.99.13
access-list 102 permit ip any host 192.168.99.250
access-list 102 permit ip any host 192.168.99.192
access-list 102 permit ip any host 192.168.2.2
access-list 102 permit ip any host 192.168.0.105
access-list 102 permit ip any host 192.168.0.100
access-list 102 permit ip any host 192.168.0.106
access-list 102 permit ip any host 192.168.99.75
access-list 103 remark auto generated by CCP firewall configuration
access-list 103 remark CCP_ACL Category=1
access-list 103 permit tcp 192.168.99.0 0.0.0.255 host 192.168.99.249 eq telnet
access-list 103 permit tcp 192.168.99.0 0.0.0.255 host 192.168.99.249 eq 22
access-list 103 permit tcp 192.168.99.0 0.0.0.255 host 192.168.99.249 eq www
access-list 103 permit tcp 192.168.99.0 0.0.0.255 host 192.168.99.249 eq 443
access-list 103 permit tcp 192.168.99.0 0.0.0.255 host 192.168.99.249 eq cmd
access-list 103 deny tcp any host 192.168.99.249 eq telnet
access-list 103 deny tcp any host 192.168.99.249 eq 22
access-list 103 deny tcp any host 192.168.99.249 eq www
access-list 103 deny tcp any host 192.168.99.249 eq 443
access-list 103 deny tcp any host 192.168.99.249 eq cmd
access-list 103 deny udp any host 192.168.99.249 eq snmp
access-list 103 deny ip 66.55.33.72 0.0.0.7 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark auto generated by CCP firewall configuration
access-list 104 remark CCP_ACL Category=1
access-list 104 permit tcp host 217.45.118.145 host 66.55.33.74 eq telnet
access-list 104 permit tcp host 217.45.118.145 host 66.55.33.74 eq 22
access-list 104 permit tcp host 217.45.118.145 host 66.55.33.74 eq www
access-list 104 permit tcp host 217.45.118.145 host 66.55.33.74 eq cmd
access-list 104 deny tcp any host 66.55.33.74 eq telnet
access-list 104 deny tcp any host 66.55.33.74 eq www
access-list 104 deny tcp any host 66.55.33.74 eq 443
access-list 104 deny tcp any host 66.55.33.74 eq cmd
access-list 104 deny udp any host 66.55.33.74 eq snmp
access-list 104 remark IPSec Rule
access-list 104 permit ip 192.168.1.0 0.0.0.255 192.168.99.0 0.0.0.255
access-list 104 permit udp host 213.123.207.223 host 66.55.33.74 eq non500-isakmp
access-list 104 permit udp host 213.123.207.223 host 66.55.33.74 eq isakmp
access-list 104 permit esp host 213.123.207.223 host 66.55.33.74
access-list 104 permit ahp host 213.123.207.223 host 66.55.33.74
access-list 104 permit tcp any host 66.55.33.76 eq 3389
access-list 104 permit tcp any host 66.55.33.75 eq 3391
access-list 104 permit tcp any host 66.55.33.75 eq 3390
access-list 104 permit tcp any host 66.55.33.75 eq 3389
access-list 104 permit tcp any host 66.55.33.75 eq 443
access-list 104 remark MailDefender - ZUB
access-list 104 permit tcp 195.90.96.0 0.0.1.255 host 66.55.33.75 eq smtp
access-list 104 permit tcp any host 66.55.33.74 eq 3392
access-list 104 permit tcp any host 66.55.33.74 eq 1723
access-list 104 permit tcp any host 66.55.33.74 eq 3389
access-list 104 permit tcp any host 66.55.33.74 eq 8006
access-list 104 permit tcp any host 66.55.33.74 eq 8005
access-list 104 permit tcp any host 66.55.33.74 eq 8100
access-list 104 permit tcp any host 66.55.33.74 eq 8004
access-list 104 permit tcp any host 66.55.33.74 eq 8003
access-list 104 permit tcp any host 66.55.33.74 eq 8002
access-list 104 permit tcp any host 66.55.33.74 eq 8001
access-list 104 permit tcp any host 66.55.33.74 eq 3391
access-list 104 permit tcp any host 66.55.33.74 eq 443
access-list 104 permit tcp any host 66.55.33.74 eq 3390
access-list 104 permit tcp any host 66.55.33.74 eq 9080
access-list 104 permit gre any any
access-list 104 remark MailProtector
access-list 104 permit tcp 195.90.96.0 0.0.1.255 host 66.55.33.74 eq smtp
access-list 104 deny ip 192.168.99.0 0.0.0.255 any
access-list 104 permit icmp any host 66.55.33.74 echo-reply
access-list 104 permit icmp any host 66.55.33.74 time-exceeded
access-list 104 permit icmp any host 66.55.33.74 unreachable
access-list 104 deny ip 10.0.0.0 0.255.255.255 any
access-list 104 deny ip 172.16.0.0 0.15.255.255 any
access-list 104 deny ip 192.168.0.0 0.0.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny ip host 0.0.0.0 any
access-list 104 deny ip any any log
access-list 105 remark CCP_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip 192.168.99.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 106 remark CCP_ACL Category=1
access-list 106 permit ip host 217.45.118.145 any
access-list 106 permit ip 192.168.99.0 0.0.0.255 any
access-list 106 permit ip any any
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 100
!
!
control-plane
!
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
access-class 106 in
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end
07-01-2013 01:48 AM
Hi Chris,
After the 12.3(X) version of IOS, the router does not check the traffic that is coming out of the VPN tunnel by means of the interface ACL. It did prior to that version. Nowadays, we do that by writing a separate ACL for each tunnel we want to filter traffic for. Pretty much like the ASA's vpn-filter, with some differences.
In IOS it's pretty easy and logical. We look at the VPN tunnel as an ordinary interface. We create one ACL for controlling the traffic going out through the tunnel and one ACL for the traffic coming in from the tunnel. So we have "in" and "out" ways on the "interface". The only difference is that there is no "interface"! We apply these ACLs under the appropriate crypto map.
For example, let's say:
- allow telnet traffic from 192.168.99.0/24 to 192.168.1.0/24
- allow web traffic from 192.168.1.0/24 to 192.168.99.0/24
- drop all the rest
You need to create 2 ACLs, one for the IN direction traffic and the other for the OUT traffic.
ip access-list extended VPNFILTER99-1
permit tcp 192.168.99.0 0.0.0.255 192.168.1.0 0.0.0.255 eq telnet
permit tcp 192.168.99.0 0.0.0.255 eq www 192.168.1.0 0.0.0.255
deny ip any any log
ip access-list extended VPNFILTER1-99
permit tcp 192.168.1.0 0.0.0.255 eq telnet 192.168.99.0 0.0.0.255
permit tcp 192.168.1.0 0.0.0.255 192.168.99.0 0.0.0.255 eq www
deny ip any any log
Now apply these ACLs under the appropriate crypto map:
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to213.1.1.223
set peer 213.1.1.223
set ip access-group VPNFILTER1-99 in
set ip access-group VPNFILTER99-1 out
set transform-set ESP-3DES-SHA
match address 105
This is how we can filter the traffic on IOS routers.
HTH
Regards
Raj Kumar
Please rate all helpful posts
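The two filter ACLs in the answer are stateless: the crypto-map ACL sees each packet on its own, so every permitted session needs one entry for the request direction in one ACL and one entry for the reply direction (matched on the server-side source port) in the other. The following is an added example, not part of the thread and not Cisco IOS code: a small evaluator for the subset of IOS extended-ACL syntax used above, run over constructed packets (hypothetical hosts 192.168.99.10, 192.168.99.250 and 192.168.1.20, ephemeral ports chosen at random) to show which flows each ACL admits and what breaks when a return-traffic entry is left out.

```python
"""Toy evaluator for the Cisco IOS extended-ACL subset used in the answer above.

Added example (not from the original thread, not Cisco IOS code): parses the
two VPN filter ACLs and checks constructed packets against them in both tunnel
directions. First matching entry wins; an ACL ends in an implicit deny.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

WELL_KNOWN = {"telnet": 23, "www": 80, "smtp": 25, "ssh": 22}  # port names used in IOS ACLs


@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp" or "ip" (ip matches any protocol)
    src: ipaddress.IPv4Network
    src_port: Optional[int]
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]


def _port(name: str) -> int:
    return WELL_KNOWN.get(name) or int(name)


def _parse_addr(tokens: list, i: int):
    """Consume one address spec (any | host A.B.C.D | A.B.C.D wildcard) plus an
    optional 'eq <port>'. Returns (network, port, index of next token)."""
    tok = tokens[i]
    if tok == "any":
        net, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
    elif tok == "host":
        net, i = ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    else:
        # An IOS wildcard mask is the bitwise inverse of a netmask (contiguous masks only here).
        wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
        mask = ipaddress.IPv4Address(0xFFFFFFFF ^ wildcard)
        net, i = ipaddress.ip_network(f"{tok}/{mask}", strict=False), i + 2
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port, i = _port(tokens[i + 1]), i + 2
    return net, port, i


def parse_acl(text: str) -> list:
    """Parse 'permit|deny <proto> <src> [eq p] <dst> [eq p] [log]' lines; the
    'ip access-list' header and remarks are skipped, a trailing 'log' is ignored."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("ip", "remark"):
            continue
        action, proto = tokens[0], tokens[1]
        src, sport, i = _parse_addr(tokens, 2)
        dst, dport, i = _parse_addr(tokens, i)
        aces.append(Ace(action, proto, src, sport, dst, dport))
    return aces


def evaluate(acl: list, proto: str, src: str, sport: int, dst: str, dport: int) -> str:
    """Return the verdict ("permit"/"deny") of the first matching entry, else implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.src_port is not None and ace.src_port != sport:
            continue
        if ace.dst_port is not None and ace.dst_port != dport:
            continue
        return ace.action
    return "deny"


# The two filter ACLs exactly as given in the answer above.
VPNFILTER99_1 = """
ip access-list extended VPNFILTER99-1
permit tcp 192.168.99.0 0.0.0.255 192.168.1.0 0.0.0.255 eq telnet
permit tcp 192.168.99.0 0.0.0.255 eq www 192.168.1.0 0.0.0.255
deny ip any any log
"""
VPNFILTER1_99 = """
ip access-list extended VPNFILTER1-99
permit tcp 192.168.1.0 0.0.0.255 eq telnet 192.168.99.0 0.0.0.255
permit tcp 192.168.1.0 0.0.0.255 192.168.99.0 0.0.0.255 eq www
deny ip any any log
"""
OUT_ACL = parse_acl(VPNFILTER99_1)  # applied 'out' on the crypto map: subnet A -> tunnel
IN_ACL = parse_acl(VPNFILTER1_99)   # applied 'in' on the crypto map: tunnel -> subnet A


def check_flows() -> dict:
    """Constructed flows (hypothetical hosts in each subnet); returns the verdict per packet."""
    no_return_entries = [a for a in OUT_ACL if a.src_port is None]  # OUT ACL without its reply line
    return {
        # telnet session from subnet A to subnet B: request leaves, reply comes back
        "telnet A->B request": evaluate(OUT_ACL, "tcp", "192.168.99.10", 50000, "192.168.1.20", 23),
        "telnet A->B reply":   evaluate(IN_ACL,  "tcp", "192.168.1.20", 23, "192.168.99.10", 50000),
        # web session from subnet B to a server in subnet A
        "web B->A request":    evaluate(IN_ACL,  "tcp", "192.168.1.20", 50001, "192.168.99.250", 80),
        "web B->A reply":      evaluate(OUT_ACL, "tcp", "192.168.99.250", 80, "192.168.1.20", 50001),
        # outside the stated policy: ssh from A to B, and web in the A->B direction
        "ssh A->B request":    evaluate(OUT_ACL, "tcp", "192.168.99.10", 50002, "192.168.1.20", 22),
        "web A->B request":    evaluate(OUT_ACL, "tcp", "192.168.99.10", 50003, "192.168.1.20", 80),
        # the same web reply with the 'eq www' return entry removed from the OUT ACL
        "web B->A reply, no return entry": evaluate(no_return_entries, "tcp", "192.168.99.250", 80, "192.168.1.20", 50001),
    }


if __name__ == "__main__":
    for flow, verdict in check_flows().items():
        print(f"{flow:35} {verdict}")
```

The last entry is the one to watch: drop the `permit tcp 192.168.99.0 0.0.0.255 eq www 192.168.1.0 0.0.0.255` line from VPNFILTER99-1 and the web server's replies are silently discarded by the `deny ip any any log` entry, even though the requests were permitted inbound. When extending either ACL, add the request entry and its mirror-image reply entry together, and use the `log` keyword on the final deny (as the answer does) so dropped flows show up in the router log while testing.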
07-01-2013 03:29 AM
Thank you Raj - worked a treat.