easy VPN - acl

Hi,

there is one parameter, 'acl', which is unclear to me; it's configured on the client side:

crypto ipsec client ezvpn VPN
 connect auto
 group EASYVPN key cisco
 mode client
 peer 10.0.0.1
 username cisco password cisco
 xauth userid mode local
 acl 101

Whatever I add to acl 101, the tunnel still works. I found one description:

Step 6

acl {acl-name | acl-number}

Example:

Device (config-crypto-ezvpn)# acl acl-list1

Specifies multiple subnets in a VPN tunnel.

'Specifies multiple subnets in a VPN tunnel.' - what does it mean, source?

I tried to use this parameter and added an access list:

access-list 123 permit ip 10.10.10.0 0.0.0.255 host 20.0.0.20
access-list 123 permit ip 50.50.50.0 0.0.0.255 host 20.0.0.20

where 10.10.10.0 and 50.50.50.0 are source and 20.0.0.20 is destination.

When I pinged from source 10.10.10.3 (physical interface) to 20.0.0.20, the number of encrypted and decrypted packets grew,

but when I pinged from source 50.50.50.50 (loopback interface) to 20.0.0.20, I saw it wasn't pushed into the tunnel.

Could someone explain how the parameter works and what it is for?

Thank you

Hubert


Marcin Latosiewicz
Cisco Employee

Hubert,

Ref:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_esyvpn/configuration/15-2mt/sec-easy-vpn-rem.html

In client mode multiple subnets are not supported, nor do they make sense.

You are specifying which internal subnets to advertise to the server as the ones configured behind this device.

In client mode the server sees only the IP address assigned.

M.

Hi Marcin,

I changed the client mode to 'network-extension', and without any acl it works.

20.0.0.0/24[LAN]---[VPN SERVER]--------[INTERNET]--------[VPN CLIENT]---[LAN] 10.10.10.0/24

Traffic between the LAN networks is encrypted.

When I added a new subnet behind the client side:

20.0.0.0/24[LAN]---[VPN SERVER]-----------[INTERNET]-----------[VPN CLIENT]---[LAN] 10.10.10.0/24, 50.50.50.0/24

and the 'acl' parameter to the client configuration:

crypto ipsec client ezvpn VPN
 acl 23

access-list 23 permit 10.10.10.0 0.0.0.255
access-list 23 permit 50.50.50.0 0.0.0.255

traffic between 10.10.10.0/24 and 20.0.0.0/24 is secured, but between 50.50.50.0/24 and 20.0.0.0/24 it is not.

Any idea why?

Hubert

Hi,

The problem is resolved now; the client in 'network-ext' mode with the 'acl' parameter works with the external network behind the client (50.50.50.0/24):

crypto ipsec client ezvpn VPN
 connect auto
 group EASYVPN key cisco
 mode network-ext
 peer 10.0.0.1
 username cisco password cisco
 xauth userid mode local
 acl 101

access-list 101 permit ip 10.20.20.0 0.0.0.255 20.0.0.0 0.0.0.255
access-list 101 permit ip 50.50.50.0 0.0.0.255 20.0.0.0 0.0.0.255

Thanks.
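As an added illustration of Marcin's point (example code, not from the thread or from Cisco): a small Python audit that parses the ezvpn block and its referenced access-list from the two configurations in this thread, reports the mode, flags the acl as ignored in client mode, and lists the subnets it advertises in network-extension mode. The indented running-config layout and the address/wildcard-only parsing of permit lines are assumptions.

```python
import ipaddress
import re
# Constructed sample 1: the client-mode configuration from the thread (IOS running-config layout).
CLIENT_MODE_CONFIG = """\
crypto ipsec client ezvpn VPN
 mode client
 acl 101
!
access-list 101 permit ip 10.10.10.0 0.0.0.255 host 20.0.0.20
access-list 101 permit ip 50.50.50.0 0.0.0.255 host 20.0.0.20
"""

# Constructed sample 2: the resolved network-extension configuration from the last post.
NETEXT_CONFIG = """\
crypto ipsec client ezvpn VPN
 mode network-extension
 acl 101
!
access-list 101 permit ip 10.20.20.0 0.0.0.255 20.0.0.0 0.0.0.255
access-list 101 permit ip 50.50.50.0 0.0.0.255 20.0.0.0 0.0.0.255
"""

def wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair (10.10.10.0 0.0.0.255) into 10.10.10.0/24."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def parse_acl_sources(config, name):
    """Source networks permitted by the standard or extended 'access-list <name>' lines."""
    ip = r"(\d+\.\d+\.\d+\.\d+)"
    pattern = rf"^[ \t]*access-list {re.escape(name)} permit (?:ip )?{ip} {ip}"
    return [wildcard_to_network(a, w) for a, w in re.findall(pattern, config, re.M)]

def audit_ezvpn(config):
    """Report the Easy VPN mode and what the 'acl' parameter actually does in that mode."""
    mode = re.search(r"^[ \t]*mode (\S+)", config, re.M)
    acl = re.search(r"^[ \t]*acl (\S+)", config, re.M)
    result = {"mode": mode.group(1) if mode else None, "advertised": [], "findings": []}
    if acl is None:
        return result
    sources = [str(n) for n in parse_acl_sources(config, acl.group(1))]
    if not sources:
        result["findings"].append(f"acl {acl.group(1)} has no usable permit entries")
    if result["mode"] == "client":
        # Client mode: the server only sees the assigned address, so the acl does nothing.
        result["findings"].append(f"acl {acl.group(1)} is ignored in client mode")
    elif result["mode"] and result["mode"].startswith("network-ext"):
        result["advertised"] = sources  # subnets advertised to the server as local
    return result
```

Running `audit_ezvpn` over the first sample reports the acl as ignored; over the second it lists 10.20.20.0/24 and 50.50.50.0/24 as the advertised subnets.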