
Extended access list

Hi, I have a question about the IPsec VPN access list used to match traffic. I read that the access-lists need to be mirror images of each other to create the IPsec tunnel. I have a point-to-multipoint scenario and I am using site-to-site VPN for every location. So my point is: can I configure an extended access list on the hub to match all sites' traffic and call it in the transform set?

 

E.g.

ip access-list extended IPSEC
 10 permit ip host 10.88.0.1 host 192.168.0.1 (first site)
 20 permit ip host 10.88.0.1 host 192.168.0.2 (second site)

 

The IP addresses in this access list are actually the GRE tunnel endpoints.

 

So, if I call this in the transform set, will the respective site match itself to its own access list and encrypt the traffic?

 

Thanks in advance

7 Replies

I used IPSEC again in the access list; that's a mistake.

What exactly are you trying to achieve? If it is just hub-to-hub communication, then DMVPN is a better solution than having site-to-site between all locations.

--
Please remember to select a correct answer and rate helpful posts

Hi, I need spoke-to-spoke communication even if the HUB fails; that's why I created site-to-site tunnels.

So my question was: for site-to-site tunnels with the hub, can I use an extended access list inside one single transform set to match traffic for multiple sites?

I am not entirely sure what you mean by inside a single transform-set. You can set up a dynamic crypto map so you don't need to configure a separate crypto map entry for each branch site. The issue here is that it is the branch site that would need to initiate traffic. That is to say, if the VPN tunnel is down because no interesting traffic is crossing it, the hub site would not be able to bring the tunnel up. Only the branch will be able to bring up the tunnel.


Hi, thank you for the reply.

Actually, what I meant was in the dynamic map, where we need to match an access-list for the traffic that needs to be encrypted. So, what I did: I created one extended access list, created multiple entries in it matching multiple sites, and called it in one dynamic map.

 

Will there be any issue with that? Or should I create one dynamic map per location and match a single access-list in each?

 

I hope I explained properly now.
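The layout the replies describe, as an added example that is not part of this thread and not the poster's own configuration: the hub carries a dynamic crypto map (so it needs no per-spoke crypto map entry and no "set peer"), and each spoke carries a static crypto map whose crypto ACL is the mirror image of the hub's entry for that spoke. It also covers the later question of one multi-entry ACL on the hub versus one map per location. Assumptions: the addresses 10.88.0.1 (hub) and 192.168.0.1 / 192.168.0.2 (spokes) are taken from the original post; the ACL names, transform set name, map names, interface names, tunnel addressing and the pre-shared key placeholders are made up here; the spoke side is written in Cisco IOS syntax purely for illustration, since the spoke in this thread is a Digi WR 44 whose configuration syntax does not appear in the thread.

```cisco
! ---------------- Hub (Cisco 4331, IOS-XE) ----------------
! Phase 1 policy. Pre-shared keys are configured per spoke peer rather than as a
! single wildcard key (hypothetical placeholders, replace with real keys).
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PSK-SPOKE1-PLACEHOLDER> address 192.168.0.1
crypto isakmp key <PSK-SPOKE2-PLACEHOLDER> address 192.168.0.2
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! One crypto ACL listing every spoke, as in the original post, but narrowed to the
! GRE encapsulation between the tunnel endpoints instead of "permit ip".
! (ACL name HUB-CRYPTO is hypothetical.)
ip access-list extended HUB-CRYPTO
 10 permit gre host 10.88.0.1 host 192.168.0.1
 20 permit gre host 10.88.0.1 host 192.168.0.2
!
! Dynamic crypto map: no "set peer"; each spoke initiates and proposes its own
! proxy identities. "match address" is optional on a dynamic map; when present,
! the selectors a spoke proposes must be permitted by one of its entries, so a
! single ACL with one entry per spoke is sufficient here.
crypto dynamic-map DYN 10
 set transform-set TS
 match address HUB-CRYPTO
!
crypto map VPN 10 ipsec-isakmp dynamic DYN
!
interface GigabitEthernet0/0/0
 ip address 10.88.0.1 255.255.255.0
 crypto map VPN
!
! Point-to-point GRE tunnel towards spoke 1 (one such interface per spoke).
interface Tunnel1
 ip address 172.16.1.1 255.255.255.252
 tunnel source 10.88.0.1
 tunnel destination 192.168.0.1
!
! ---------------- Spoke 1 (IOS syntax for illustration only) ----------------
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PSK-SPOKE1-PLACEHOLDER> address 10.88.0.1
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Mirror image of the hub's entry 10: source and destination swapped.
! (ACL name SPOKE1-CRYPTO is hypothetical.)
ip access-list extended SPOKE1-CRYPTO
 10 permit gre host 192.168.0.1 host 10.88.0.1
!
! Static crypto map on the spoke: it must name the hub as peer and carry the
! mirrored ACL, because only the spoke side can bring the tunnel up.
crypto map VPN 10 ipsec-isakmp
 set peer 10.88.0.1
 set transform-set TS
 match address SPOKE1-CRYPTO
!
interface GigabitEthernet0/0/0
 ip address 192.168.0.1 255.255.255.0
 crypto map VPN
!
! GRE keepalives make the spoke generate interesting traffic on its own, so the
! IPsec SA is established from the spoke even when no user traffic is flowing.
interface Tunnel0
 ip address 172.16.1.2 255.255.255.252
 tunnel source 192.168.0.1
 tunnel destination 10.88.0.1
 keepalive 10 3
```

Two points to check after applying something like this: `show crypto ipsec sa` on the spoke should show the local and remote identities as the two GRE endpoints, and the same pair reversed on the hub, which is what "mirror image" means in practice. Matching only GRE between the endpoints is the usual pattern for GRE over IPsec: every user subnet rides the GRE tunnel, so the crypto ACL never has to be edited when a new subnet appears behind a spoke, and the spoke's keepalives keep the tunnel up despite the hub being unable to initiate through a dynamic map.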

What device do you have as your hub (VPN head-end)?


Hi, I have a Cisco 4331 as hub but Digi WR 44 on the spoke sites.

 

Thanks