IOS L2L VPN Question

moahmed1981
Level 1

Hi

I created a VPN between two routers at two different sites. The VPN is working fine, but I noticed that I can ping from peer1 to peer2 through the tunnel although the ACL for the interesting traffic doesn't permit ICMP between the two peers. It is configured as follows:

access-list 120 permit ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list 120 permit ip host 1.1.1.1 host 2.2.2.2

No ICMP is permitted, but ICMP traffic is encapsulated, encrypted and passed through the tunnel. Why?

1 Accepted Solution

Accepted Solutions

Dinesh Moudgil
Cisco Employee

Hello moahmed1981,

When you configure an access-list for IP, it includes ICMP, TCP and UDP as well, thus it is expected that you will be able to ping across the tunnel.

If you want to change this, please configure a VPN filter to prevent pings across the VPN tunnel.
Here is a doc for your reference:
https://popravak.wordpress.com/2011/11/07/cisco-ios-vpn-filter/

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
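To make the answer above concrete, here is an added example (not from the original post, Cisco or the linked article) that models how an IOS extended ACL is evaluated: first match wins, the `ip` keyword matches every IP protocol, and an unmatched packet hits the implicit deny. It assumes standard wildcard-mask notation (0.0.0.255 for a /24) and a hypothetical filter ACL 130 that drops ICMP while still passing the other traffic the crypto ACL classifies as interesting.

```python
import ipaddress

def _wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    # IOS wildcard semantics: a 0 bit must match, a 1 bit is ignored.
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (b | w)

def _parse_addr(tokens, i):
    # Parse 'any', 'host A' or 'A WILDCARD' at tokens[i]; return (base, wildcard, next index).
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2

def parse_ace(line: str) -> dict:
    # One 'access-list N permit|deny PROTO SRC DST' entry (port qualifiers are not modelled here).
    t = line.split()
    src, src_wc, i = _parse_addr(t, 4)
    dst, dst_wc, _ = _parse_addr(t, i)
    return {"action": t[2], "proto": t[3], "src": src, "src_wc": src_wc,
            "dst": dst, "dst_wc": dst_wc}

def evaluate(acl_lines, proto: str, src: str, dst: str) -> str:
    # First matching entry decides; the list ends with an implicit deny.
    # 'ip' matches every IP protocol, so ICMP is classified as interesting by a 'permit ip' entry.
    for ace in map(parse_ace, acl_lines):
        proto_ok = ace["proto"] in ("ip", proto)
        if (proto_ok and _wildcard_match(src, ace["src"], ace["src_wc"])
                and _wildcard_match(dst, ace["dst"], ace["dst_wc"])):
            return ace["action"]
    return "deny"

# Constructed sample: the crypto (interesting-traffic) ACL from the question, in wildcard-mask form.
CRYPTO_ACL = [
    "access-list 120 permit ip 10.10.10.0 0.0.0.255 192.168.2.0 0.0.0.255",
    "access-list 120 permit ip host 1.1.1.1 host 2.2.2.2",
]
# Constructed sample: a hypothetical filter ACL that drops ICMP but keeps the rest of the tunnel traffic.
FILTER_ACL = [
    "access-list 130 deny icmp 10.10.10.0 0.0.0.255 192.168.2.0 0.0.0.255",
    "access-list 130 permit ip 10.10.10.0 0.0.0.255 192.168.2.0 0.0.0.255",
]

def tunnel_decision(proto: str, src: str, dst: str) -> tuple:
    # (crypto ACL verdict, filter ACL verdict): the first says whether the packet is encrypted,
    # the second whether the filter lets it through. ICMP yields ('permit', 'deny').
    return evaluate(CRYPTO_ACL, proto, src, dst), evaluate(FILTER_ACL, proto, src, dst)
```

Running `tunnel_decision("icmp", "10.10.10.5", "192.168.2.7")` shows the crypto ACL permitting the ping while the filter ACL drops it; TCP between the same hosts passes both.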


3 Replies


Thanks Dinesh for your reply

Glad to assist you, moahmed1981

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/