Is this a proper VPN ACL?

Lucas Phelps
Level 5

Basically I have 2 branch offices that I want to be able to communicate back and forth via an IPSEC tunnel.

Each branch has two networks: Data (172.16.X.0) and Voice (192.168.X.0). I need both data networks to be able to communicate, and also the voice and data networks to communicate between sites, so that, for example, a user could ping an IP phone from their computer (data to voice and back).

Router 1

access-list 130 permit ip 172.16.25.0 0.0.0.255 172.16.23.0 0.0.0.255
access-list 130 permit ip 192.168.25.0 0.0.0.255 172.16.23.0 0.0.0.255
access-list 130 permit ip 172.16.23.0 0.0.0.255 192.168.25.0 0.0.0.255
access-list 130 permit ip 192.168.25.0 0.0.0.255 192.168.23.0 0.0.0.255

Router 2

access-list 130 permit ip 172.16.23.0 0.0.0.255 172.16.25.0 0.0.0.255
access-list 130 permit ip 172.16.23.0 0.0.0.255 192.168.25.0 0.0.0.255
access-list 130 permit ip 192.168.25.0 0.0.0.255 172.16.23.0 0.0.0.255
access-list 130 permit ip 192.168.23.0 0.0.0.255 192.168.25.0 0.0.0.255

Is this right? Thanks all!

1 Reply

Ricardo Prado Rueda
Cisco Employee

Hi Lucas,

Your access-lists are correct for a LAN-to-LAN tunnel. Basically, you need to include all the traffic flows you want to encrypt on one device and then mirror the access-list on the other end, just like you did.

Regards,

Rick.

Sent from Cisco Technical Support iPad App
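The two properties a LAN-to-LAN crypto ACL pair has to satisfy, the mirror rule the reply describes and full coverage of every local-to-remote subnet pair the question asks for, can be checked mechanically. The script below is an added example, not code from the thread or from Cisco; it assumes the subnets behind each router are the data and voice networks named in the question, that IOS matches the crypto ACL against outbound traffic with a local source (so an entry whose source is a remote subnet never selects traffic for the tunnel), and it only parses the `permit ip` entry form shown above. Run on the posted lists it reports that the two sides mirror each other, but that the 172.16.25.0/24 to 192.168.23.0/24 data-to-voice pair appears in neither list.

```python
import ipaddress

def wildcard_to_network(addr, wildcard):
    """IOS address/wildcard pair -> IPv4Network (a wildcard is the inverted subnet mask)."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def parse_crypto_acl(text):
    """Collect (src, dst) network pairs from 'access-list N permit ip SRC WC DST WC' lines."""
    flows = set()
    for line in text.splitlines():
        p = line.split()
        if len(p) != 8 or p[0] != "access-list" or p[2:4] != ["permit", "ip"]:
            continue  # blank lines, remarks, or entry forms this checker does not model
        flows.add((wildcard_to_network(p[4], p[5]), wildcard_to_network(p[6], p[7])))
    return flows

def check_crypto_acls(local_acl, local_nets, remote_acl, remote_nets):
    """Evaluate one router's crypto ACL against its peer's and the intended subnet pairs.
    mirrored: the peer's entries are exactly ours reversed.  missing: local->remote pairs with
    no entry (that traffic is not tunnelled).  wrong_source: entries sourced from a remote subnet."""
    local_nets = {ipaddress.IPv4Network(n) for n in local_nets}
    remote_nets = {ipaddress.IPv4Network(n) for n in remote_nets}
    ours, theirs = parse_crypto_acl(local_acl), parse_crypto_acl(remote_acl)
    wanted = {(l, r) for l in local_nets for r in remote_nets}
    return {
        "mirrored": ours == {(d, s) for s, d in theirs},
        "missing": sorted(f"{s} -> {d}" for s, d in wanted - ours),
        "wrong_source": sorted(f"{s} -> {d}" for s, d in ours if s in remote_nets),
    }

# The two crypto ACLs exactly as posted in the question (Router 1 first, then Router 2).
ROUTER1_ACL = """access-list 130 permit ip 172.16.25.0 0.0.0.255 172.16.23.0 0.0.0.255
access-list 130 permit ip 192.168.25.0 0.0.0.255 172.16.23.0 0.0.0.255
access-list 130 permit ip 172.16.23.0 0.0.0.255 192.168.25.0 0.0.0.255
access-list 130 permit ip 192.168.25.0 0.0.0.255 192.168.23.0 0.0.0.255
"""
ROUTER2_ACL = """access-list 130 permit ip 172.16.23.0 0.0.0.255 172.16.25.0 0.0.0.255
access-list 130 permit ip 172.16.23.0 0.0.0.255 192.168.25.0 0.0.0.255
access-list 130 permit ip 192.168.25.0 0.0.0.255 172.16.23.0 0.0.0.255
access-list 130 permit ip 192.168.23.0 0.0.0.255 192.168.25.0 0.0.0.255
"""
# Subnets behind each router, as described in the question (data and voice at each branch).
ROUTER1_NETS = ["172.16.25.0/24", "192.168.25.0/24"]
ROUTER2_NETS = ["172.16.23.0/24", "192.168.23.0/24"]

if __name__ == "__main__":
    print("Router 1:", check_crypto_acls(ROUTER1_ACL, ROUTER1_NETS, ROUTER2_ACL, ROUTER2_NETS))
    print("Router 2:", check_crypto_acls(ROUTER2_ACL, ROUTER2_NETS, ROUTER1_ACL, ROUTER1_NETS))
```

Whatever a checker like this reports, `show crypto ipsec sa` on each router (looking at the local/remote identities and encaps/decaps counters) remains the confirmation that the intended flows are actually being protected.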