Problem with ACL on IPSEC tunnel

ciscolover
Level 1

Hi all,

 

I have an IPSEC tunnel created. I would like to limit the encapsulated traffic.

 

If I open all of the network 1.1.1.0/24 in the ACL applied, the connection to port 445 of the server 1.1.1.2 works well. But if I open only this traffic it does not work well; I can't connect to port 445.

You can view this in the attached diagram.

 

Maybe the ACL for the IPSEC VPN only works with entire networks and does not work with a more restrictive ACL?

Thanks for your help.

5 Replies

Rahul Govindan
VIP Alumni
Changing the ACL applied to the crypto map requires you to make the change on both peers, so maybe it's not working because it is not matching the other side's ACL. It is generally not preferred to add ports to the crypto ACL; you might run into vendors that do not support it completely. If you want to restrict on a network or port level, use VPN filters instead.

If you are using an ASA, an example on how to do this is here:

https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html

Thanks Rahul,

 

The other peer is a FW and the rule is permit all traffic between both networks, without port restrictions. I would like to restrict the ACL only at one end of the tunnel.

 

One side of the VPN is a Fortinet FW and the other is an old Cisco with Advanced IP Services firmware installed.

 

Is the same ACL (with source and destination swapped) necessary at both ends of the tunnel?

Yes it is. During VPN tunnel establishment, both peers validate if they want to protect the same traffic. This means both networks and ports have to match. If you use VPN filters, you only need to make a change on your end to restrict network and port access.
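The check described in this reply (both peers must select the same traffic, addresses and ports included) can be modelled offline. The following is an added example, not code from the thread or from Cisco; it parses a small subset of IOS extended-ACL syntax (`permit <proto> <src> [eq <port>] <dst> [eq <port>]`, with `any`, `host` and wildcard masks) and reports every entry on one peer that has no mirror image on the other. The addresses 1.1.1.0/24, host 1.1.1.2 and tcp/445 come from the thread; the local client network 2.2.2.0/24 is an assumption, and the Fortinet side's policy is written as the equivalent IOS ACL line.

```python
"""Mirror-image check for IPsec crypto ACLs (added example, not from the thread).

Each permit entry on one peer must correspond to an entry on the far peer with
source and destination (addresses and ports) swapped; otherwise the phase-2
proxy IDs do not match and the tunnel for that traffic will not come up.
"""
import ipaddress
from dataclasses import dataclass


def _wildcard_to_network(addr, wildcard):
    """IOS wildcard mask -> network. 0 bits must match, 1 bits are don't-care,
    so 0.0.0.255 is /24 and 0.0.0.0 is a single host (/32)."""
    w = int(ipaddress.IPv4Address(wildcard))
    prefixlen = 32 - bin(w).count("1")
    if w != (1 << (32 - prefixlen)) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ipaddress.ip_network(f"{addr}/{prefixlen}")


def _take_addr(tokens, i):
    """Consume one address spec (any | host A | A WILDCARD) at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    return _wildcard_to_network(tok, tokens[i + 1]), i + 2


def _take_port(tokens, i):
    """Consume an optional 'eq <port>' at tokens[i]; 'any' when absent."""
    if i < len(tokens) and tokens[i] == "eq":
        return tokens[i + 1], i + 2
    return "any", i


@dataclass(frozen=True)
class Ace:
    proto: str
    src: ipaddress.IPv4Network
    sport: str
    dst: ipaddress.IPv4Network
    dport: str

    def mirror(self):
        """The same entry as the far peer must write it (ends swapped)."""
        return Ace(self.proto, self.dst, self.dport, self.src, self.sport)


def parse_ace(line):
    """Parse one 'permit ...' line of the supported IOS extended-ACL subset."""
    tokens = line.split()
    if tokens[0] != "permit":
        raise ValueError("only permit entries select traffic for the tunnel")
    proto = tokens[1]
    src, i = _take_addr(tokens, 2)
    sport, i = _take_port(tokens, i)
    dst, i = _take_addr(tokens, i)
    dport, _ = _take_port(tokens, i)
    return Ace(proto, src, sport, dst, dport)


def mismatches(local_lines, remote_lines):
    """Return (entries only on the local peer, entries only on the remote peer),
    both expressed from the local peer's point of view."""
    local = [parse_ace(line) for line in local_lines]
    remote_seen_locally = [parse_ace(line).mirror() for line in remote_lines]
    only_local = [a for a in local if a not in remote_seen_locally]
    only_remote = [a for a in remote_seen_locally if a not in local]
    return only_local, only_remote


def proxy_ids_match(local_lines, remote_lines):
    """True when every entry on each peer has its mirror image on the other."""
    only_local, only_remote = mismatches(local_lines, remote_lines)
    return not only_local and not only_remote


# Constructed sample policies. 1.1.1.0/24, host 1.1.1.2 and tcp/445 come from
# the thread; 2.2.2.0/24 as the local client network is an assumption. The
# Fortinet side's "all traffic between both networks" rule is written here as
# the equivalent IOS ACL line.
REMOTE_FW = ["permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255"]
LOCAL_WHOLE_NETWORK = ["permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255"]
LOCAL_PORT_ONLY = ["permit tcp 2.2.2.0 0.0.0.255 host 1.1.1.2 eq 445"]

if __name__ == "__main__":
    for name, acl in (("whole network", LOCAL_WHOLE_NETWORK),
                      ("port 445 only", LOCAL_PORT_ONLY)):
        ok = proxy_ids_match(acl, REMOTE_FW)
        print(f"{name}: {'match' if ok else 'MISMATCH'}")
        if not ok:
            only_local, only_remote = mismatches(acl, REMOTE_FW)
            print("  local entries with no mirror on the far peer:", only_local)
            print("  far-peer entries with no mirror locally:", only_remote)
```

Run as a script, the whole-network ACL reports a match and the port-445-only ACL reports a mismatch on both sides, which is the situation in the original question: the far peer still offers 1.1.1.0/24 to 2.2.2.0/24 for any protocol while the local peer offers only tcp/445 to one host. The practical consequence is the one the replies give: keep the crypto ACL at the granularity both vendors agree on and apply the port restriction elsewhere (a VPN filter on an ASA, or a separate interface ACL).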

Thanks,

 

Can I use VPN filters on a Cisco router or only on an ASA?

 

I have another possible solution. I can apply another ACL to the inbound traffic interface, different from the ACL used in the VPN.
