cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2880
Views
15
Helpful
5
Replies

Problem with ACL on IPSEC tunnel

ciscolover
Beginner
Beginner

Hi all,

 

I have an IPSEC tunnel created. I Would like to limit the encapsulated traffic.

 

If I open all the network 1.1.1.0/24 in the  ACL applyed  the connection to the 445 port of the server 1.1.1.2 works well. But if I open only this traffic it not works well, I can't connect to the 445 port.

You can view this in the attached diagram.

 

¿Maybe the ACL for IPSEC VPN only works with entire networks and it not works with more restrictive ACL?

Thans for your help.

2 ACCEPTED SOLUTIONS

Accepted Solutions

Yes it is. During VPN tunnel establishment, both peers validate if they want to protect the same traffic. This means both networks and ports have to match. If you use VPN filters, you only need to make a change on your end to restrict network and port access.

View solution in original post

5 REPLIES 5

Rahul Govindan
Advocate
Advocate
Changing the ACL applied to the crypto map requires you to make the change on both peers, so maybe its not working because it is not matching the other side's ACL. It is generally not preferred to add ports to the crypto ACL, you might run into vendors that do not support it completely. If you want to restrict on a network or port level, use VPN filters instead.

If you are using an ASA, an example on how to do this is here:

https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html

Thanks Raul,

 

The other peer is a FW and the rule is permit all traffic between both networks. Without port restrictions. I would like restrict ACL only in one of the extremes.

 

One side of the VPN  is a FW Fortinet and the other is an old cisco with advanced IP services firmware installed.

 

¿Is necessary the same ACL (changing source and destination) in both extremes of the tunnel? 

Yes it is. During VPN tunnel establishment, both peers validate if they want to protect the same traffic. This means both networks and ports have to match. If you use VPN filters, you only need to make a change on your end to restrict network and port access.

Thanks,

 

¿Can I use VPN filters on Cisco router or only on ASA?

 

I have another possible solution. I can apply another ACL to the inbound traffic interface differente of the ACL used in the VPN.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: