I have an odd situation where I need to config site to site VPN with a very "tight" VPN ACL that allows access to a specific port and host at each end. I need to tunnel TCP traffic from site A encryption domain address 188.8.131.52 to site B address 184.108.40.206 port 2222. I also need to permit the site B host 220.127.116.11 to tunnel TCP to 18.104.22.168 on port 1111. I didn't think setting the tight ACL would be a big deal and I've done lots of site to site VPNs before. But I've always used very general crypto ACLs permitting IP to blocks of addresses. I can get half of the communication going, but not the other half. I believe my crypto ACLs should look like this:
access-list 101 permit tcp host 22.214.171.124 host 126.96.36.199 eq 2222
access-list 101 permit tcp host 188.8.131.52 eq 1111 host 184.108.40.206
access-list 101 permit tcp host 220.127.116.11 host 18.104.22.168 eq 1111
access-list 101 permit tcp host 22.214.171.124 eq 2222 host 126.96.36.199
Thanks for your help.
The crypto ACLs should be defined using a IP as protocol. It will create conflicts if you try to use TCP or UDP.
Now if you need to tight what comes in thru your tunnel, the best way to do this is using ACLs on the internal Interface.
For example on site A, asumming that the F0/1 is your private interface you could something like this to limit the traffic
access-list 150 permit permit tcp host 188.8.131.52 host 184.108.40.206 eq 2222
access-list 150 permit deny ip host 220.127.116.11 host 18.104.22.168
access-list 150 permit permit ip any any
access-list 160 permit permit tcp host 22.214.171.124 host 126.96.36.199 eq 1111
access-list 160 permit deny ip host 188.8.131.52 host 184.108.40.206
access-list 160 permit permit ip any any
int F 0/1
ip access-group 150 in
ip access-group 160 out
Your crypto acl should be
access-list 101 permit ip host 220.127.116.11 host 18.104.22.168 eq.
In other words, the tunnel must be negotiated using IP as protocol, and then you can limit whatever enters/leaves the tunnel by applying an ACL to the private interface, which is the one the that sees the traffic unencrypted.
Thanks Raga. It turns out my ACL using TCP/UDP worked fine. I don't have full control over the remote end of this connection and it was just an config problem at the other end.The problem I was having was due to "fat fingering" an ACL. Sorry.