Restrict site-to-site traffic

ronald.tuns
Level 1

Hi everyone,

I have a quick question (I hope): what's the best way to restrict certain protocols from passing through a site-to-site tunnel? Should I edit the ACL which is assigned to the crypto map, or should I create a new ACL and assign it to the interface?

Thanks in advance,

Ronald


6 Replies

sean_evershed
Level 7

Hi,

Is this on a router or a firewall?

If you are using a firewall, you can use the vpn-filter command:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

Hi Sean,

It is a 1803 ISR.

Regards,

Ronald

Hi,

Editing the ACL attached to the crypto map will do the trick.

Regards.

Alain.

Don't forget to rate helpful posts.

Hi Alain,

Thanks for the info. I'm gonna try that one.

Regards,

Ronald

Better to use an input ACL to make the filter.

Changing the crypto ACL will make the restriction work, but it will possibly change the IPsec SA info. Also, it needs to be changed at both ends of the IPsec site.

Config reference:

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t8/feature/guide/gt_crpks.html#wp1065080
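The approach from this reply, as an added example that is not taken from the thread or from the linked Cisco document: the crypto ACL stays a plain subnet-to-subnet match (so the SA proxy identities and the peer's configuration are untouched), and the protocol restriction lives in a separate ACL applied inbound on the LAN interface. Interface names, addresses, and ACL names are assumed placeholders; ISAKMP policy and keying are omitted.

```cisco
! Assumed topology (constructed): local LAN 192.168.1.0/24 on FastEthernet0 (inside),
! remote LAN 192.168.2.0/24 behind peer 203.0.113.2, crypto map on FastEthernet1 (outside).
!
! Crypto ACL: defines the IPsec SA proxy identities, so it must mirror the peer's
! crypto ACL. Leave it as the full subnet pair; narrowing it to single protocols
! would change the SA and require the same change on the peer.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! Filtering ACL, evaluated on clear-text packets before encryption. Only HTTPS and
! ICMP echo may go to the remote site; anything else bound for it is dropped and
! logged. Traffic to other destinations is left as it was.
ip access-list extended LAN-IN
 permit tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 443
 permit icmp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 echo
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 log
 permit ip any any
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto map SITE2SITE 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address VPN-TRAFFIC
!
interface FastEthernet0
 description Inside LAN
 ip address 192.168.1.1 255.255.255.0
 ip access-group LAN-IN in
!
interface FastEthernet1
 description Outside, tunnel endpoint
 ip address 203.0.113.1 255.255.255.252
 crypto map SITE2SITE
!
! Check: the SA identities should still show the whole subnet pair, not single ports.
! show crypto ipsec sa | include ident
```

This filters only traffic sourced from the local LAN; sessions initiated from the remote side must be restricted on the peer in the same way, since the crypto ACL on its own still admits any IP protocol between the two subnets.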

Hi acui,

Changing the crypto ACL did indeed result in a wrong SA. I changed it to an access-group as you referenced and it's working perfectly. Only traffic that needs to go through the tunnel is passed; the rest is discarded.

Thanks for your help!

Regards,

Ronald
