ronald.tuns
Beginner

Restrict site-to-site traffic

Hi everyone,

I have a quick question (I hope): what's the best way to restrict certain protocols from passing through a site-to-site tunnel? Should I edit the ACL which is assigned to the crypto map, or should I create a new ACL and assign it to the interface?

Thanks in advance,

Ronald

Accepted Solution

Better to use some input ACL to make the filter.

Changing the crypto ACL will make the restriction work, but it will possibly change the IPsec SA info. With both, it needs to be changed at both ends of the IPsec site.

Config reference:

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t8/feature/guide/gt_crpks.html#wp1065080


sean_evershed
Rising star

Hi,

Is this on a router or a firewall?

If you are using a firewall you can use the vpn-filter command.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

Hi Sean,

It is a 1803 ISR.

Regards,

Ronald

Hi,

Editing the ACL attached to the crypto map will do the trick.

Regards.

Alain.

Don't forget to rate helpful posts.

Hi Alain,

Thanks for the info. I'm gonna try that one.

Regards,

Ronald


Hi acui,

Changing the crypto ACL did indeed result in a wrong SA. I changed it to an access-group as you referenced and it's working perfectly. Only traffic that needs to go through the tunnel is passed, the rest is discarded.

Thanks for your help!

Regards,

Ronald
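The approach the thread settles on, written out as an added IOS configuration example (not taken from the thread or from the Cisco document it links): the crypto ACL that defines interesting traffic is left alone so the phase 2 proxy IDs still match the far end, and a separate ACL bound to the crypto map entry with `set ip access-group` (the command from the linked "Crypto Access Check on Clear-Text Packets" feature) filters the decrypted traffic. All addresses, names and the permitted protocols are constructed for the example.

```cisco
! --- Crypto ACL: defines which traffic enters the tunnel. ---
! Leave this unchanged: editing it changes the IPsec SA proxy identities,
! which then have to be mirrored on the remote peer or the SA fails.
ip access-list extended CRYPTO-ACL
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
! --- Filter ACL: applied to clear-text packets after decryption. ---
! Only the protocols actually needed across the site-to-site link are allowed;
! everything else arriving through the tunnel is dropped and logged.
ip access-list extended TUNNEL-FILTER-IN
 permit tcp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 443
 permit tcp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 22
 permit icmp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 echo
 permit icmp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 echo-reply
 deny ip any any log
!
! --- Crypto map entry: unchanged match address, plus the per-entry filter. ---
! "set ip access-group ... in" checks decrypted packets against TUNNEL-FILTER-IN
! without touching the crypto ACL, so no SA renegotiation is triggered.
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES-SHA
 match address CRYPTO-ACL
 set ip access-group TUNNEL-FILTER-IN in
!
interface FastEthernet0
 description Outside (WAN)
 ip address 198.51.100.1 255.255.255.0
 crypto map VPNMAP
```

The filter ACL can be tightened or extended on one side without the remote peer needing a matching change, which is the practical advantage over editing the crypto ACL.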
