01-24-2011 03:15 AM
Hi everyone,
I have a quick question (I hope): what's the best way to restrict certain protocols from passing through a site-to-site tunnel? Should I edit the ACL which is assigned to the crypto map, or should I create a new ACL and assign it to the interface?
Thanks in advance,
Ronald
Solved! Go to Solution.
01-25-2011 02:46 AM
Better to use an input ACL to make the filter.
Changing the crypto ACL will make the restriction work, but it will possibly change the IPsec SA info. Also, it needs to be changed at both ends of the IPsec tunnel.
Config reference:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t8/feature/guide/gt_crpks.html#wp1065080
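To make the distinction concrete, here is an added IOS configuration example (not from the thread or from Cisco's documentation) that keeps the crypto ACL broad and does the protocol filtering with an inbound interface ACL instead. All addresses, the interface name, the ACL and crypto map names, and the set of allowed protocols are assumptions; the ISAKMP policy, pre-shared key and transform set are assumed to be configured already.

```cisco
! Added example, not from the original thread. Assumed addressing:
!   local LAN 192.0.2.0/24, remote LAN 198.51.100.0/24
!   local tunnel endpoint 203.0.113.1, remote peer 203.0.113.2
!
! Crypto ACL: left as "all IP between the two LANs". Because it defines
! the IPsec SA proxy identities, it stays identical on both peers and is
! NOT used for protocol filtering.
ip access-list extended VPN-CRYPTO
 permit ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255
!
! Interface ACL applied inbound on the outside interface. The first three
! entries keep the tunnel itself alive (IKE, NAT-T and ESP to this router);
! the rest decide which decrypted traffic from the remote LAN may enter.
ip access-list extended OUTSIDE-IN
 permit udp host 203.0.113.2 host 203.0.113.1 eq isakmp
 permit udp host 203.0.113.2 host 203.0.113.1 eq non500-isakmp
 permit esp host 203.0.113.2 host 203.0.113.1
 ! sessions the remote LAN may open towards the local LAN (assumed set)
 permit tcp 198.51.100.0 0.0.0.255 192.0.2.0 0.0.0.255 eq 443
 permit tcp 198.51.100.0 0.0.0.255 192.0.2.0 0.0.0.255 eq 22
 permit icmp 198.51.100.0 0.0.0.255 192.0.2.0 0.0.0.255 echo
 ! replies to TCP sessions opened from the local LAN; drop this line if
 ! the local side never initiates, or use stateful inspection instead
 permit tcp 198.51.100.0 0.0.0.255 192.0.2.0 0.0.0.255 established
 ! everything else from the remote LAN is dropped and logged
 deny   ip 198.51.100.0 0.0.0.255 192.0.2.0 0.0.0.255 log
 deny   ip any any log
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address VPN-CRYPTO
!
interface FastEthernet0
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 crypto map VPN-MAP
```

After applying this, `show crypto ipsec sa` should still report the proxy identities 192.0.2.0/24 and 198.51.100.0/24 on both peers (the SA is unchanged), while `show access-list OUTSIDE-IN` shows hit counts moving to the permit lines for the allowed protocols and to the logged deny for everything else. The interface ACL is local to this router, so the remote peer needs no change.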
01-24-2011 04:18 AM
Hi,
Is this on a router or a firewall?
If you are using a firewall you can use the vpn-filter command
01-24-2011 05:55 AM
Hi Sean,
It is a 1803 ISR.
Regards,
Ronald
01-24-2011 06:22 AM
Hi,
Editing the ACL attached to the crypto map will do the trick.
Regards.
Alain.
01-24-2011 11:49 PM
Hi Alain,
Thanks for the info. I'm gonna try that one.
Regards,
Ronald
01-25-2011 07:53 AM
Hi acui,
Changing the crypto ACL did indeed result in a wrong SA. I changed it to an access-group as you referenced and it's working perfectly. Only traffic that needs to go through the tunnel is passed, the rest is discarded.
Thanks for your help!
Regards,
Ronald