458 Views, 0 Helpful, 2 Replies
ronald.tuns (Beginner)

Restrict traffic through EasyVPN tunnels

Hi everyone,

I was wondering if someone could help me out on this issue:

We are using a 1803 ISR for remote vpn users. They use Cisco VPN clients with the EasyVPN server functionality of the ISR. I would like to restrict the ports/protocols which they can use to the remote network they connect to.

This is the (edited) client config in the ISR:

crypto isakmp client configuration group RemoteVPN
key remoteaccess
dns 192.168.0.1
domain domain.local
pool POOL_1
acl 140
netmask 255.255.255.240

access-list 140 remark EasyVPN ACL
access-list 140 permit ip 192.168.0.0 0.0.0.255 any

I tried to edit the acl 140 with access rules, but they do not seem to have any effect. If I edit acl 140 with deny ip any any, for example, the remote users can still use any protocol to access the remote network.

What am I doing wrong here?

Regards,

Ronald Tuns

ACCEPTED SOLUTION

Ronald,

You can only set "IP" in the split-tunneling ACL (this is to indicate traffic to be encrypted).

However, the feature you're looking for is called:

Crypto Access Check on Clear-Text Packets

Check it out in the Cisco IOS Security Configuration Guide, Release 12.4.

In short, define your post-encryption ACL, go into your crypto map and apply it with:

set ip access-group {access-list-number | access-list-name} {in | out}

Hope it helps.

Federico.
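As an added illustration of the answer above (example configuration, not from the original thread or from Cisco), this shows the split-tunnel ACL left as a plain "permit ip" selector while a separate extended ACL, applied with set ip access-group, filters the clear-text packets after decryption. Everything not in the post is assumed: the crypto map and dynamic map names, the transform set and AAA list names, the filter ACL name, the host 192.168.0.10 and the outside interface; placing set ip access-group under the dynamic map used by the EasyVPN server is also an assumption to verify on the platform.

```cisco
! Added example (not from the original thread): restrict what EasyVPN
! clients may reach inside the tunnel. Names other than those in the post
! (MAP_EZVPN, DYN_EZVPN, TS_EZVPN, EZVPN_AUTHOR, EZVPN_XAUTH,
! VPN_CLIENT_FILTER, 192.168.0.10, FastEthernet0) are assumed.
!
! 1. The split-tunnel ACL stays "permit ip": it only selects which
!    destinations the client encrypts; it is not a traffic filter.
access-list 140 remark EasyVPN split-tunnel ACL (selects traffic to encrypt)
access-list 140 permit ip 192.168.0.0 0.0.0.255 any
!
! 2. Clear-text check: which decrypted packets from the VPN clients are
!    allowed onto the LAN. Here only DNS to 192.168.0.1 and RDP to a
!    single host; everything else decrypted from the tunnel is dropped
!    and logged, which also gives a counter to confirm the filter works.
ip access-list extended VPN_CLIENT_FILTER
 remark Applied to decrypted EasyVPN traffic (client -> LAN)
 permit udp any host 192.168.0.1 eq domain
 permit tcp any host 192.168.0.10 eq 3389
 deny   ip any any log
!
! 3. Apply the filter in the dynamic crypto map the EasyVPN server uses.
!    "in"  = check packets after decryption (client -> LAN)
!    "out" = check packets before encryption (LAN -> client)
crypto dynamic-map DYN_EZVPN 10
 set transform-set TS_EZVPN
 set ip access-group VPN_CLIENT_FILTER in
 reverse-route
!
crypto map MAP_EZVPN client authentication list EZVPN_XAUTH
crypto map MAP_EZVPN isakmp authorization list EZVPN_AUTHOR
crypto map MAP_EZVPN client configuration address respond
crypto map MAP_EZVPN 10 ipsec-isakmp dynamic DYN_EZVPN
!
interface FastEthernet0
 crypto map MAP_EZVPN
```

Check with "show crypto map" that the access-group appears under the dynamic entry, and with "show access-lists VPN_CLIENT_FILTER" that the deny counter increments when a client tries a protocol that is not permitted.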


2 REPLIES


Thanks Federico!

That indeed looks like what I'm trying to achieve. Didn't know about that feature, but I'm certainly gonna try it!

Regards,

Ronald Tuns
