Restrict traffic through EasyVPN tunnels

ronald.tuns
Level 1

Hi everyone,

I was wondering if someone could help me out on this issue:

We are using a 1803 ISR for remote vpn users. They use Cisco VPN clients with the EasyVPN server functionality of the ISR. I would like to restrict the ports/protocols which they can use to the remote network they connect to.

This is the (edited) client config in the ISR:

crypto isakmp client configuration group RemoteVPN
 key remoteaccess
 dns 192.168.0.1
 domain domain.local
 pool POOL_1
 acl 140
 netmask 255.255.255.240

access-list 140 remark EasyVPN ACL
access-list 140 permit ip 192.168.0.0 0.0.0.255 any

I tried to edit the acl 140 with access rules, but they do not seem to have any effect. If I edit acl 140 with deny ip any any, for example, the remote users can still use any protocol to access the remote network.

What am I doing wrong here?

Regards,

Ronald Tuns

Accepted Solution

Ronald,

You can only set "IP" in the split-tunneling ACL (this is to indicate traffic to be encrypted).

However, the feature you're looking for is called:

Crypto Access Check on Clear-Text Packets

Check it out in the Cisco IOS Security Configuration Guide, Release 12.4

In short, define your post-encryption ACL, go into your crypto map and apply it with:

set ip access-group {access-list-number | access-list-name} {in | out}

Hope it helps.

Federico.
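Federico's pointer turned into a concrete configuration, as an added example that is not from the thread: ACL 140 stays a plain "permit ip" split-tunnel list, while a second ACL is applied to the decrypted client traffic with set ip access-group. The ACL number 141, the permitted ports, the transform set, map names, AAA list names and the interface are assumptions.

```cisco
! Constructed example: post-decryption filter for EasyVPN clients.
! Numbers, names, ports and interface below are assumptions.
!
! Split-tunnel ACL: "permit ip" only. It tells the client which
! destinations go through the tunnel; it does not filter them.
access-list 140 remark EasyVPN split-tunnel ACL
access-list 140 permit ip 192.168.0.0 0.0.0.255 any
!
! Post-decryption ACL (Crypto Access Check on Clear-Text Packets).
! Source "any" covers the addresses handed out from POOL_1.
! The final deny logs hits so blocked attempts show up in syslog.
access-list 141 remark EasyVPN post-decryption filter
access-list 141 permit udp any host 192.168.0.1 eq domain
access-list 141 permit tcp any 192.168.0.0 0.0.0.255 eq 443
access-list 141 permit tcp any 192.168.0.0 0.0.0.255 eq 3389
access-list 141 deny   ip any any log
!
crypto isakmp client configuration group RemoteVPN
 key remoteaccess
 dns 192.168.0.1
 domain domain.local
 pool POOL_1
 acl 140
 netmask 255.255.255.240
!
crypto ipsec transform-set TS_VPN esp-aes esp-sha-hmac
!
! Assumption: the access group is set in the dynamic map entry,
! since the EasyVPN crypto map entry only references the dynamic
! map and has no submode of its own. "in" = packets arriving from
! the clients after decryption.
crypto dynamic-map DYN_VPN 10
 set transform-set TS_VPN
 set ip access-group 141 in
 reverse-route
!
! VPN_AUTHEN / VPN_AUTHOR are assumed existing AAA method lists.
crypto map CM_VPN client authentication list VPN_AUTHEN
crypto map CM_VPN isakmp authorization list VPN_AUTHOR
crypto map CM_VPN client configuration address respond
crypto map CM_VPN 10 ipsec-isakmp dynamic DYN_VPN
!
interface FastEthernet0
 crypto map CM_VPN
```

After a client connects, show access-lists 141 shows per-line match counters, which is the quickest way to confirm the filter is actually being consulted for decrypted traffic.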

Thanks Federico!

That indeed looks like what I'm trying to achieve. Didn't know about that feature, but I'm certainly gonna try it!

Regards,

Ronald Tuns