10-20-2009 06:54 AM
Hi All,
We are terminating a VPN on an 1800 series router. The networks that are negotiated during the phase 2 part of the setup are shown below, using the ACL...
ip access-list extended VPN_ACL
permit ip 192.168.200.0 0.0.0.255 192.168.40.0 0.0.0.255
This then allows all IP traffic between the 2 networks. My question is this....
What would be the best way to restrict the traffic? Use an ACL outbound on the internal interface? Any other recommendations would be great.
Thanks in advance
Steve
10-20-2009 07:16 AM
Hi,
If you use a tunnel interface, then you can put an ACL directly on it. If you don't, then think about it, but if you allow only the traffic that should be authorized in your tunnel on your crypto ACL, then I think traffic not matching will be dropped, or at least it won't be encapsulated and then your ISP will drop it.
10-20-2009 07:20 AM
Thanks so much for your reply. How would I use the tunnel interface? I don't suppose you have any good documentation you could point me to.
Cheers again
Steve
10-20-2009 07:38 AM
Here is an example using a virtual tunnel interface; it's very simple:
http://www.ciscoblog.com/archives/2006/08/vpn_virtual_tun.html
Create a tunnel interface with source/dest public addresses and a private address, then assign an IPsec profile for protection (which contains a transform set).
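The following IOS configuration is an added example of the static VTI approach just described; it is not from the thread or from the linked blog post. Everything in it is assumed for illustration: the peer public address 203.0.113.2, our outside interface FastEthernet0/0, the inside LAN 192.168.200.0/24 on FastEthernet0/1, the remote LAN 192.168.40.0/24, pre-shared-key authentication, and the single permitted flow (HTTPS to one remote host). The point it shows is that with a VTI the tunnel is an ordinary routed interface, so a normal interface ACL, not the crypto ACL, decides what may cross the VPN.

```cisco
! Added example (not from the thread or the linked blog post).
! Assumed addresses/interfaces: peer 203.0.113.2, outside Fa0/0,
! inside Fa0/1 = 192.168.200.0/24, remote LAN 192.168.40.0/24.
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key REPLACE_WITH_REAL_KEY address 203.0.113.2
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! The IPsec profile takes the place of a crypto map. There is no
! "match address" ACL: everything routed into Tunnel0 gets protected.
crypto ipsec profile VTI_PROF
 set transform-set TS
!
! Interface ACL applied to the tunnel: only HTTPS to one remote host
! may leave through the VPN; anything else toward the remote LAN is
! dropped on the tunnel and logged.
ip access-list extended TUNNEL_OUT
 permit tcp 192.168.200.0 0.0.0.255 host 192.168.40.10 eq 443
 deny ip any any log
!
interface Tunnel0
 ! "ip unnumbered" borrows the LAN interface address, so no separate
 ! tunnel subnet has to be agreed with the far end.
 ip unnumbered FastEthernet0/1
 ip access-group TUNNEL_OUT out
 tunnel source FastEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI_PROF
!
! Traffic is steered into the VPN by routing, not by a crypto ACL.
ip route 192.168.40.0 255.255.255.0 Tunnel0
```

Two things to check before relying on this: a static VTI negotiates 0.0.0.0/0 as its phase 2 proxy identities, so the far end must accept that (a peer still running a crypto map with a narrow crypto ACL will not), and an interface ACL applied with `out` does not filter traffic the router itself originates. `show crypto ipsec sa` confirms the SA came up with the any/any proxies, and `show access-lists TUNNEL_OUT` shows hit counts on the deny line, which is the quickest way to see what the LAN is trying to push through the tunnel.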
10-20-2009 08:22 AM
The problem is the other end of the tunnel is not in our control.
The VPN is currently set up using (what I call) the standard VPN setup, therefore I am reluctant, even unsure, as to whether the tunnel interfaces would help us, as we have no shared IP ranges to use as the tunnel interface IP address.
Also, restricting the traffic on the phase 2 ACL doesn't seem to work. Do you, or anyone else, have any other ideas?
Thanks and regards
Steve
10-20-2009 08:27 AM
Hi, I think you can still use a tunnel interface even if the other end uses a crypto map, but that should be tested before.
Other solutions I see would be to put an ACL on the inside interfaces, as once the traffic is tunneled, you won't be able to filter it on the outside interface, but you can still modify the crypto ACL to cipher only one part of the traffic, and drop it with an outside ACL.
Another solution would be to use PBR to the Null0 interface for traffic that shouldn't leave by the tunnel.
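As an added example (not from the thread), here is how the two crypto-map-era options in the answer above look in IOS configuration: the crypto ACL is left as wide as the original post shows, so phase 2 still negotiates with the far end that is not under our control, and the real restriction is done either with ACLs on the inside interface (where traffic is still cleartext in both directions) or with PBR that sends unwanted flows to Null0 before they ever reach the crypto map. All addresses, interface names, the permitted flows (HTTPS to one remote server, RDP to one local host, Telnet dropped) and the pre-shared key are assumptions for illustration.

```cisco
! Added example, not from the thread. Assumed: peer 203.0.113.2,
! outside Fa0/0 = 203.0.113.1/30, inside Fa0/1 = 192.168.200.1/24,
! remote LAN 192.168.40.0/24, pre-shared-key authentication.
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key REPLACE_WITH_REAL_KEY address 203.0.113.2
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! Crypto ACL stays wide, exactly as in the original post, so the
! phase 2 proxy IDs keep matching what the remote side proposes.
ip access-list extended VPN_ACL
 permit ip 192.168.200.0 0.0.0.255 192.168.40.0 0.0.0.255
!
crypto map VPN_MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address VPN_ACL
!
interface FastEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map VPN_MAP
!
! Option 1: filter on the inside interface.
!   "in"  = LAN -> remote, seen before encryption
!   "out" = remote -> LAN, seen after decryption
! These ACLs are stateless, so each direction also has to admit the
! replies of sessions the other direction allowed ("established").
ip access-list extended INSIDE_IN
 remark LAN may only open HTTPS to one remote server
 permit tcp 192.168.200.0 0.0.0.255 host 192.168.40.10 eq 443
 remark replies from the local RDP host to remote-initiated sessions
 permit tcp host 192.168.200.20 eq 3389 192.168.40.0 0.0.0.255
 deny ip 192.168.200.0 0.0.0.255 192.168.40.0 0.0.0.255 log
 permit ip 192.168.200.0 0.0.0.255 any
!
ip access-list extended INSIDE_OUT
 remark remote side may only open RDP to one local host
 permit tcp 192.168.40.0 0.0.0.255 host 192.168.200.20 eq 3389
 remark replies to the HTTPS sessions the LAN opened
 permit tcp 192.168.40.0 0.0.0.255 192.168.200.0 0.0.0.255 established
 deny ip 192.168.40.0 0.0.0.255 192.168.200.0 0.0.0.255 log
 permit ip any any
!
interface FastEthernet0/1
 ip address 192.168.200.1 255.255.255.0
 ip access-group INSIDE_IN in
 ip access-group INSIDE_OUT out
!
! Option 2 (alternative to INSIDE_IN): policy-route flows that must
! not use the VPN into Null0, so the crypto map never sees them.
ip access-list extended DROP_BEFORE_VPN
 permit tcp 192.168.200.0 0.0.0.255 192.168.40.0 0.0.0.255 eq 23
route-map NOT_VIA_VPN permit 10
 match ip address DROP_BEFORE_VPN
 set interface Null0
! Apply under interface FastEthernet0/1 instead of (or alongside) the
! inbound ACL:
!  ip policy route-map NOT_VIA_VPN
```

The inside-interface ACL is the option that gives visibility: `show access-lists INSIDE_IN` and `show access-lists INSIDE_OUT` expose hit counts on the deny lines, and the `log` keyword produces syslog entries for what each side attempted, which is worth having when the remote network is administered by someone else. The PBR variant silently discards, so it is better suited to a small, well-understood set of flows than to a general policy. Neither option changes what phase 2 negotiates, which is why they work where narrowing VPN_ACL did not.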