
Site-to-Site VPN Access-list confusion

paul_shiner
Level 1

Hi All,

I was wondering if someone could help explain access lists when configuring site-to-site VPN tunnels. Basically I used this guide to roughly create a GNS3 lab for getting to understand IPSec tunnels etc.

http://commonerrors.blogspot.co.uk/2011/09/site-to-site-vpn-cli-configuration-on.html

Thing is, this config works, and my confusion is about the ACLs they use. There is no mention of the internal 10.1.1.1 subnet on the US router, but the Pakistan router has its internal 172.16.x.x range in the ACLs (but not its external ISP IPs).

Why does this work? Is this setup incorrect?

With these site-to-site VPN tunnels, what source/destination IP ranges should be in them?

Any help or information would be great.

Thanks,

Paul

Accepted Solution

Jennifer Halim
Cisco Employee

With the crypto ACL, the source should be the local LAN subnet and the destination should be the remote LAN subnet. Crypto ACL defines the interesting traffic that you would like to encrypt between local and remote peer.

The external interface of the router (typically the one with the public IP assigned by ISP) will be used to encrypt the crypto ACL and is defined by the "set peer" command.

Hope that helps.
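To make the answer above concrete, here is an added example (not the blog's configuration and not Jennifer's code) of the mirror-image crypto ACLs and crypto maps on both routers. The LAN subnets 10.1.1.0/24 and 172.16.1.0/24 follow the thread; the public peer addresses 198.51.100.1 and 203.0.113.2, the object names, and the pre-shared key are assumed placeholders.

```cisco
! ---- US router (local LAN 10.1.1.0/24, remote LAN 172.16.1.0/24) ----
! Crypto ACL: source = local LAN, destination = remote LAN.
! Public/ISP addresses never appear here; they only appear in "set peer".
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Pre-shared key is a placeholder; the address is the remote peer's public IP.
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.2
!
crypto ipsec transform-set VPN-TS esp-aes 256 esp-sha256-hmac
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set VPN-TS
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 description ISP-facing interface (public IP 198.51.100.1)
 ip address 198.51.100.1 255.255.255.252
 crypto map VPN-MAP
!
! ---- Pakistan router: the exact mirror image ----
ip access-list extended VPN-TRAFFIC
 permit ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 198.51.100.1
!
crypto ipsec transform-set VPN-TS esp-aes 256 esp-sha256-hmac
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set VPN-TS
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 description ISP-facing interface (public IP 203.0.113.2)
 ip address 203.0.113.2 255.255.255.252
 crypto map VPN-MAP
```

After traffic between the two LANs is sent, `show crypto ipsec sa` should list the two subnets as the local and remote ident, mirrored on each side. If either router also runs NAT overload on the ISP interface, the VPN traffic must be denied in the NAT ACL, otherwise it is translated before it reaches the crypto map and never matches the crypto ACL.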


3 Replies


Just the information I needed.

I thought that was meant to be the case but after seeing that configuration I was confused. Working on it a little more, it seems that configuration doesn't actually work and I needed to put internal IPs in the ACL.

Next I'm on to understanding/setting up GRE tunnels so I can get some dynamic routing going.

Thanks for your help and quick response.

Great to hear that it makes more sense now.

All the best with GRE and feel free to post more questions on the forum if you have any.