09-19-2011 01:58 PM
Hi all,
my predecessor configured our VPN gateway on our secondary router. Here is the relevant portion of the config.
crypto isakmp client configuration group MAIN-CLIENT-VPN
key XXXX-XXXX
dns 192.168.177.7 192.168.100.1
wins 192.168.177.7
domain XXXX.local
pool SDM_POOL_1
acl 104
I'm still trying to catch up in a few programming areas and I'm not sure what the ACL in this command set is for or how it will affect users connecting to the gateway.
Can anyone point me in the direction of a useful Cisco document or explain, please? I've been all over the Cisco website and keep going round in circles (it's as if Cisco want to sell me something; it's like trying to get out of a Vegas casino without going past the slots).
Many thanks in advance.
Paul
09-20-2011 09:12 AM
Hello Paul,
Parminder's answer is correct as well; this ACL is used to match the interesting traffic (that is, the traffic that is going to be sent over the VPN tunnel encrypted).
You will need to classify into your ACL the traffic being originated on your end, because that is the traffic that is going to be encrypted; the other traffic (coming from the other site or the clients) is already encrypted and you are going to decrypt it as soon as it gets to your end.
I hope this has been informative.
Regards,
Julio
09-19-2011 02:16 PM
Hello Paul,
The access-list on a VPN gateway is going to be used to match the interesting traffic between the VPN sites and then place it into the crypto map, so let's say this is how this ACL looks in your configuration:
access-list 104 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
In this case ACL 104 is going to permit the IP traffic between 192.168.10.0 and 192.168.20.0.
I hope this helps you.
Regards,
Julio
09-19-2011 10:40 PM
Hi Paul,
The ACL in VPN defines what to encrypt.
access-list 104 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
The above access-list defines that traffic from subnet 192.168.10.0 to 192.168.20.0 should get encrypted.
Hope this helps,
Sian
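The following is an added example, not code from this thread or from Cisco: a small Python model of how an IOS numbered ACL classifies a flow, using the access-list 104 line quoted in the two answers above. It shows the two points a newcomer usually trips over: wildcard masks are "don't care" bits (a 1 bit in the mask means that address bit is ignored), and the entry is written from this gateway's point of view, so the reverse flow does not match until the peer carries the mirrored entry. The parser only handles `permit`/`deny ... ip` entries with `any`, `host A.B.C.D` or `A.B.C.D W.W.W.W` address specs (no ports or other protocols), and the implicit deny at the end of every IOS ACL is modelled by returning "deny" when nothing matched. The helper and function names are this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class AclEntry:
    action: str      # "permit" or "deny"
    src: int         # source base address as an integer
    src_wild: int    # wildcard mask: 1 bits are "don't care"
    dst: int
    dst_wild: int


def _parse_addr_spec(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i].

    Returns (base, wildcard, next_index)."""
    tok = tokens[i]
    if tok == "any":
        return 0, ALL_ONES, i + 1                 # every bit is "don't care"
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    base = int(ipaddress.IPv4Address(tok))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return base, wild, i + 2


def parse_acl_line(line: str) -> Tuple[str, AclEntry]:
    """Parse one 'access-list N permit|deny ip SRC DST' line into (N, AclEntry)."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
        raise ValueError("only 'access-list N permit|deny ip ...' is modelled: " + line)
    number, action = tokens[1], tokens[2]
    if action not in ("permit", "deny"):
        raise ValueError("unknown action: " + action)
    src, src_wild, i = _parse_addr_spec(tokens, 4)
    dst, dst_wild, _ = _parse_addr_spec(tokens, i)
    return number, AclEntry(action, src, src_wild, dst, dst_wild)


def _addr_matches(addr: int, base: int, wild: int) -> bool:
    # Bits that are 0 in the wildcard must be equal; bits that are 1 are ignored.
    care = ~wild & ALL_ONES
    return (addr & care) == (base & care)


def classify(entries: List[AclEntry], src_ip: str, dst_ip: str) -> str:
    """First-match evaluation, like IOS; unmatched flows hit the implicit deny."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    for e in entries:
        if _addr_matches(s, e.src, e.src_wild) and _addr_matches(d, e.dst, e.dst_wild):
            return e.action
    return "deny"


def mirror(entry: AclEntry) -> AclEntry:
    """The entry the far-end gateway needs: source and destination swapped."""
    return AclEntry(entry.action, entry.dst, entry.dst_wild, entry.src, entry.src_wild)


# The ACL line quoted in the answers above (this is the thread's example, not a
# constructed one); the second line is a constructed 'any' entry for contrast.
THREAD_ACL = "access-list 104 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255"
CONSTRUCTED_ANY = "access-list 105 permit ip 192.168.10.0 0.0.0.255 any"

ENTRIES_104 = [parse_acl_line(THREAD_ACL)[1]]
ENTRIES_105 = [parse_acl_line(CONSTRUCTED_ANY)[1]]
PEER_ENTRIES_104 = [mirror(e) for e in ENTRIES_104]


if __name__ == "__main__":
    # Outbound from the 192.168.10.0 LAN to the remote 192.168.20.0 LAN: interesting.
    print(classify(ENTRIES_104, "192.168.10.5", "192.168.20.9"))   # permit
    # The reverse flow is the peer's job; on this side it does not match ACL 104.
    print(classify(ENTRIES_104, "192.168.20.9", "192.168.10.5"))   # deny
    # ...but it does match the mirrored copy the far-end gateway carries.
    print(classify(PEER_ENTRIES_104, "192.168.20.9", "192.168.10.5"))  # permit
    # With 'any' as the destination, Internet-bound traffic is also selected.
    print(classify(ENTRIES_105, "192.168.10.5", "8.8.8.8"))        # permit
```

The third call is the concrete reading of Julio's point: each side lists the traffic that originates locally, and the peer lists the same pair the other way round. The fourth call shows why an `any` destination deserves a second look before it goes into a crypto or split-tunnel ACL, since it pulls every flow from that subnet into the tunnel, not just traffic for the remote site.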
09-20-2011 12:58 AM
So should I classify traffic to and from my VPN users?
ie
acl 104 permit ip 192.168.0.0 0.0.255.255 any (for internal LAN)
acl 104 permit ip 172.16.0.0 0.0.255.255 any (for VPN users connecting in)
Thanks.