What does the acl do when configuring a router as a VPN gateway?

Paul Morgan
Level 1

Hi all,

my predecessor configured our VPN gateway on our secondary router. Here is the relevant portion of the config.

crypto isakmp client configuration group MAIN-CLIENT-VPN

key XXXX-XXXX

dns 192.168.177.7 192.168.100.1

wins 192.168.177.7

domain XXXX.local

pool SDM_POOL_1

acl 104

I'm still trying to catch up in a few programming areas and I'm not sure what the ACL in this command set is for or how it will affect users connecting to the gateway.

Can anyone point me in the direction of a useful Cisco document or explain please? I've been all over the Cisco website and keep going round in circles (it's as if Cisco want to sell me something; it's like trying to get out of a Vegas casino without going past the slots).

Many thanks in advance.

Paul


4 Replies

Julio Carvajal
VIP Alumni

Hello Paul,

The access-list on a VPN gateway is going to be used to match the interesting traffic between the VPN sites and then place it into the crypto map, so let's say this is how this ACL looks in your configuration:

access-list 104 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255

In this case ACL 104 is going to permit the IP traffic between 192.168.10.0 and 192.168.20.0.

I hope this helps you.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Parminder Sian
Level 1

Hi Paul,

The ACL in VPN defines what to encrypt.

access-list 104 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255

The above access-list defines that traffic from subnet 192.168.10.0 to 192.168.20.0 should get encrypted.

Hope this helps,

Sian

So should I classify traffic to and from my VPN users?

ie

access-list 104 permit ip 192.168.0.0 0.0.255.255 any (for internal LAN)

access-list 104 permit ip 172.16.0.0 0.0.255.255 any (for VPN users connecting in)

Thanks.

Hello Paul,

Parminder's answer is correct as well; this ACL is used to match the interesting traffic (that is, the traffic that is going to be sent over the VPN tunnel encrypted).

You will need to classify into your ACL the traffic being originated at your end, because that is the traffic that is going to be encrypted; the other traffic (coming from the other site or the clients) is already encrypted and you are going to decrypt it as soon as it gets to your end.

I hope this has been informative.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
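An added example (mine, not from the thread or from Cisco) that applies the wildcard-mask matching the replies describe: it parses numbered extended ACL entries like the ones quoted above and reports whether a given source/destination pair is classified as interesting traffic. The sample entries are constructed from the lines quoted in the thread; IOS evaluates entries top to bottom and ends every ACL with an implicit deny, so a flow that matches nothing is left out of the crypto tunnel.

```python
import ipaddress

# Constructed sample: the entry from the replies plus Paul's proposed
# internal-LAN entry, in IOS numbered extended ACL syntax.
ACL_104 = [
    "access-list 104 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255",
    "access-list 104 permit ip 192.168.0.0 0.0.255.255 any",
]


def _parse_addr(tokens, i):
    """Consume one IOS address spec at tokens[i]; return (network, wildcard, next_index)."""
    tok = tokens[i]
    if tok == "any":  # shorthand for 0.0.0.0 255.255.255.255
        return 0, 0xFFFFFFFF, i + 1
    if tok == "host":  # shorthand for <addr> 0.0.0.0
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    return (int(ipaddress.IPv4Address(tok)),
            int(ipaddress.IPv4Address(tokens[i + 1])), i + 2)


def parse_entry(line):
    """Parse 'access-list <n> permit|deny ip <src spec> <dst spec>' into a dict."""
    tokens = line.split()
    if (len(tokens) < 6 or tokens[0] != "access-list"
            or tokens[2] not in ("permit", "deny") or tokens[3] != "ip"):
        raise ValueError(f"unsupported entry: {line}")
    src, src_wc, i = _parse_addr(tokens, 4)
    dst, dst_wc, _ = _parse_addr(tokens, i)
    return {"number": int(tokens[1]), "action": tokens[2],
            "src": src, "src_wc": src_wc, "dst": dst, "dst_wc": dst_wc}


def _matches(addr, network, wildcard):
    # A wildcard bit of 1 means "don't care": compare only bits where it is 0.
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (network & care)


def classify(acl_lines, src_ip, dst_ip):
    """Return 'permit' (interesting traffic, i.e. sent through the tunnel) or 'deny'.

    Entries are checked top to bottom and the first match wins; an IOS ACL
    ends with an implicit deny, so unmatched flows are not encrypted.
    """
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    for entry in map(parse_entry, acl_lines):
        if _matches(s, entry["src"], entry["src_wc"]) and _matches(d, entry["dst"], entry["dst_wc"]):
            return entry["action"]
    return "deny"  # implicit deny at the end of every IOS ACL
```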