cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
1387
Views
0
Helpful
4
Replies
Highlighted
Beginner

What does the acl do when configuring a router as a VPN gateway?

Hi all,

my predecessor configured our VPN gateway on our secondary router. Here is the relevant portion of the config.

crypto isakmp client configuration group MAIN-CLIENT-VPN

key XXXX-XXXX

dns 192.168.177.7 192.168.100.1

wins 192.168.177.7

domain XXXX.local

pool SDM_POOL_1

acl 104

Im still trying to catch up in a few programming areas and Im not sure what the ACL in this command set is for or how it will affect users connecting to the gateway.

Can anyone point me in the direction of a useful Cisco document or explain please? Ive been all over the Cisco website and keep going round in circles (its as if Cisco want to sell me something; its like trying to get out of a Vegas casino without going past the slots)

Many thanks in advance.

Paul

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted

Hello Paul,

Parminder answer is correct as well, this ACL is used to match the interesting traffic ( that is going to be sent over the VPN tunnel encrypted).

You will need to classify into your ACL the traffic being originated in your end because that is the traffic that is going to be encripted, the other one (Coming from the other site or the clients) It is already encrypted and you are going to decripted as soon as it get to your end.

I hope this has been informative.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

4 REPLIES 4
Highlighted

Hello Paul,

The Access-list on a VPN gateway is going to be used to match the interesting traffic between the VPN sites and then place it into the crypto map, so lets say this is how this ACL looks in your configuration:

                    access-list 104 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255

In this case the ACL 104 is going to permit the ip traffic between 192.168.10.0 to 192.168.20.0

I hope this help you.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Highlighted
Beginner

Hi Paul,

The ACL in VPN defines what to encrypt.

access-list 104 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255

The above access-list defines that traffic from subnet 192.168.10.0 to 192.168.20.0 should get encrypted.

Hope this helps,

Sian

Highlighted

So should I classify traffic to and from my VPN users?

ie

acl 104 permit ip 192.168.0.0 0.0.255.255 any (for internal LAN)

acl 104 permit ip 172.16.0.0 0.0.255.255 any (for VPN users connecting in)

Thanks.

Highlighted

Hello Paul,

Parminder answer is correct as well, this ACL is used to match the interesting traffic ( that is going to be sent over the VPN tunnel encrypted).

You will need to classify into your ACL the traffic being originated in your end because that is the traffic that is going to be encripted, the other one (Coming from the other site or the clients) It is already encrypted and you are going to decripted as soon as it get to your end.

I hope this has been informative.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

Content for Community-Ad