Is there a change in access-list behavior regarding VPN?

Discussion in 'Cisco' started by Jens Haase, Nov 22, 2005.

  1. Jens Haase

    Jens Haase Guest

    Hi,

    I am a little confused.

    As far as I know, when you do a router-to-router VPN you have to apply an
    access-list to the terminating interface to allow the traffic from the
    remote side in:


    192.168.1.0 - e0-Router 1-e1 - Internet - e1-Router 2-e0 - 192.168.2.0

    So for the VPN to work you have to permit traffic from 192.168.2.0 in on
    Router1's e1 interface, because after the packets are decrypted the
    access-list is checked. This gives you some more security when you only
    want to permit traffic to specific ports from the remote side.

    Recently I installed a VPN with a Cisco 836 and IOS 12.3(11)YK1 and
    noticed that the behavior has changed. I did not allow any traffic
    besides isakmp, ipsec and icmp on the outside interface, and all traffic
    from the remote network was able to pass to my network over the VPN
    connection.

    Did they remove the additional check after decrypting the packet?


    Jens
     
    Jens Haase, Nov 22, 2005
    #1
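The layout Jens describes, written out as a Router1 configuration. This is an added example, not configuration from the original post or from Cisco; the public addresses 203.0.113.1 (Router1 e1) and 198.51.100.1 (Router2 e1), the pre-shared key, the ISAKMP policy, the transform set and the interface names Ethernet0/Ethernet1 are assumptions, since the post only gives the two private LANs. The OUTSIDE-IN list carries both the entries that admit the tunnel itself and the entries that are only meaningful if the router re-checks the interface ACL on decrypted packets; the TO-LAN list is an added suggestion that filters decrypted traffic regardless of that behavior.

```cisco
! Added example (not from the original post): Router1 side of the
! site-to-site IPsec tunnel. 203.0.113.1 and 198.51.100.1 are assumed
! public addresses (RFC 5737 documentation ranges); PSK, ISAKMP policy
! and transform set are assumed values.
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key EXAMPLE-PSK address 198.51.100.1
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! Crypto ACL: selects which LAN-to-LAN traffic is encrypted.
! Router2 needs the mirror image of this list.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address VPN-TRAFFIC
!
! Inbound ACL on the outside interface. The first three entries admit the
! tunnel (IKE, ESP, ICMP to the router). The last two entries are the
! second check Jens relies on: on IOS that re-checks the interface ACL
! after decryption, only these inner flows from the remote LAN get in
! (TCP 445 and ICMP are just example services).
ip access-list extended OUTSIDE-IN
 permit udp host 198.51.100.1 host 203.0.113.1 eq isakmp
 permit esp host 198.51.100.1 host 203.0.113.1
 permit icmp any host 203.0.113.1
 permit tcp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 445
 permit icmp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny   ip any any log
!
interface Ethernet1
 description outside (Internet)
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 crypto map VPN
!
! If the running IOS does not re-check the interface ACL after decryption
! (the behavior Jens observed on 12.3(11)YK1), the two inner-flow entries
! in OUTSIDE-IN are never consulted. An outbound ACL on the inside
! interface is applied to the decrypted, routed packets before they reach
! 192.168.1.0/24 whichever way the outside ACL behaves. Assumed placement,
! not something the post describes.
ip access-list extended TO-LAN
 permit tcp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 445
 permit icmp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 log
 permit ip any any
!
interface Ethernet0
 description inside (192.168.1.0/24)
 ip address 192.168.1.1 255.255.255.0
 ip access-group TO-LAN out
```

The `deny ... log` lines are the quickest way to test which behavior a given IOS image has: send something other than TCP 445 or ICMP from 192.168.2.0/24 across the tunnel and watch whether the OUTSIDE-IN deny or only the TO-LAN deny fires in the log.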