Question on Remote Access VPN Access Control on IOS

Discussion in 'Cisco' started by Uto cen, Jan 25, 2007.

  1. Uto cen

    Uto cen Guest

    Hi,
    I'm configuring remote access VPN using Cisco VPN Client to an IOS router.
    Things are working fine, i.e. using dynamic crypto map, XAUTH, and group
    policy to push dns, DHCP ip address, etc. to the client.
    One thing I haven't been able to do is to apply ACL to filter the VPN
    traffic - this is to restrict VPN clients access to only certain ports on
    our internal server.
    I know that in the ASA/PIX, a filter list can be applied to the group
    policy, but i just can't find similar functionality in the IOS group policy.

    Any help appreciated!
    TIA.
     
    Uto cen, Jan 25, 2007
    #1

  2. Uli Link

    Uli Link Guest

    Uto cen wrote:
    > One thing I haven't been able to do is to apply ACL to filter the VPN
    > traffic - this is to restrict VPN clients access to only certain ports on
    > our internal server.


    IOS 12.3(8)T introduced Crypto Clear Text ACLs.

    crypto map sample_cmap 100 ipsec-isakmp
    set ip access-group 110 in
    set ip access-group 111 out


    So access-list 110 will filter (or permit!) traffic independent from the
    inbound ACL on the interface with the crypto map;
    access-list 111 is able to restrict the traffic from the router into the
    IPsec tunnel.

    --
    Uli
     
    Uli Link, Jan 25, 2007
    #2

  3. Uto cen

    Uto cen Guest

    Thanks! Exactly what I needed to know.
    And that should work for dynamic maps as well?


    "Uli Link" <> wrote in message
    news:45b901f3$0$27609$-online.net...
    > Uto cen wrote:
    >> One thing I haven't been able to do is to apply ACL to filter the VPN
    >> traffic - this is to restrict VPN clients access to only certain ports on
    >> our internal server.

    >
    > IOS 12.3(8)T introduced Crypto Clear Text ACLs.
    >
    > crypto map sample_cmap 100 ipsec-isakmp
    > set ip access-group 110 in
    > set ip access-group 111 out
    >
    >
    > So access-list 110 will filter (or permit!) traffic independent from the
    > inbound ACL on the interface with the crypto map;
    > access-list 111 is able to restrict the traffic from the router into the IPsec
    > tunnel.
    >
    > --
    > Uli
     
    Uto cen, Jan 26, 2007
    #3
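The two `set ip access-group` lines Uli shows, worked into a fuller configuration that does what the original question asks (limit VPN clients to a few ports on one internal server). This is added example configuration, not from the thread or from Cisco's documentation: the ACL numbers 110 and 111 follow the post, but the client pool 10.10.10.0/24, the server address 192.168.1.10, the permitted ports, and the map and transform-set names are assumed values, and placing `set ip access-group` under a `crypto dynamic-map` (the follow-up question in #3, which the thread leaves unanswered) is an assumption about the feature rather than something the posts confirm. The rest of the remote-access setup the first post describes (ISAKMP policy, client group with XAUTH, pushed DNS) is taken to already exist.

```cisco
! Added example, not from the thread. Assumed values: client pool
! 10.10.10.0/24, internal server 192.168.1.10, ports 443 and 22,
! names RA-DYN, RA-CMAP and ESP-AES-SHA, and that set ip access-group
! is accepted under a dynamic crypto map.
!
! ACL 110 is checked on clear-text packets AFTER decryption, i.e. what
! the VPN clients send in. It is evaluated on its own, regardless of the
! inbound ACL on the physical interface, so it has to permit everything
! the clients are allowed to do and nothing else. The final deny is
! logged so blocked attempts show up in the router log.
access-list 110 permit tcp 10.10.10.0 0.0.0.255 host 192.168.1.10 eq 443
access-list 110 permit tcp 10.10.10.0 0.0.0.255 host 192.168.1.10 eq 22
access-list 110 deny   ip any any log
!
! ACL 111 is checked on clear-text packets BEFORE encryption, i.e. what
! the router is about to send down the tunnel to the clients. Only return
! traffic from the permitted server ports is allowed back to the pool.
access-list 111 permit tcp host 192.168.1.10 eq 443 10.10.10.0 0.0.0.255 established
access-list 111 permit tcp host 192.168.1.10 eq 22  10.10.10.0 0.0.0.255 established
access-list 111 deny   ip any any log
!
! Address pool handed to clients by the group policy (assumed range).
ip local pool RA-POOL 10.10.10.1 10.10.10.254
!
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
!
! Dynamic map for the remote-access clients; the two set ip access-group
! lines are the Crypto Clear Text ACLs from the post.
crypto dynamic-map RA-DYN 10
 set transform-set ESP-AES-SHA
 set ip access-group 110 in
 set ip access-group 111 out
 reverse-route
!
crypto map RA-CMAP 100 ipsec-isakmp dynamic RA-DYN
!
interface GigabitEthernet0/0
 crypto map RA-CMAP
```

The point of the `in` list is the one Uli flags with "(or permit!)": because it is evaluated independently of the interface ACL, an overly broad entry there opens the server to the whole pool even if the interface ACL is tight, so the list should enumerate the allowed ports explicitly and end in an explicit logged deny rather than relying on the implicit one.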