Question on Remote Access VPN Access Control on IOS

Discussion in 'Cisco' started by Uto cen, Jan 25, 2007.

  1. Uto cen

    Uto cen Guest

    I'm configuring remote access VPN using Cisco VPN Client to an IOS router.
    Things are working fine, i.e. using dynamic crypto map, XAUTH, and group
    policy to push DNS, DHCP IP address, etc. to the client.
    One thing I haven't been able to do is to apply an ACL to filter the VPN
    traffic - this is to restrict VPN clients' access to only certain ports on
    our internal server.
    I know that in the ASA/PIX, a filter list can be applied to the group
    policy, but I just can't find similar functionality in the IOS group policy.

    Any help appreciated!
    Uto cen, Jan 25, 2007

  2. Uto cen

    Uli Link Guest

    IOS 12.3(8)T introduced Crypto Clear Text ACLs.

    crypto map sample_cmap 100 ipsec-isakmp
     set ip access-group 110 in
     set ip access-group 111 out

    So access-list 110 will filter (or permit!) traffic independently of the
    inbound ACL on the interface with the crypto map.
    access-list 111 is able to restrict the traffic from the router into the
    IPsec tunnel.
    Uli Link, Jan 25, 2007
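
An added example, not part of the posts above: one way ACLs 110 and 111 could be written to limit VPN clients to specific ports on one internal server, attached to the crypto map entry form shown in the reply. The client pool, server address and port numbers are constructed assumptions.

```cisco
! Constructed values (assumptions, not from the thread):
!   VPN client pool  10.10.10.0/24
!   internal server  10.1.1.10, reachable on TCP 443 and TCP 22 only
!
! ACL 110: checked against clear-text packets after decryption,
! i.e. traffic arriving from the VPN clients.
access-list 110 remark VPN clients to internal server, allowed ports only
access-list 110 permit tcp 10.10.10.0 0.0.0.255 host 10.1.1.10 eq 443
access-list 110 permit tcp 10.10.10.0 0.0.0.255 host 10.1.1.10 eq 22
access-list 110 deny   ip any any log
!
! ACL 111: checked against clear-text packets before encryption,
! i.e. traffic heading into the tunnel toward the clients.
! Extended ACLs are stateless, so replies from the server's
! service ports have to be permitted explicitly.
access-list 111 remark internal server to VPN clients, replies only
access-list 111 permit tcp host 10.1.1.10 eq 443 10.10.10.0 0.0.0.255 established
access-list 111 permit tcp host 10.1.1.10 eq 22 10.10.10.0 0.0.0.255 established
access-list 111 deny   ip any any log
!
! Attach both ACLs to the existing crypto map entry; its peer,
! transform-set and match address lines stay as they are.
crypto map sample_cmap 100 ipsec-isakmp
 set ip access-group 110 in
 set ip access-group 111 out
```

After a client connects, `show access-lists 110` and `show access-lists 111` display per-line match counters, which confirms that tunnel traffic is hitting the intended entries and that the final deny is catching everything else.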

  3. Uto cen

    Uto cen Guest

    Thanks! Exactly what I needed to know.
    And that should work for dynamic maps as well?
    Uto cen, Jan 26, 2007