Need to limit traffic going over VPN tunnel on router. Specific Crypto ACL?
Posted on 2010-09-24
I have a Cisco 2811 ISR router that I am going to be connecting to a Cisco 5520 ASA. I need to only allow HTTP and SSL traffic going across the tunnel in both directions. Would just specifying an extended crypto ACL covering HTTP or SSL do the trick, or do I need to create an inbound extended access list? I have two other tunnels connecting to this router, and it is also connected to a firewall and sending traffic to the internet.
Would this access-list work to allow only the specific traffic from the network in question and all traffic from the other locations?
! Named extended ACL; the "extended" keyword is needed to match on protocol and ports
ip access-list extended outside
 ! IOS ACLs take wildcard masks (0.0.0.255), not subnet masks; a port qualifier
 ! applies to the address it follows (destination port for clients on .2.0 reaching
 ! servers on .1.0); "http"/"ssl" are not IOS port names, so use www and 443
 permit tcp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 eq www
 permit tcp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 443
 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
!
interface FastEthernet0/0
 ip access-group outside in
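An added configuration example, not part of the original post, showing one way to meet the requirement on the IOS side: the crypto ACL stays a plain subnet-to-subnet selector (it only decides what gets encrypted; non-matching traffic is not dropped, it is forwarded in the clear along its normal route, and port-specific crypto ACLs are awkward to mirror on the ASA), and an inbound ACL on the outside interface does the HTTP/HTTPS filtering. The peer address 203.0.113.2, the interface address, and the names CRYPTO-TO-ASA, OUTSIDE-MAP, ESP-AES-SHA and OUTSIDE-IN are assumptions for illustration only.

```cisco
! Crypto ACL: selects traffic to encrypt toward the ASA (must be mirrored on the ASA).
! Subnet-to-subnet on purpose; the protocol filter lives in the interface ACL below.
ip access-list extended CRYPTO-TO-ASA
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! Hypothetical transform set, peer and map names (assumptions for this example)
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set ESP-AES-SHA
 match address CRYPTO-TO-ASA
!
! Inbound ACL on the outside interface. With a classic crypto map, IOS checks an
! inbound interface ACL against the incoming IKE/ESP packet from the peer and again
! against the decrypted inner packet, so both must be permitted here.
ip access-list extended OUTSIDE-IN
 remark IKE, NAT-T and ESP from the ASA peer (repeat for the two other tunnel peers)
 permit udp host 203.0.113.2 eq isakmp any eq isakmp
 permit udp host 203.0.113.2 eq non500-isakmp any eq non500-isakmp
 permit esp host 203.0.113.2 any
 remark Decrypted traffic from the ASA side: web requests to servers on 192.168.1.0
 permit tcp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 eq www
 permit tcp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 443
 remark ...and replies from web servers on 192.168.2.0 to clients on 192.168.1.0
 permit tcp 192.168.2.0 0.0.0.255 eq www 192.168.1.0 0.0.0.255 established
 permit tcp 192.168.2.0 0.0.0.255 eq 443 192.168.1.0 0.0.0.255 established
 remark The two other tunnels stay unrestricted
 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
 remark Internet return traffic that enters this interface needs its own permits here;
 remark everything else falls to the explicit deny, logged while testing
 deny ip any any log
!
interface FastEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map OUTSIDE-MAP
 ip access-group OUTSIDE-IN in
```

This filters only what arrives on the outside interface, i.e. traffic from the ASA side toward 192.168.1.0. To restrict what 192.168.1.0 may send into the tunnel, apply a matching ACL inbound on the LAN-facing interface; the crypto map alone will not do that filtering. On the ASA side, note that decrypted VPN traffic bypasses interface ACLs by default (sysopt connection permit-vpn), so if the same restriction is wanted there it has to be enforced with vpn-filter or by disabling that bypass.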