greenbeanx81
Need to limit traffic going over VPN tunnel on router. Specific Crypto ACL?

Hello,

I have a Cisco 2811 ISR router that I am going to be connecting to a Cisco 5520 ASA. I need to only allow HTTP and SSL traffic going across the tunnel in both directions. Would just specifying an extended crypto ACL covering HTTP or SSL do the trick, or do I need to create an inbound extended access list? I have two other tunnels connecting to this router, and it is also connected to a firewall and sending traffic to the internet.

Would this access-list work to allow only the specific traffic from the network in question and all traffic from the other locations?

! Named extended ACL (IOS needs the "extended" keyword for protocol/port matching).
! IOS uses wildcard masks (0.0.0.255), not subnet masks; the "eq" port operator
! goes on the destination side for client-to-server traffic; "ssl" is not an IOS
! port keyword, so HTTPS is written as 443 and HTTP as "www".
ip access-list extended outside
 permit tcp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 eq www
 permit tcp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 443
 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
!
interface FastEthernet0/0
 ip access-group outside in
DIPRAJ

The command syntax is:

access-list access-list-number [dynamic dynamic-name [timeout minutes]]
  {deny | permit} protocol source source-wildcard destination
    destination-wildcard
  [precedence precedence] [tos tos] [log | log-input]
    [time-range time-range-name] [fragments]
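Added example (mine, not part of the thread or of DIPRAJ's syntax summary): a small Python evaluator for the extended-ACL form above, run against the access-list as posted and against a corrected version, to show why IOS wildcard masks (0.0.0.255, not 255.255.255.0) and the position of the "eq" operator decide what matches. The packets, ACL entries and port-name table are constructed for the demonstration.

```python
# Added example, not from the thread: a minimal evaluator for IOS extended ACL
# entries showing how wildcard masks and "eq" port position decide a match.
import ipaddress
PORT_NAMES = {"www": 80, "telnet": 23, "smtp": 25}  # IOS keyword subset; no "ssl"

def _to_int(ip):
    return int(ipaddress.IPv4Address(ip))

def wildcard_match(addr, base, wildcard):
    """IOS semantics: a 1 bit in the wildcard means 'do not care'."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)

def parse_ace(line):
    """Parse 'permit|deny proto src src-wc [eq port] dst dst-wc [eq port]'."""
    tok = line.split()
    ace, i = {"action": tok[0], "proto": tok[1]}, 2
    for side in ("src", "dst"):
        ace[side], ace[side + "_wc"], i = tok[i], tok[i + 1], i + 2
        ace[side + "_port"] = None
        if i < len(tok) and tok[i] == "eq":  # "eq" binds to the side just read
            ace[side + "_port"] = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
            i += 2
    return ace

def evaluate(acl, pkt):
    """Action of the first matching entry; every IOS ACL ends in an implicit deny."""
    for ace in map(parse_ace, acl):
        if all((ace["proto"] in ("ip", pkt["proto"]),
                wildcard_match(pkt["src"], ace["src"], ace["src_wc"]),
                wildcard_match(pkt["dst"], ace["dst"], ace["dst_wc"]),
                ace["src_port"] in (None, pkt["sport"]),
                ace["dst_port"] in (None, pkt["dport"]))):
            return ace["action"]
    return "deny"

def tcp(src, sport, dst, dport):
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport}
# Constructed packets: an HTTP request and reply across the tunnel, plus SSH (must be denied).
HTTP_REQ = tcp("192.168.2.10", 51000, "192.168.1.20", 80)
HTTP_REPLY = tcp("192.168.1.20", 80, "192.168.2.10", 51000)
SSH_REQ = tcp("192.168.2.10", 51001, "192.168.1.20", 22)

# As posted: subnet masks in the wildcard field and "eq www" on the source side.
AS_POSTED = ["permit tcp 192.168.2.0 255.255.255.0 eq www 192.168.1.0 255.255.255.0"]
# Corrected: /24 wildcards, port on the destination, mirror entries for replies.
CORRECTED = ["permit tcp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 eq www",
             "permit tcp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 443",
             "permit tcp 192.168.1.0 0.0.0.255 eq www 192.168.2.0 0.0.0.255",
             "permit tcp 192.168.1.0 0.0.0.255 eq 443 192.168.2.0 0.0.0.255"]
```

The entry as posted never matches the HTTP request: a 255.255.255.0 wildcard only cares about the last octet, and "eq www" on the source side is compared against the client's ephemeral port rather than the server's port 80.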
ASKER CERTIFIED SOLUTION
DIPRAJ