ACL to filter ipsec traffic

We have a branch office connected to our main site with an IPSEC tunnel.

Inside said office is a printer that someone at the main site won't stop printing too by accident.

How can we setup an ACL to block all traffic to the specific IP of the printer and so we can SYSLOG who is doing it?
Who is Participating?
Ernie BeekConnect With a Mentor ExpertCommented:
If I may add to the comment of my esteemed fellow expert Pete:

If, in your ASA, there is the following in place: no sysopt connection permit-vpn you need to use ACL's to allow traffic through the VPN.
In that case I think it would be neater to use those ACL's to block the traffic. As a matter of fact you can use an ACL on the inside interface of the ASA to block this anyway.
I even think it then has less impact because it's dropped earlier and not processed any further (Pete?)
Hassan BesherCommented:
you can block IP you want when you define the intersting traffic that pass between the two routers e.g:

if that your normal ACL to go from Site B ( to your HQ site (

R1(config)# ip access-list extended VPN-TRAFFIC
R1(config-ext-nacl)# permit ip

so let's say that your Printer IP in  HQ Site is and you want to deny it from ip you simply modify it to be:

R1(config)# ip access-list extended VPN-TRAFFIC
R1(config-ext-nacl)# deny ip host host log
R1(config-ext-nacl)# permit ip
Pete LongConnect With a Mentor Technical ConsultantCommented:
^^ These appear to be IOS Router commands?

On you ASA Locate the ACL that's mentioned in the cryptomap like so

Petes-ASA(config)# show run crypto map
crypto map outside_map 19 match address VPN-INTERESTING-TRAFFIC
crypto map outside_map 19 set pfs
crypto map outside_map 19 set peer
crypto map outside_map 19 set transform-set ESP-3DES-SHA

Then look to see what that's doing

Petes-ASA(config)# show run access-list VPN-INTERESTING-TRAFFIC
MainSite(config)# show run access-list VPN-INTERESTING-TRAFFIC
access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-MainSite object OBJ-RemoteSite

Pop your IP AT THE TOP i.e. if your printer is

Petes-ASA(config)# access-list VPN-INTERESTING-TRAFFIC line 1 deny ip host
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.