ACL on Router to only allow VPN Traffic in

  • ACL on Router to only allow VPN Traffic in

    We are in the process of setting up 4 2811 routers for our 4 sites.

    Our WAN network will be layer 2 (fiber optic - metro ethernet). Each router will be connected to the layer 2 WAN network and be able to speak to any of the other routers.

    Each site will have a Site to Site VPN tunnel with the other 3 routers.

    I am using EIGRP as our routing protocol with authentication enabled.

    Right now I have the routers in a lab where I am creating test configs. I have the VPNs all set up and they are working. The only problem is that I only want to allow VPN traffic (and EIGRP). In other words, block all traffic that does not come in through a VPN or is related to EIGRP.

    This is the ACL I have applied to the interface. It appears to be working just fine. I would like to get some more opinions before I put this config into production.

    FYI - ACLs are posted to show the type of traffic. Not a good idea to use 'any any' in an ACL (Thanks Joe!).
    access-list 110 remark allow EIGRP routing traffic from the WAN
    access-list 110 permit eigrp any any
    access-list 110 remark allow IKE (ISAKMP, UDP/500) and ESP for the site-to-site tunnels
    access-list 110 permit udp any any eq isakmp
    access-list 110 permit esp any any

    This WAN network is not public. The ISP providing the network is trustworthy and has a great reputation in our community. Nonetheless, we deal with confidential information that needs to be protected.

    Thank you!
    Last edited by bill_sffcu; 6th July 2009, 17:17.
    CCA: XenApp 5.0

  • #2
    Re: ACL on Router to only allow VPN Traffic in

    Have you checked out creating GRE tunneling over IPsec with EIGRP? Check the link out. It may not be exactly what you want but it will give you an idea.


    • #3
      Re: ACL on Router to only allow VPN Traffic in

      While I'm certainly not a networking or Cisco guru, I might suggest trying to limit the permitted traffic to just the subnets that each router is connected to instead of using any any.


      • #4
        Re: ACL on Router to only allow VPN Traffic in

        I've looked at GRE and it's really not necessary in our scenario. Our WAN network is not public in any way. I designate neighbors in the EIGRP config and I've enabled authentication. Not to say that's perfect but considering we're on a private secure network anyway it's more than adequate.

        The ACLs I posted were more for showing the type of traffic being allowed. I'm sorry, I should have been more specific. Nonetheless, thank you for pointing out the problem for anyone who may be reading this thread with a similar concern!

        It looks as if the types of traffic in those ACLs are what I need to allow in order to keep all the necessary traffic flowing while disregarding everything else.
        CCA: XenApp 5.0
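As an added example (not the poster's config), here is the 'any any' ACL from the first post beside the tightened form that #3 suggests, written for one of the four routers. It assumes the WAN interface is FastEthernet0/0, that this router's WAN address is 192.0.2.1 and the three peers are 192.0.2.2 to 192.0.2.4 (constructed documentation addresses), and that EIGRP uses the designated-neighbor (unicast) setup described in #4.

```cisco
! Weak form from the thread: right protocols, but accepted from any source.
access-list 110 permit eigrp any any
access-list 110 permit udp any any eq isakmp
access-list 110 permit esp any any
!
! Tightened form: only the three peer routers may send EIGRP, IKE (ISAKMP,
! UDP/500) and ESP, and only to this router's own WAN address.
! Addresses are placeholders; substitute the real WAN addresses.
ip access-list extended WAN-IN
 remark EIGRP from designated neighbors (unicast when "neighbor" is configured)
 permit eigrp host 192.0.2.2 host 192.0.2.1
 permit eigrp host 192.0.2.3 host 192.0.2.1
 permit eigrp host 192.0.2.4 host 192.0.2.1
 remark EIGRP multicast hellos, only needed without "neighbor" statements
 permit eigrp host 192.0.2.2 host 224.0.0.10
 permit eigrp host 192.0.2.3 host 224.0.0.10
 permit eigrp host 192.0.2.4 host 224.0.0.10
 remark IKE negotiation for the three site-to-site tunnels
 permit udp host 192.0.2.2 host 192.0.2.1 eq isakmp
 permit udp host 192.0.2.3 host 192.0.2.1 eq isakmp
 permit udp host 192.0.2.4 host 192.0.2.1 eq isakmp
 remark encrypted tunnel traffic
 permit esp host 192.0.2.2 host 192.0.2.1
 permit esp host 192.0.2.3 host 192.0.2.1
 permit esp host 192.0.2.4 host 192.0.2.1
 remark explicit logged deny so unexpected WAN traffic shows up in the log
 deny ip any any log
!
interface FastEthernet0/0
 ip access-group WAN-IN in
!
! Checks after applying: hit counters per line, neighbors and tunnels still up.
! show ip access-lists WAN-IN
! show ip eigrp neighbors
! show crypto isakmp sa
! show crypto ipsec sa
```

The logged deny at the end replaces the silent implicit deny, so anything other than the expected peer traffic is visible in the router's log rather than dropped unnoticed.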