Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

CCNA Security - VPN section help please.

Status
Not open for further replies.

skk391

Technical User
Mar 3, 2009
332
GB
Hi all,

Planning to take my CCNA Sec soon and have a question relating to creating crypto acl.

I have the rest of the config down, but say if I have the following config ...

Subnet A-----RouterA -----VPN TUNNEL----- RouterB--------Subnet B
192.168.0.0 172.12.12.1 172.12.12.2 10.0.0.0

what would the crypto acl be if I wanted any say encrypt all smtp traffic. Do I carry out the permit statement from the 192 subnet or from the 172.12.12.1 - does tunnel or tansport mode have an impact on the ACL that I write.

So if using Tunnel mode would be ACL be:

config t- ip access-list extended 123
permit tcp host 172.12.12.1 host 172.12.12.2 eq smtp


or would it be...

config t- ip access-list extended 123
permit tcp 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255 eq smtp



Thanks
Just getting a little confused and want to get it straight in my head.
 
The crypto ACLs need to be mirror opposites of each other. You would use separate ACLs to limit the traffic permitted through the tunnel. For example, your crypto ACL for subnet A would be permit ip subnet A subnet B. Your crypto ACL on subnet B would be permit ip subnet B subnet A. You would define a separate ACL and add permit tcp subnet A subnet B eq smtp and you would apply it under your crypto map.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Your second acl is the correct one.

"or would it be...config t- ip access-list extended 123 permit tcp 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255 eq smtp"


And unclerico is right in that you'd have a mirror one on the other side.
 
ip access-list exten crypto
10 permit tcp 192.168.0.0 0.0.0.255 gt 1023 10.0.0.0 0.0.0.255 eq 25 log-input
20 deny ip any any log-input

ip access-list exten nat
10 deny ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
20 permit ip 192.168.0.0 0.0.0.255 any

route-map nats permit 10
match address nat

ip nat inside source route-map nat int blablabla over

--TIMMAY!


Cisco IOS Software, C2600 Software (C2600-ADVENTERPRISEK9-M), Version 12.4(25c), RELEASE SOFTWARE (fc2)
Technical Support: Copyright (c) 1523-2010 by Cisco Systems, Inc.
Compiled Thu 11-Feb-1539 23:02 by ßµ®†Šß€€Š

ROM: System Bootstrap, Version 12.2(7r) [ÝØÝØMØÑ], RELEASE SOFTWARE (fc1)

Edge uptime is 469¼
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top