Cisco Systems How-to restrict traffic exiting VPN tunnel to certain hosts / ports ??
Bookmark this page:  YahooMyWeb Yahoo!  Google Google  Windows Live Favorites Windows Live  del.icio.us del.icio.us  digg digg  Add to Netscape Netscape
Subject Author Date
How-to restrict traffic exiting VPN tunnel to certain hosts / ports ?? ponga 06-30-09
Posted by ponga on July 1, 2009, 2:25 pm
Please log in for more thread options
> ponga schrieb:
>
> > crypto map Reservations 11 ipsec-isakmp
> > =A0description Tunnel toNoWhere
> > =A0set peer 1.2.3.4
> > =A0set transform-set ESP-3DES-SHA1
> > =A0match address 106
> > !
> > I'm not sure what role this "match address" business plays, is that
> > like "access-group"'ing an ACL to an interface?
>
> access-list 106 describes the traffic to be encrypted through the crypto
> map.
>
> If you want to restrict traffic after or before encrytion via crypto map
> refer to
> <http://www.cisco.com/en/US/docs/ios/12_3t/12_3t8/feature/guide/gt_crp...=
>
>
> Perhaps better want a logical tunnel interface using ipsec profiles and
> tunnel protection. The config is more straightforward and also support
> routing protocols.
>
> --
> ULi

Got it!! That's the part I was missing. I was not sure what the
meaning of that "match address" line was doing. Now I understand.
Also, without the "sysopt permit ipsec" line, I *GUESS* that I am now
able to apply rules to the ACL that is applied to the outside
interface and therefore filter with that ACL. I'm guessing that's how
that works. I've added rules to that that ACL, but I am not seeing any
counts for the rules I have added, though traffic is still flowing.
Perhaps clear the crypto sa's... don't know. But I think I have a
handle on it now.

Thanks to EVERYONE that replied!!
--ponga

Similar ThreadsPosted
How-to restrict traffic exiting VPN tunnel to certain hosts / ports ?? June 30, 2009, 4:48 pm
restrict port connections on switch for known hosts only June 16, 2006, 8:30 am
restrict PC traffic speed on the lan August 10, 2008, 1:11 pm
Cisco PIX EasyVPN site2site - Restrict traffic December 6, 2006, 6:33 am
Cisco 515 VPN Traffic can not ping internal hosts May 17, 2006, 1:33 pm
exiting out of "show run" on PIX July 11, 2006, 3:32 pm
hosts can only ping other hosts after router has pinged them? June 3, 2006, 9:47 pm
PIX 7.0.4 tunnel all traffic. November 3, 2005, 12:27 pm
PIX 501 S2S VPN - Tunnel Up - No Traffic April 15, 2006, 11:44 am
*some* return traffic not going through vpn tunnel (although not all) December 20, 2005, 10:17 am
PIX lan-to-lan IPSEC comes up...no traffic passes tunnel November 2, 2005, 6:28 pm
solution to "*some* return traffic not going through vpn tunnel (although not all)" January 31, 2006, 12:47 pm
WAN, Routing and Switching: Route some IP traffic over tunnel January 15, 2007, 6:16 am
ASA5510 with Cisco VPN client. No traffic over VPN tunnel May 15, 2008, 4:53 am
Using an ASA's AIP SSM module to inspect traffic going into and coming out of a VPN tunnel. January 22, 2009, 12:14 pm
Residential Cabling Guide

Home Cabling Guide

Finally, an instantly downloadable book that saves you thousands in home improvement dollars! Enjoy living in 21st century technology-advanced home while increasing its selling value and competitive advantage on the real estate market. Whether your cabling is for home office or high-tech leisure, you can wire your home yourself or learn "wirish" to speak with your cabling contractors in their language!

Learn More