access list for vpn traffic?

We have a 3725 (IOS 12.4(5a)) which serves a number of VPNs with crypto map statements like this:

crypto map vpn-4 168 ipsec-isakmp
 set peer a.b.c.d
 set transform-set aes-sha
 match address vpn-168

ip access-list extended vpn-168
 permit ip 172.16.0.0 0.15.255.255 172.31.32.168 0.0.0.7

AFAIK, the access list in this config only determines what traffic is expected encrypted and what traffic can be unencrypted.

Is it also possible to add an access list to this config that determines what traffic is allowed through this tunnel, i.e. one that is applied after decryption? I would like to restrict the user at the other end of the tunnel from accessing certain services on the local network.

Right now I have an outbound access list on the LAN interface, but it seems kind of backward. One would want to filter at the source.

Rob

Rob wrote:

crypto map vpn-4 168 ipsec-isakmp
 set ip access-group in|out

Uli Link
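Putting that answer into a complete configuration, as an added example (this is not configuration from either poster). The peer address a.b.c.d, the crypto map vpn-4 168, the transform set and the crypto ACL vpn-168 are taken from the original question; the filter ACL name vpn-168-in, the hosts 172.16.1.10 and 172.16.1.53, the outside interface name and the outside-in ACL are assumptions made for illustration:

```cisco
! Added example, not from the original thread. vpn-168-in, the 172.16.1.x
! hosts, FastEthernet0/0 and outside-in are assumed names/addresses.
!
! 1. The crypto ACL. It only selects which traffic is protected: matching
!    packets are encrypted on the way out and must arrive encrypted on the
!    way in. It does not filter what the far side may reach.
ip access-list extended vpn-168
 permit ip 172.16.0.0 0.15.255.255 172.31.32.168 0.0.0.7
!
! 2. A separate filter ACL, evaluated against the decrypted (clear-text)
!    packets arriving from the peer. Assumed policy: the remote /29 may reach
!    a web server on 172.16.1.10 and DNS on 172.16.1.53, nothing else.
ip access-list extended vpn-168-in
 permit tcp 172.31.32.168 0.0.0.7 host 172.16.1.10 eq 443
 permit tcp 172.31.32.168 0.0.0.7 host 172.16.1.10 eq 80
 permit udp 172.31.32.168 0.0.0.7 host 172.16.1.53 eq 53
 deny   ip any any log
!
! 3. Bind both to the crypto map entry. "set ip access-group ... in" is the
!    per-tunnel check on traffic after decryption; "out" would check
!    clear-text traffic before it is encrypted for this peer.
crypto map vpn-4 168 ipsec-isakmp
 set peer a.b.c.d
 set transform-set aes-sha
 match address vpn-168
 set ip access-group vpn-168-in in
!
! 4. The interface ACL is applied to the packets as they arrive on the wire,
!    so it has to admit the IKE and ESP traffic from the peer; the tunnel
!    contents are filtered by vpn-168-in, not here.
ip access-list extended outside-in
 permit udp host a.b.c.d any eq isakmp
 permit udp host a.b.c.d any eq non500-isakmp
 permit esp host a.b.c.d any
 deny   ip any any
!
interface FastEthernet0/0
 ip access-group outside-in in
 crypto map vpn-4
```

Two things worth checking after applying this: "show crypto map" should list the access-group under the map entry, and if the parser rejects "set ip access-group" in crypto map configuration mode, the running image lacks the feature and the only option left is the interface ACL on the LAN side that the question describes. Use the same ACL names on both sides of a peer deliberately (vpn-168 for selection, vpn-168-in for filtering); mixing them up silently turns a filter into a selector.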

Thank you! I remember that I worked with versions that passed the traffic through the interface incoming ACL both before and after decryption (and that I found it strange), but I was not aware of where the second check had moved.

Rob

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.