ACL does not limit access

Hello all

I have a tunnel set up on my Cisco 1760, with static IP endpoints and an access list applied in the crypto map. I don't know the remote VPN endpoint equipment/manufacturer.

The ACL on my side states "permit ip 192.168.28.0 0.0.0.255 192.168.202.0 0.0.0.255", but I saw with "sh crypto ipsec sa" that the remote network 192.168.202.0 is accessing not only the allowed local network but also a host on a different network of my site (172.16.100.x).

How is this possible? Is there a way to control that?

Thanks

Jaime

Relevant config:

crypto isakmp key 0 PSKEY address Remote_VPN_Endpoint no-xauth
!
crypto map tunel 40 ipsec-isakmp
 set peer Remote_VPN_Endpoint
 set security-association lifetime seconds 28800
 set transform-set vpn
 set pfs group2
 match address 101
!
ip access-list extended 101
 permit ip 192.168.28.0 0.0.0.255 192.168.202.0 0.0.0.255

Reply to
Jaime

In article , Jaime wrote:
:I have a tunnel set up on my Cisco 1760, with static IP endpoints and access
:list applied in the crypto map. I don't know the remote VPN endpoint
:equipment/manufacturer.

:The ACL on my side states "permit ip 192.168.28.0 0.0.0.255 192.168.202.0
:0.0.0.255"
:but I saw with the "sh crypto ipsec sa" that the remote network
:192.168.202.0 is accessing not only the allowed local network but also a
:host on a different network of my site (172.16.100.x).

:How is this possible?

It is possible if you have a "dynamic map" set up.

Also, check to see if there is actually any traffic over the unexpected tunnel. If not, then the remote system may have initiated a security association, and your end might not have noticed the tunnel mismatch. Tunnel mismatches are possible with the way IPSec negotiates security associations. Your end isn't going to send any traffic over the SA since you don't have a matching crypto map ACL entry.

Reply to
Walter Roberson

Hi Wal

I have a dyn-map setup.

So, if I apply an ACL to the crypto dynamic-map, can I restrict access to allowed servers? This way, the router-to-router IPSec VPNs wouldn't be allowed to access other servers than those specified in their own crypto map ACL.

Am I right?

Thanks

Jaime

Reply to
Jaime

In article , Jaime top-posted:
|> :The ACL on my side states "permit ip 192.168.28.0 0.0.0.255 192.168.202.0
|> :0.0.0.255"
|> :but I saw with the "sh crypto ipsec sa" that the remote network
|> :192.168.202.0 is accessing not only the allowed local network but also a
|> :host on a different network of my site (172.16.100.x).

|> :How is this possible?

|> It is possible if you have a "dynamic map" set up.

|Hi Wal

Hi Jai (amazing how quickly one can get onto a first-syllable basis on Usenet)

|I have a dyn-map setup.

|So, if I apply an ACL to the crypto dynamic-map, can I restrict access
|to allowed servers?

Yes, that would help. There -might- still be instances in which the remote end could create the SA, but they wouldn't be able to talk over it.

When you have an unrestricted dynamic map, your system will allow SAs to be created to a wide range of places, and the traffic would be restricted by the outside interface ACL... unless you have sysopt crypto permit-ipsec in which case the interface ACLs would be ignored and the remote end would be allowed to send to anything in your network (and possibly further.)

Reply to
Walter Roberson
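As an added illustration of Walter's suggestion (this is example configuration written for this thread, not configuration from Jaime's router), here is an IOS crypto setup for the 1760 in which the static peer keeps ACL 101 from the original post and the dynamic map gets its own "match address" so that a dynamic peer can only negotiate proxy identities inside 192.168.28.0/24. The dynamic-map name dyn, ACLs 102 and 110, the sequence numbers, the interface name and the OUTSIDE_IP placeholder are assumptions; the ISAKMP policy and transform-set bodies are placeholders too, since the original post does not show them.

```cisco
! --- Added example, not the poster's configuration ---
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 0 PSKEY address Remote_VPN_Endpoint no-xauth
!
crypto ipsec transform-set vpn esp-3des esp-sha-hmac
!
! Traffic selector for the static peer (as in the original post):
! only 192.168.28.0/24 <-> 192.168.202.0/24 is interesting traffic.
ip access-list extended 101
 permit ip 192.168.28.0 0.0.0.255 192.168.202.0 0.0.0.255
!
! Traffic selector for the dynamic map (assumed ACL number).
! A dynamic map with no match address accepts whatever proxy
! identities a remote proposes, which is how an SA covering
! 172.16.100.x can appear. With this ACL the proposed identities
! must fall inside the local 192.168.28.0/24 network.
ip access-list extended 102
 permit ip 192.168.28.0 0.0.0.255 any
!
crypto dynamic-map dyn 10
 set transform-set vpn
 set pfs group2
 match address 102
!
! Static entry for the known peer, then the dynamic entry at the
! highest sequence number so static peers are matched first.
crypto map tunel 40 ipsec-isakmp
 set peer Remote_VPN_Endpoint
 set security-association lifetime seconds 28800
 set transform-set vpn
 set pfs group2
 match address 101
crypto map tunel 65535 ipsec-isakmp dynamic dyn
!
! Inbound interface ACL (assumed number 110, OUTSIDE_IP is a placeholder):
! admit ISAKMP and ESP to the router itself, plus the cleartext
! traffic the tunnel is meant to carry, and log everything else.
ip access-list extended 110
 permit udp any host OUTSIDE_IP eq isakmp
 permit esp any host OUTSIDE_IP
 permit ip 192.168.202.0 0.0.0.255 192.168.28.0 0.0.0.255
 deny ip any any log
!
interface FastEthernet0/0
 ip address OUTSIDE_IP 255.255.255.0
 ip access-group 110 in
 crypto map tunel
```

After applying this, "show crypto map" lists the dynamic entry with its ACL, and "show crypto ipsec sa" should only show local identities within 192.168.28.0/24 for dynamic peers; an SA whose local ident is still 172.16.100.x would mean the remote's proposal was accepted without the ACL being in effect and is worth checking with "debug crypto ipsec" during a fresh negotiation. Keep the interface ACL as a second control rather than the only one: whether decrypted packets are re-checked against the inbound interface ACL depends on the IOS release (later releases skip that second check), so the dynamic-map ACL is the reliable place to bound what a dynamic peer can reach.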
