In article , snipped-for-privacy@nospammail.net (Can2002) writes:
| I have an IPSEC tunnel configured between a router running IOS and a
| Check Point firewall, which is working fine.
|
| One thing I'm having difficulty with is restricting traffic coming into
| the router on the IPSEC tunnel (for example, allow only specific hosts
| at the Check Point end of the tunnel to initiate connections to servers
| behind the router).
|
| Beyond creating an outbound access list for my internal interface, is
| there any other way to restrict this traffic?
I'm assuming that you don't have a recent enough version of IOS that you can terminate the IPSEC tunnel on an actual tunnel interface and thus your problem is that the incoming access list on the interface with the crypto map is checked against the IPSEC wrapper packet rather than the encapsulated packet.
The encapsulated packet is checked against the inverse of the access list associated with the crypto map and is dropped if it shouldn't have been encrypted (based on the assumption that the access lists on each end of the tunnel are complementary) in the first place. You can use this to restrict incoming traffic, but it is likely considered a configuration error. Beware that IOS will log an error in some but not all cases when it drops a packet in these circumstances. With ipsec debug enabled there should be a message in all cases.
Of course, if you can configure the far end to not encrypt/encapsulate the offending packets in the first place then the normal incoming access list will catch them. But that requires keeping three sets of access lists in sync and also assumes that the packets are routable independent of the IPSEC tunnel.
Dan Lanciani ddl@danlan.*com
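Added worked example (not part of the question or of Dan's reply): an IOS configuration showing how the crypto map's access list ends up acting as the inbound filter described above, followed by the tunnel-interface alternative for IOS versions that support it. Every address, name, the pre-shared key placeholder and the transform set are assumed for illustration only; the Check Point encryption domain is assumed to be the mirror image of the crypto access list, and the two sections are alternatives, not meant to be applied to the same peer at once.

```cisco
! Constructed example, not taken from the original thread.
! Assumed addressing:
!   10.0.0.0/24      servers behind the IOS router
!   192.0.2.10, .11  the only Check Point side hosts allowed through
!   198.51.100.1     the Check Point firewall's external address
!   203.0.113.2      the router's outside address
!
! --- 1. Crypto map (classic IOS) ---
! The crypto ACL is written from the router's point of view
! (source = local side, destination = remote side).  Outbound it
! selects what gets encrypted; inbound, IOS checks each DECRYPTED
! packet against the inverse of these lines and drops anything the
! far end should not have encrypted.  Listing only the two remote
! hosts therefore keeps every other Check Point side host out of
! 10.0.0.0/24 via the tunnel.  Note the check is stateless: it limits
! which hosts may send at all, not which side may initiate.
ip access-list extended CRYPTO-TO-CHECKPOINT
 permit ip 10.0.0.0 0.0.0.255 host 192.0.2.10
 permit ip 10.0.0.0 0.0.0.255 host 192.0.2.11
!
crypto isakmp policy 10
 encr aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key EXAMPLE-PSK address 198.51.100.1
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto map CM 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address CRYPTO-TO-CHECKPOINT
!
interface Serial0/0
 ip address 203.0.113.2 255.255.255.252
 crypto map CM
!
! --- 2. IPsec virtual tunnel interface (newer IOS, alternative to 1) ---
! With the tunnel terminated on Tunnel0, the decrypted inner packet
! arrives on Tunnel0, so a normal inbound access list applies to it
! and the crypto ACL no longer has to double as a filter.  A VTI
! negotiates any/any traffic selectors, so the far end must be willing
! to accept those (assumed here).
crypto ipsec profile IPSEC-PROF
 set transform-set TS
!
ip access-list extended TUNNEL-IN
 permit ip host 192.0.2.10 10.0.0.0 0.0.0.255
 permit ip host 192.0.2.11 10.0.0.0 0.0.0.255
 deny   ip any any log
!
interface Tunnel0
 ip unnumbered Serial0/0
 tunnel source Serial0/0
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF
 ip access-group TUNNEL-IN in
!
ip route 10.0.0.0 255.255.255.0 FastEthernet0/0
```

In the crypto-map case remember that a packet dropped by the inverse check is only logged in some situations, as noted in the reply, so verify the filtering with `debug crypto ipsec` (or a test host on the far side) rather than trusting the log. In the VTI case the `log` keyword on the explicit deny gives the audit trail the crypto-map approach lacks.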