Hi Simon, The getvpn acl need to match intresting traffic-since there's a default deny after ur acl you really dont need to put the 3 deny statements you have there.
You would need to put a deny before permit if there are specific IPs within your permit network that shld not be encrypted. And in ur example, the traffic u denied does not match any of the permitted traffic, therefore i do not think its necesary. Regards. ________________________________ From: Simon Baumann <[email protected]> To: [email protected] Sent: Saturday, August 29, 2009 2:09:15 PM Subject: [OSL | CCIE_Security] Clarification about GET VPN. Hi, I'm setting up an GET VPN environmet at a security ProtcorLabs pod. My scenario looks like this: Used devices: cat2, r1, r7, r8 cat2: vlan 2, int vlan2: ip addr 2.2.2.254 vlan 7, int vlan 7: ip addr 7.7.7.254 vlan 8, int vlan 8: ip addr 8.8.8.254 Server: r1 Clients: r7 and r8 r1: fa0/1: ip addr 2.2.2.1, lo0: 22.22.22.1. Default route to fa0/1. r7: fa0/0: ip addr 7.7.7.1, lo0 77.77.77.1. Default route to fa 0/0. r8: fa0/0: ip addr 8.8.8.1, lo0 88.88.88.1. Default route to fa 0/0. I want to protect traffic between the loopbacks of my router. But I'm not sure how I have to configure my ACL to only match this traffic. The Cisco documentation states: "Ensure that your ACL starts with a deny statement if all traffic does not need to be encrypted." So in my case, this would be the following ACL? ip access-list extended GET_VPN deny ip host 2.2.2.1 any deny ip host 8.8.8.1 any deny ip host 7.7.7.1 any permit ip host 22.22.22.1 any permit ip host 77.77.77.1 any permit ip host 88.88.88.1 any TIA. Have a nice weekend Simon _______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
