Hi D.M.Gore,
I think it is a bug. I am using 12.4(15) T5 and getting the same result.
However, it is working when I use "in" instead of "out":
set ip access-group 110 in
I don't have access to the Cisco bug toolkit, so I can't verify.
Regards,
Mohammed Gazzaz
Date: Sun, 13 Sep 2009 20:51:25 +0530
From: [email protected]
To: [email protected]
Subject: [OSL | CCIE_Security] VPN: filtering traffic in L2L tunnel
Hi All,
I have established a LAN-to-LAN IPsec VPN between two routers running 12.4(15)T9
IOS. I want to filter telnet traffic through the VPN tunnel. To achieve this, a
filtering access list is used inside the crypto map. The configuration of one router
is as follows:
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key CISCO address 136.1.123.13
crypto ipsec transform-set test esp-3des esp-md5-hmac
!
crypto map GMD 1 ipsec-isakmp
 set peer 136.1.123.13
 set ip access-group 110 out
 set transform-set test
 match address test2
!
interface Loopback0
 ip address 150.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 description "Connected to R4"
 ip address 136.1.121.13 255.255.255.0
 duplex auto
 speed auto
 crypto map GMD
!
ip access-list extended test2
 permit ip host 150.1.1.1 host 150.1.2.2
!
access-list 110 permit icmp any any
access-list 110 deny ip any any
!
!
As per this configuration, only ICMP traffic is allowed through the VPN tunnel.
But the IPsec tunnel is created or established even with telnet traffic to the remote
peer.
After observing the access list hit counts, it is seen that the hit count is not
increasing for filtering access list 110, but the hit count is increasing for crypto
access list test2.
Is this a bug of 12.4(15)T9 IOS or some configuration problem?
Regards,
D.M.Gore