Contact US

Log In

Come Join Us!

Are you a
Computer / IT professional?
Join Tek-Tips Forums!
  • Talk With Other Members
  • Be Notified Of Responses
    To Your Posts
  • Keyword Search
  • One-Click Access To Your
    Favorite Forums
  • Automated Signatures
    On Your Posts
  • Best Of All, It's Free!

*Tek-Tips's functionality depends on members receiving e-mail. By joining you are opting in to receive e-mail.

Posting Guidelines

Promoting, selling, recruiting, coursework and thesis posting is forbidden.

Students Click Here

CCNA Security - VPN section help please.

CCNA Security - VPN section help please.

CCNA Security - VPN section help please.

Hi all,

Planning to take my CCNA Sec soon and have a question relating to creating crypto acl.

I have the rest of the config down, but say if I have the following config ...

Subnet A-----RouterA  -----VPN TUNNEL----- RouterB--------Subnet B        

what would the crypto acl be if I wanted any say encrypt all smtp traffic.  Do I carry out the permit statement from the 192 subnet or from the - does tunnel or tansport mode have an impact on the ACL that I write.

So if using Tunnel mode would be ACL be:

config t- ip access-list extended 123
          permit tcp host host eq smtp

or would it be...

config t- ip access-list extended 123
       permit tcp eq smtp

Just getting a little confused and want to get it straight in my head.  

RE: CCNA Security - VPN section help please.

The crypto ACLs need to be mirror opposites of each other. You would use separate ACLs to limit the traffic permitted through the tunnel. For example, your crypto ACL for subnet A would be permit ip subnet A subnet B. Your crypto ACL on subnet B would be permit ip subnet B subnet A. You would define a separate ACL and add permit tcp subnet A subnet B eq smtp and you would apply it under your crypto map.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

RE: CCNA Security - VPN section help please.

Your second acl is the correct one.

"or would it be...config t- ip access-list extended 123       permit tcp eq smtp"

And unclerico is right in that you'd have a mirror one on the other side.

RE: CCNA Security - VPN section help please.

ip access-list exten crypto
10 permit tcp gt 1023 eq 25 log-input
20 deny ip any any log-input

ip access-list exten nat
10 deny ip
20 permit ip any

route-map nats permit 10
 match address nat

ip nat inside source route-map nat int blablabla over


Cisco IOS Software, C2600 Software (C2600-ADVENTERPRISEK9-M), Version 12.4(25c), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1523-2010 by Cisco Systems, Inc.
Compiled Thu 11-Feb-1539 23:02 by ßµ®†Šß€€Š

ROM: System Bootstrap, Version 12.2(7r) [ÝØÝØMØÑ], RELEASE SOFTWARE (fc1)

Edge uptime is 469¼  

Red Flag This Post

Please let us know here why this post is inappropriate. Reasons such as off-topic, duplicates, flames, illegal, vulgar, or students posting their homework.

Red Flag Submitted

Thank you for helping keep Tek-Tips Forums free from inappropriate posts.
The Tek-Tips staff will check this out and take appropriate action.

Reply To This Thread

Posting in the Tek-Tips forums is a member-only feature.

Click Here to join Tek-Tips and talk with other members! Already a Member? Login

Close Box

Join Tek-Tips® Today!

Join your peers on the Internet's largest technical computer professional community.
It's easy to join and it's free.

Here's Why Members Love Tek-Tips Forums:

Register now while it's still free!

Already a member? Close this window and log in.

Join Us             Close