When building a site-to-site IPsec VPN we configure an ACL that defines the interesting traffic: it matches the source and destination networks on each side of the link whose traffic should be encrypted and sent through the tunnel. This ACL is referenced by the crypto map and defines the proxy identities negotiated in Phase 2 of the IPsec VPN.
Typically these ACLs reference whole networks (e.g., a /24) and are not used for granular rules such as which hosts may communicate and over which ports and protocols. One reason is that the Phase 2 ACL must be a mirror image of the ACL at the remote end of the connection; every modification has to be made identically on both peers, and a mismatch causes Phase 2 negotiation to fail and connectivity to be lost.
Further, we cannot specify a direction for the interesting-traffic ACL, so it cannot express "allow this flow from A to B but not from B to A".
To enforce granular access rules we can define separate ACLs and apply them to the crypto map with the set ip access-group command. These ACLs filter the clear-text side of the tunnel: in is evaluated against traffic after it has been decrypted (arriving from the peer), out against traffic before it is encrypted (leaving for the peer). Because they are evaluated only on the local router they do not need to be mirrored on the remote end, so they can be changed without touching the Phase 2 SA.
ip access-list extended VPN-Security-In
 remark -- block access to port 80 on 10.1.1.20 --
 deny   tcp any host 10.1.1.20 eq 80
 deny   udp any host 10.1.1.20 eq 80
 permit ip any any
!
crypto map VPN 10 ipsec-isakmp
 set ip access-group VPN-Security-In in
Three points to get right here. The ACL is applied in, so it sees decrypted traffic arriving from the peer; the deny entries must therefore match 10.1.1.20 port 80 as the destination (matching it as the source would only ever match the server's replies, which never traverse an inbound filter). Every IOS ACL ends in an implicit deny, so the closing permit ip any any is required, otherwise all decrypted traffic would be dropped. And the name in set ip access-group must match the ACL name exactly.
We can verify ACL hits with the usual show ip access-lists VPN-Security-In command; the matches counter on each entry shows which lines are being hit, and a deny counter that never increments while traffic to the protected host is still getting through is the usual sign that the direction or the source/destination order is wrong.
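A complete configuration for both peers, as an added example that is not from the original post. The addresses (10.1.1.0/24 behind Site A's 198.51.100.1, 10.2.2.0/24 behind Site B's 203.0.113.1), interface and ACL names and the cipher suite are assumptions, and the pre-shared key is a placeholder. It shows the Phase 2 interesting-traffic ACL as an exact mirror on the two peers, while the set ip access-group filter exists only on Site A and ends with an explicit permit so the implicit deny does not drop all decrypted traffic.

```cisco
! ===== Site A (LAN 10.1.1.0/24, outside 198.51.100.1) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! <shared-secret> is a placeholder; set the same value on both peers
crypto isakmp key <shared-secret> address 203.0.113.1
!
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
!
! Phase 2 interesting traffic: whole networks, no direction,
! must be the exact mirror of Site B's VPN-Traffic list
ip access-list extended VPN-Traffic
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Granular filter for traffic arriving from Site B after decryption.
! Local only: not mirrored on Site B, can be edited without touching Phase 2.
ip access-list extended VPN-Security-In
 remark -- block access to port 80 on 10.1.1.20 --
 deny   tcp any host 10.1.1.20 eq 80
 deny   udp any host 10.1.1.20 eq 80
 permit ip any any
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-AES256
 match address VPN-Traffic
 set ip access-group VPN-Security-In in
!
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map VPN

! ===== Site B (LAN 10.2.2.0/24, outside 203.0.113.1) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <shared-secret> address 198.51.100.1
!
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
!
! Mirror image of Site A's list: source and destination swapped, nothing else
ip access-list extended VPN-Traffic
 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-AES256
 match address VPN-Traffic
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map VPN
```

To check it, generate traffic from a 10.2.2.0/24 host towards 10.1.1.20 on port 80 and towards another port on the same host. show crypto ipsec sa on either peer should show an SA with the 10.1.1.0/24 and 10.2.2.0/24 proxy identities and rising encaps/decaps counters for both tests, while show ip access-lists VPN-Security-In on Site A should show the deny tcp entry's match counter rising only for the port 80 attempt and the permit ip any any counter rising for the rest.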