Step 3 Configure the Crypto ACL

An extended access list is used to determine interesting traffic. The access lists are shown in the dashed circles. At the remote office, the access list is numbered 170, while at the central office, the list is numbered 155. Each list defines the source and destination addresses of traffic that will travel through the IPsec tunnels.

In most designs, the two lists must be mirror images of each other: the source address in one list must be the destination address in the other, and vice versa. A standard access list cannot be used to identify interesting traffic because it cannot match on destination addresses.

It is also possible to simply have one site (say a remote site) send everything through an IPsec VPN tunnel to the main site, yet the main site only sends traffic destined for that remote site through the VPN. This makes the configuration at the remote site fairly simple, and isolates the more advanced configuration to the main site.

NOTE Crypto access lists are sometimes called mirrored access lists. Each IPsec peer must have an extended access list that indicates interesting traffic. At a minimum, this interesting traffic must specify both source and destination IP addresses and can add protocols and ports for additional detail.

From an IP addressing perspective, what is interesting to one site (source/destination) is exactly opposite to the other site (destination/source). If one side indicates source/destination subnets as interesting, then the other site must reverse the source/destination subnets for its interesting traffic configuration. If one end uses subnets in the crypto ACL for source/destination and the other end uses individual IP addresses for source/destination, the interesting traffic is not mirrored and the IPsec tunnel will not work.
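As an added example (not from the book), the following Python script parses both crypto ACLs as IOS `access-list` entries and reports every local entry whose exact mirror is missing on the peer, including the subnet-versus-host mismatch described above. The ACL numbers 170 and 155 follow the text; the subnets, host address and port are constructed assumptions.

```python
import re
from ipaddress import IPv4Address, IPv4Network

def _addr(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'. Returns (network, rest)."""
    if tokens[0] == "any":
        return IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return IPv4Network(tokens[1] + "/32"), tokens[2:]
    addr, wild = tokens[0], int(IPv4Address(tokens[1]))
    if wild & (wild + 1):  # a wildcard mask must be a contiguous run of low bits
        raise ValueError(f"non-contiguous wildcard mask {tokens[1]}")
    return IPv4Network((addr, 32 - wild.bit_length()), strict=False), tokens[2:]

def _port(tokens):
    """Consume an optional 'eq N' qualifier after an address. Returns (port or None, rest)."""
    if tokens and tokens[0] == "eq":
        return int(tokens[1]), tokens[2:]
    return None, tokens

def parse_ace(line):
    """Parse 'access-list N permit PROTO SRC [eq P] DST [eq P]' into a comparable tuple."""
    m = re.match(r"access-list\s+\d+\s+permit\s+(\S+)\s+(.*)", line.strip())
    if not m:
        raise ValueError(f"unsupported ACE: {line}")
    proto, rest = m.group(1), m.group(2).split()
    src, rest = _addr(rest)
    sport, rest = _port(rest)
    dst, rest = _addr(rest)
    dport, rest = _port(rest)
    return (proto, src, sport, dst, dport)

def mirror(ace):
    """The entry the peer must carry: source and destination (with their ports) swapped."""
    proto, src, sport, dst, dport = ace
    return (proto, dst, dport, src, sport)

def check_mirrored(local_acl, peer_acl):
    """Return the local entries whose exact mirror is absent from the peer's crypto ACL."""
    peer = {parse_ace(line) for line in peer_acl}
    return [line for line in local_acl if mirror(parse_ace(line)) not in peer]

# Constructed sample (addresses are assumptions, not from the book): ACL 170 at the
# remote office and ACL 155 at the central office, as in the scenario above.
REMOTE_170 = [
    "access-list 170 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255",
    "access-list 170 permit tcp 10.1.1.0 0.0.0.255 10.2.3.0 0.0.0.255 eq 443",
]
CENTRAL_155 = [
    "access-list 155 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255",
    # subnet on one side, single host on the other: not mirrored, tunnel will fail
    "access-list 155 permit tcp host 10.2.3.10 eq 443 10.1.1.0 0.0.0.255",
]
```

Running `check_mirrored(REMOTE_170, CENTRAL_155)` returns only the second entry of ACL 170, the one whose peer entry narrows the subnet to a single host.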

In Figure 13-7, one subnet from each site is considered interesting (due to the ACLs) and will be protected through the IPsec VPN tunnel. The remaining subnets cannot take advantage of the IPsec configuration.

