Configuring an Optional Interface Access List

You might want to have an interface ACL on the VPN interface. Typically,
you would permit only IPsec-related traffic, and perhaps routing protocol
traffic, in and out of that interface. Keep in mind the following protocol
and port numbers when configuring the ACL:
■ ESP is IP protocol 50.
■ AH is IP protocol 51.
■ IKE uses UDP port 500.
■ NAT Traversal uses UDP port 4500.
The source and destination addresses should be the IP addresses of the
outgoing VPN interfaces. The following example shows an ACL that permits
IPsec traffic between two hosts:
IPSEC_RTR(config)#access-list 101 permit ahp host 10.1.1.2 host 10.1.1.1
IPSEC_RTR(config)#access-list 101 permit esp host 10.1.1.2 host 10.1.1.1
IPSEC_RTR(config)#access-list 101 permit udp host 10.1.1.2 eq isakmp host 10.1.1.1
IPSEC_RTR(config)#access-list 101 permit udp host 10.1.1.2 host 10.1.1.1 eq isakmp
!
IPSEC_RTR(config)#interface s 0/0/0
IPSEC_RTR(config-if)#ip address 10.1.1.2 255.255.255.252
IPSEC_RTR(config-if)#ip access-group 101 out
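Because an interface ACL on the VPN interface ends with an implicit deny, a single mistyped address or a missing entry (for example no NAT Traversal line) silently blocks the tunnel rather than producing an error. The following Python script is an added example, not code from the book or from Cisco: it implements an offline evaluator for the small subset of IOS extended-ACL syntax used above (permit/deny, host or any, optional eq port) and runs a constructed ACL, the book's four entries plus a UDP 4500 entry for NAT-T, against constructed sample packets leaving the 10.1.1.2 interface. The packet values and labels are assumptions chosen for illustration.

```python
"""Offline evaluator for the subset of Cisco IOS extended-ACL syntax used in
the VPN interface ACL above (added illustration, not Cisco's code).  It models
'access-list N permit|deny PROTO (host A|any) [eq PORT] (host B|any) [eq PORT]'
entries with first-match semantics and the implicit deny at the end."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Protocol keywords as IOS accepts them, mapped to IP protocol numbers.
PROTO_NUMBERS = {"ip": 0, "icmp": 1, "tcp": 6, "udp": 17, "esp": 50, "ahp": 51}
# Well-known port names IOS substitutes in 'eq' clauses.
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}


@dataclass
class Packet:
    proto: int
    src: str
    dst: str
    sport: int = 0  # 0 for protocols without ports (ESP, AH)
    dport: int = 0


@dataclass
class Entry:
    action: str
    proto: int
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def _port(token: str) -> int:
    if token.isdigit():
        return int(token)
    if token in PORT_NAMES:
        return PORT_NAMES[token]
    raise ValueError(f"unknown port name {token!r}")


def _address(tokens: List[str]) -> Tuple[str, Optional[int], List[str]]:
    """Consume 'host A' or 'any' plus an optional 'eq PORT' qualifier."""
    if tokens and tokens[0] == "any":
        addr, tokens = "any", tokens[1:]
    elif len(tokens) >= 2 and tokens[0] == "host":
        addr, tokens = tokens[1], tokens[2:]
    else:
        raise ValueError(f"expected 'host A' or 'any', got {tokens}")
    port = None
    if len(tokens) >= 2 and tokens[0] == "eq":
        port, tokens = _port(tokens[1]), tokens[2:]
    return addr, port, tokens


def parse_entry(line: str) -> Entry:
    """Parse one access-list line; a leading 'ROUTER(config)#' prompt is ignored."""
    if "#" in line:
        line = line.split("#", 1)[1]
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list":
        raise ValueError(f"unsupported ACL line: {line!r}")
    action, proto = tokens[2], tokens[3]
    if action not in ("permit", "deny") or proto not in PROTO_NUMBERS:
        raise ValueError(f"unsupported action or protocol: {line!r}")
    src, sport, rest = _address(tokens[4:])
    dst, dport, rest = _address(rest)
    if rest:
        raise ValueError(f"trailing tokens {rest} in {line!r}")
    return Entry(action, PROTO_NUMBERS[proto], src, sport, dst, dport)


def matches(e: Entry, p: Packet) -> bool:
    return ((e.proto == 0 or e.proto == p.proto)
            and (e.src == "any" or e.src == p.src)
            and (e.dst == "any" or e.dst == p.dst)
            and (e.sport is None or e.sport == p.sport)
            and (e.dport is None or e.dport == p.dport))


def evaluate(acl: List[Entry], p: Packet) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for e in acl:
        if matches(e, p):
            return e.action
    return "deny"


# Constructed ACL: the book's four entries plus a NAT-T (UDP 4500) entry.
VPN_ACL = [
    "access-list 101 permit ahp host 10.1.1.2 host 10.1.1.1",
    "access-list 101 permit esp host 10.1.1.2 host 10.1.1.1",
    "access-list 101 permit udp host 10.1.1.2 eq isakmp host 10.1.1.1",
    "access-list 101 permit udp host 10.1.1.2 host 10.1.1.1 eq isakmp",
    "access-list 101 permit udp host 10.1.1.2 eq 4500 host 10.1.1.1 eq 4500",
]

# Constructed sample packets leaving the 10.1.1.2 interface (outbound ACL).
SAMPLE_PACKETS = {
    "esp to peer": Packet(50, "10.1.1.2", "10.1.1.1"),
    "ike to peer": Packet(17, "10.1.1.2", "10.1.1.1", 500, 500),
    "nat-t to peer": Packet(17, "10.1.1.2", "10.1.1.1", 4500, 4500),
    "telnet to peer": Packet(6, "10.1.1.2", "10.1.1.1", 40000, 23),
    "esp wrong source": Packet(50, "10.1.1.3", "10.1.1.1"),
}


def check(acl_lines: List[str], packets: Dict[str, Packet]) -> Dict[str, str]:
    """Return the ACL's verdict (permit/deny) for each labelled packet."""
    acl = [parse_entry(line) for line in acl_lines]
    return {label: evaluate(acl, p) for label, p in packets.items()}


if __name__ == "__main__":
    for label, verdict in check(VPN_ACL, SAMPLE_PACKETS).items():
        print(f"{label:18} {verdict}")
```

Running the script shows the three IPsec-related packets permitted and the Telnet and wrong-source packets dropped by the implicit deny. Feeding it an entry whose destination is mistyped as the router's own address (host 10.1.1.2 on both sides) yields "deny" for the real IKE packet, which is exactly the kind of silent tunnel failure this check catches before the ACL goes on the interface. The ACL above is applied outbound only; an inbound ACL covering the same traffic is the mirror image, with the two host addresses swapped.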