Hi,
I'm configuring remote access VPN using Cisco VPN Client to an IOS router.
Things are working fine, i.e. using dynamic crypto map, XAUTH, and group
policy to push dns, DHCP ip address, etc. to the client.
One thing I haven't been able to do is to apply ACL to filter the VPN
traffic - this is to restrict VPN clients access to only certain ports on
our internal server.
I know that in the ASA/PIX, a filter list can be applied to the group
policy, but I just can't find similar functionality in the IOS group policy.
Any help appreciated!
TIA.
Uto, 1/25/2007 4:39:19 AM
Uto cen wrote:
> One thing I haven't been able to do is to apply ACL to filter the VPN
> traffic - this is to restrict VPN clients access to only certain ports on
> our internal server.
IOS 12.3(8)T introduced Crypto Clear Text ACLs.
crypto map sample_cmap 100 ipsec-isakmp
set ip access-group 110 in
set ip access-group 111 out
So access-list 110 will filter (or permit!) traffic independent of the
inbound ACL on the interface with the crypto map.
access-list 111 is able to restrict the traffic from router into the
IPsec tunnel.
--
Uli
Uli, 1/25/2007 7:16:08 PM
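To make the two-direction filtering in Uli's answer concrete for the original question (restricting VPN clients to a few ports on one internal server), here is an added example config; it is not from the thread and the pool, server address and list numbers are made up. ACL 110 sees the decrypted client traffic coming out of the tunnel, ACL 111 sees what the router is about to send back into it; both need an explicit deny at the end, because the crypto map ACL permits on its own and the interface ACL is not consulted for this traffic. The rest of the crypto map entry (peer, transform set, match address or dynamic-map reference) is left out for brevity.

```cisco
! Added example, not from the thread. Hypothetical values:
!   VPN client pool   10.10.10.0/24
!   internal server   192.168.1.10
! Goal: VPN clients may reach only TCP/443 and TCP/22 on the server.

! ACL 110: clear-text packets arriving from the IPsec tunnel ("in").
! Evaluated by the crypto map, independently of the interface ACL,
! and it permits as well as denies, so finish with an explicit deny.
access-list 110 permit tcp 10.10.10.0 0.0.0.255 host 192.168.1.10 eq 443
access-list 110 permit tcp 10.10.10.0 0.0.0.255 host 192.168.1.10 eq 22
access-list 110 deny   ip any any log

! ACL 111: clear-text packets about to enter the IPsec tunnel ("out").
! Only the server's replies on the permitted ports go back to the clients.
access-list 111 permit tcp host 192.168.1.10 eq 443 10.10.10.0 0.0.0.255
access-list 111 permit tcp host 192.168.1.10 eq 22  10.10.10.0 0.0.0.255
access-list 111 deny   ip any any log

! Bind both lists to the crypto map entry, as in the answer above.
! (set peer / set transform-set / match address or the dynamic-map
!  reference for this entry are omitted here.)
crypto map sample_cmap 100 ipsec-isakmp
 set ip access-group 110 in
 set ip access-group 111 out

! Verification: the "log" keyword on the final deny entries records blocked
! client traffic, and the hit counters show which lines are matching.
!   show ip access-lists 110
!   show ip access-lists 111
```

The deny entries are logged so that a client trying a port outside the allowed set shows up in the router log rather than failing silently; if the interface ACL is already tight, ACL 111 can be relaxed, but keeping both symmetric makes the intended policy obvious when reading the config later.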
Thanks! Exactly what I needed to know.
And that should work for dynamic maps as well?
"Uli Link" <VonRechts.NachLinks@usenet.arcornews.de> wrote in message
news:45b901f3$0$27609$9b4e6d93@newsspool2.arcor-online.net...
> Uto cen wrote:
>> One thing I haven't been able to do is to apply ACL to filter the VPN
>> traffic - this is to restrict VPN clients access to only certain ports on
>> our internal server.
>
> IOS 12.3(8)T introduced Crypto Clear Text ACLs.
>
> crypto map sample_cmap 100 ipsec-isakmp
> set ip access-group 110 in
> set ip access-group 111 out
>
>
> So access-list 110 will filter (or permit!) traffic independent of the
> inbound ACL on the interface with the crypto map.
> access-list 111 is able to restrict the traffic from router into the IPsec
> tunnel.
>
> --
> Uli
Uto, 1/26/2007 12:08:47 PM