I'm setting up an IPSec VPN using a Cisco router. The relevant part of the config:
crypto map MYVPN 10 ipsec-isakmp
set peer 173.1.2.3
set transform-set my-transform
set pfs group2
match address 103
access-list 103 permit ip 84.9.208.128 0.0.0.63 192.168.77.0 0.0.0.255
access-list 103 permit ip 192.168.77.0 0.0.0.255 84.9.208.128 0.0.0.63
access-list 103 permit ip 84.9.206.104 0.0.0.7 192.168.77.0 0.0.0.255
access-list 103 permit ip 192.168.77.0 0.0.0.255 84.9.206.104 0.0.0.7
This allows traffic to/from 192.168.77.0/24 behind the peer. However, I also have another subnet, 192.168.122.0/24, behind the same peer that I would like to allow access to. So I've had to modify my ACL to include 192.168.0.0/16:
access-list 103 permit ip 84.9.208.128 0.0.0.63 192.168.0.0 0.0.255.255
access-list 103 permit ip 192.168.0.0 0.0.255.255 84.9.208.128 0.0.0.63
access-list 103 permit ip 84.9.206.104 0.0.0.7 192.168.0.0 0.0.255.255
access-list 103 permit ip 192.168.0.0 0.0.255.255 84.9.206.104 0.0.0.7
Ideally, I don't want this large of a range specified. Is there any way I can specifically configure 192.168.77.0/24 and 192.168.122.0/24?
Either I missed something, or you just add the new network to the existing ACL as a class C in the same manner, then #clear cry ipsec & clear cry sa to renew the site, and it will come up with the new encryption domain/net added ...
access-list 103 permit ip 84.9.208.128 0.0.0.63 192.168.122.0 0.0.0.255
access-list 103 permit ip 192.168.122.0 0.0.0.255 84.9.208.128 0.0.0.63
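As an added worked example (not part of the question or the answer above): the Python below generates the mirror-image crypto ACL entries for several remote subnets using the addresses from the question, evaluates a candidate packet against an entry with Cisco wildcard-mask semantics (a set bit in the wildcard means "don't care"), and computes the smallest single prefix that would cover both remote /24s. The ACL number 103 and the helper names are assumptions of this example. It shows why separate per-subnet entries are preferable: the tightest single prefix covering 192.168.77.0/24 and 192.168.122.0/24 is 192.168.64.0/18 (wildcard 0.0.63.255), which still admits 64 class-C networks into the encryption domain, and a /16 admits 256.

```python
"""Crypto ACL helper (added example; not the original poster's config).

Wildcard masks on Cisco are the bitwise inverse of the subnet mask, which
is exactly what ipaddress's `hostmask` returns.
"""
import ipaddress
from typing import List

# Subnets taken from the question; the ACL number is an assumed value.
LOCAL = ["84.9.208.128/26", "84.9.206.104/29"]
REMOTE = ["192.168.77.0/24", "192.168.122.0/24"]
ACL = 103


def ace(acl: int, src: ipaddress.IPv4Network, dst: ipaddress.IPv4Network) -> str:
    """Render one extended ACL entry in the question's format."""
    return (f"access-list {acl} permit ip "
            f"{src.network_address} {src.hostmask} "
            f"{dst.network_address} {dst.hostmask}")


def crypto_acl(acl: int, local: List[str], remote: List[str]) -> List[str]:
    """One explicit pair of entries (both directions, as the question's ACL
    does) per local/remote subnet combination; no summarisation."""
    lines = []
    for l in map(ipaddress.ip_network, local):
        for r in map(ipaddress.ip_network, remote):
            lines.append(ace(acl, l, r))
            lines.append(ace(acl, r, l))
    return lines


def matches(acl_line: str, src: str, dst: str) -> bool:
    """Evaluate one 'permit ip S SW D DW' entry with wildcard semantics:
    compare only the bits that are 0 in the wildcard mask."""
    p = acl_line.split()
    s, sw, d, dw = (int(ipaddress.IPv4Address(x)) for x in p[4:8])
    a = int(ipaddress.IPv4Address(src))
    b = int(ipaddress.IPv4Address(dst))
    care_s = ~sw & 0xFFFFFFFF
    care_d = ~dw & 0xFFFFFFFF
    return (a & care_s) == (s & care_s) and (b & care_d) == (d & care_d)


def is_interesting(acl_lines: List[str], src: str, dst: str) -> bool:
    """True if any entry would select this flow for IPsec."""
    return any(matches(line, src, dst) for line in acl_lines)


def summary(nets: List[str]) -> ipaddress.IPv4Network:
    """Smallest single prefix containing every given subnet (what a single
    wildcard entry would have to cover)."""
    n = [ipaddress.ip_network(x) for x in nets]
    cur = n[0]
    while not all(x.subnet_of(cur) for x in n):
        cur = cur.supernet()
    return cur


def class_c_count(net: ipaddress.IPv4Network) -> int:
    """How many /24 networks a prefix admits."""
    return max(1, net.num_addresses // 256)


if __name__ == "__main__":
    for line in crypto_acl(ACL, LOCAL, REMOTE):
        print(line)
    cover = summary(REMOTE)
    print(f"single-prefix cover: {cover} wildcard {cover.hostmask} "
          f"({class_c_count(cover)} class-C networks)")
```

Running the block prints the eight explicit entries and reports the /18 cover; `is_interesting` can then be used to confirm that an address such as 192.168.1.1 is not selected by the explicit entries but would be by the 0.0.255.255 version.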