Fatkid IPSEC+NAT Lab (Innerworkings of IPSEC)

From: Albert Lu (albert_ccie@xxxxxxxxx)
Date: Sat Oct 27 2001 - 21:44:48 GMT-3


Hello Group,

In the Fatkid IPSEC+NAT lab, it specifies an access list on the border
routers, between the private addresses and the public addresses where NAT is
running, that only allows IPSEC traffic and pings to go through.

access-list 100 permit esp host 207.122.1.5 host 207.122.2.3
access-list 100 permit tcp host 207.122.1.5 host 207.122.2.3 eq 50
access-list 100 permit tcp host 207.122.1.5 host 207.122.2.3 eq 51
access-list 100 permit udp host 207.122.1.5 host 207.122.2.3 eq isakmp

Would someone care to give a quick explanation of filtering traffic so that only
IPSEC would pass through it?

The lab only used IPSEC. If I were to use an IPSEC-encrypted GRE tunnel, what
would I need to add to the access-list? Or is it that when you do an encrypted
GRE tunnel, the packets that flow out are IPSEC packets anyway, since the
GRE is inside the IPSEC?

Thanks

Albert

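The following is an added example, not part of Albert's post or the Fatkid lab. It models the quoted access-list 100 as a first-match filter and runs constructed packets through it (peer addresses taken from the post; the Packet model and the ESP wrapping are assumptions) to show what the filter sees in each case: ISAKMP is UDP port 500, ESP and AH are IP protocols 50 and 51 (Cisco keywords esp and ahp) rather than TCP ports, and a GRE packet that has been encrypted arrives at the filter as ESP.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed packet model (not from the original post): only the fields the ACL inspects.
@dataclass
class Packet:
    proto: str                  # IP protocol keyword: esp, ahp, gre, tcp, udp, icmp
    src: str
    dst: str
    dport: Optional[int] = None # L4 destination port, TCP/UDP only

# The lab's access-list 100 as (protocol, src, dst, dport) entries, in order.
ACL_100 = [
    ("esp", "207.122.1.5", "207.122.2.3", None),
    ("tcp", "207.122.1.5", "207.122.2.3", 50),   # matches TCP port 50, not IP protocol 50
    ("tcp", "207.122.1.5", "207.122.2.3", 51),   # matches TCP port 51, not IP protocol 51 (AH)
    ("udp", "207.122.1.5", "207.122.2.3", 500),  # "eq isakmp" is UDP port 500
]

def acl_permits(acl, pkt):
    """First-match evaluation with the implicit 'deny any' at the end of a Cisco ACL."""
    for proto, src, dst, dport in acl:
        if pkt.proto != proto or pkt.src != src or pkt.dst != dst:
            continue
        if dport is not None and pkt.dport != dport:
            continue
        return True
    return False

def encapsulate_in_esp(inner, outer_src, outer_dst):
    """Assumed view of a tunnel-mode SA: the border filter sees only the outer ESP header."""
    return Packet("esp", outer_src, outer_dst)

def lab_results():
    """Which constructed packets access-list 100 lets through between the two peers."""
    a, b = "207.122.1.5", "207.122.2.3"
    gre_plain = Packet("gre", a, b)                   # GRE before encryption: IP protocol 47
    gre_in_esp = encapsulate_in_esp(gre_plain, a, b)  # same packet after IPsec applies
    return {
        "isakmp": acl_permits(ACL_100, Packet("udp", a, b, 500)),
        "esp": acl_permits(ACL_100, Packet("esp", a, b)),
        "ah": acl_permits(ACL_100, Packet("ahp", a, b)),   # AH itself is not permitted
        "tcp_port_50": acl_permits(ACL_100, Packet("tcp", a, b, 50)),
        "gre_unencrypted": acl_permits(ACL_100, gre_plain),
        "gre_over_ipsec": acl_permits(ACL_100, gre_in_esp),
    }

if __name__ == "__main__":
    for name, allowed in lab_results().items():
        print(f"{name:16s} {'permit' if allowed else 'deny'}")
```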


This archive was generated by hypermail 2.1.4 : Thu Jun 20 2002 - 22:33:26 GMT-3