From: Ron Royston (ccie6824@xxxxxxxxxxx)
Date: Sun Oct 28 2001 - 14:11:36 GMT-3
I don't have the Fatkid labs, but I can speak generally about this. There
are a few reasons to use GRE/IPSec tunnels vs. only IPSec tunnels. IPSec
only tunnels cannot carry multiprotocol and multicast traffic (and, in case
you ever have the joy of working with the 5002 concentrator, IPSec only
tunnels don't get past Phase 2 in the ISAKMP setup with a Cisco router,
again, you've gotta use GRE/IPSec tunneling). Your representation of the
Fatkid question is confusing to me. If they want you to establish an
IPSec tunnel that only allows pings, then apply an access-list to your
crypto map that looks something like 'permit icmp NET1 0.0.0.255 NET2
0.0.0.255', then apply the transform sets, crypto map, etc. and you're up.
When you configure a GRE/IPSec tunnel, it is IPSec traffic that is carried
inside a GRE packet, not the other way around. Below is a great link that I
think may help you.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt4/scdencry.htm#xtocid297880
<><><><><><><><><><><><><>
Ron Royston
Avnet Enterprise Solutions
http://www.nsd.avnet.com/
>From: "Albert Lu" <albert_ccie@yahoo.com>
>Reply-To: "Albert Lu" <albert_ccie@yahoo.com>
>To: <ccielab@groupstudy.com>
>Subject: Fatkid IPSEC+NAT Lab (Innerworkings of IPSEC)
>Date: Sun, 28 Oct 2001 11:44:48 +1100
>
>Hello Group,
>
>In the Fatkid IPSEC+NAT lab, it specifies an access list on the border
>routers, between the private addresses and the public addresses where NAT is
>running, that only allows IPSEC traffic and pings to go through.
>
>access-list 100 permit esp host 207.122.1.5 host 207.122.2.3
>access-list 100 permit tcp host 207.122.1.5 host 207.122.2.3 eq 50
>access-list 100 permit tcp host 207.122.1.5 host 207.122.2.3 eq 51
>access-list 100 permit udp host 207.122.1.5 host 207.122.2.3 eq isakmp
>
>Would someone care to give a quick explanation of filtering traffic so only
>IPSEC would pass through it?
>
>The lab only used IPSEC. If I were to use an IPSEC-encrypted GRE tunnel, what
>would I need to add to the access-list? Or is it that when you do an encrypted
>GRE tunnel, the packets that flow out are IPSEC packets anyway, since the
>GRE is inside the IPSEC?
>
>Thanks
>
>Albert
>
>
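Albert's question above about what an IPsec-only filter actually lets through, and the GRE-over-IPsec point in Ron's reply, as an added example that is not part of either post: a small Python evaluator for the quoted extended-ACL lines. The parser handles only the `host`/`any` and `eq` forms that appear in the lab lines; the protocol and port numbers are the standard IANA values (ESP 50, AH 51, GRE 47, ISAKMP UDP/500).

```python
import re

# IOS keywords -> IP protocol numbers ("ip" = any). ESP and AH are IP protocols
# 50 and 51, not TCP ports, so their ACL keywords are "esp" and "ahp".
PROTO = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ahp": 51}
PORT_NAMES = {"isakmp": 500}
ENTRY = re.compile(
    r"access-list\s+\d+\s+(permit|deny)\s+(\S+)\s+"
    r"(?:host\s+(\S+)|(any))\s+(?:host\s+(\S+)|(any))(?:\s+eq\s+(\S+))?$"
)

def parse_acl(text):
    """Turn extended-ACL lines (host/any addresses, optional "eq <port>", the
    shapes used in the lab) into (action, proto, src, dst, dport) rules."""
    rules = []
    for line in text.strip().splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            raise ValueError("unsupported ACL line: " + line)
        action, proto, src, _, dst, _, port = m.groups()
        dport = None if port is None else PORT_NAMES.get(port) or int(port)
        rules.append((action, PROTO[proto], src or "any", dst or "any", dport))
    return rules

def permits(rules, proto, src, dst, dport=None):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for action, r_proto, r_src, r_dst, r_dport in rules:
        if ((r_proto is None or r_proto == proto)
                and r_src in ("any", src) and r_dst in ("any", dst)
                and (r_dport is None or r_dport == dport)):
            return action == "permit"
    return False

# The four lines quoted from the lab (peers 207.122.1.5 and 207.122.2.3).
LAB_ACL = """
access-list 100 permit esp host 207.122.1.5 host 207.122.2.3
access-list 100 permit tcp host 207.122.1.5 host 207.122.2.3 eq 50
access-list 100 permit tcp host 207.122.1.5 host 207.122.2.3 eq 51
access-list 100 permit udp host 207.122.1.5 host 207.122.2.3 eq isakmp
"""

def check_lab_acl(src="207.122.1.5", dst="207.122.2.3"):
    """What the lab filter passes for each kind of tunnel traffic from src to dst."""
    rules = parse_acl(LAB_ACL)
    return {
        "isakmp": permits(rules, 17, src, dst, 500),    # IKE negotiation, UDP/500
        "esp": permits(rules, 50, src, dst),            # the encrypted tunnel packets
        "ah": permits(rules, 51, src, dst),             # protocol 51; "tcp eq 51" never matches it
        "gre_cleartext": permits(rules, 47, src, dst),  # GRE the crypto map did not encrypt
        "gre_inside_esp": permits(rules, 50, src, dst), # encrypted GRE arrives as ESP
    }
```

Running `check_lab_acl()` shows the filter passes ISAKMP and ESP but not AH or cleartext GRE, and that GRE carried inside ESP needs no extra entry because the outer header is already ESP.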
This archive was generated by hypermail 2.1.4 : Thu Jun 20 2002 - 22:33:26 GMT-3