From: JamesGEF (jamesgef@sympatico.ca)
Date: Tue Nov 18 2003 - 23:45:36 GMT-3
I'm simulating a situation where I have a router that is connected to the
Internet and to a private LAN. Now, NAT translates inside private IP addresses
to a public IP. I've also configured CBAC so that all outbound connections are
permitted back in and no inbound connections are permitted on the outside
interface other than IPsec packets:
  interface fa0/0
   description Outside interface
   ip address 207.1.1.1 255.255.255.0
   ip nat outside
   ip access-group 101 in
  !
  ! ESP is IP protocol 50, AH is protocol 51, ISAKMP is UDP/500
  access-list 101 permit esp any host 207.1.1.1
  access-list 101 permit ahp any host 207.1.1.1
  access-list 101 permit udp any host 207.1.1.1 eq 500
Now, my VPN tunnel comes up fine. I can make outbound connections from my
private LAN to the other end of the VPN connection.
When the remote end tries to initiate a connection to the local LAN of this
router, access-list 101 denies the packets (I see them in my log). I have to
explicitly allow the connections from the remote VPN LAN in ACL 101.
On the PIX, there's a command "sysopt connection permit-ipsec" that removes
the need to create external access-lists for VPN connections. Is there such a
command for Cisco IOS routers?
What's the best practice in this situation so that I don't have to create ACL
entries on my public interface permitting access to private LAN?
Thanks!
James
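The workaround James describes (explicitly permitting the remote VPN LAN in ACL 101) written out as an added illustration; this is not James's configuration and not a Cisco-supplied answer. With a classic crypto map on the outside interface, IOS evaluates an inbound packet against the interface ACL twice: once as the encrypted ESP/AH packet and again after decryption as the cleartext packet from the remote LAN, which is why the deny shows up in the log. The addresses 192.168.1.0/24 (local LAN) and 192.168.2.0/24 (remote VPN LAN) are constructed placeholders, and the `deny ... log` line is added so the hits remain visible.

```cisco
! Added example, not from the original post. Addresses are placeholders.
interface fa0/0
 description Outside interface
 ip address 207.1.1.1 255.255.255.0
 ip nat outside
 ip access-group 101 in
!
! IPsec control and data traffic to the outside address
access-list 101 permit esp any host 207.1.1.1
access-list 101 permit ahp any host 207.1.1.1
access-list 101 permit udp any host 207.1.1.1 eq 500
!
! Decrypted traffic from the remote VPN LAN is checked against this ACL
! a second time, so it needs its own entry. Keep it as narrow as the
! crypto ACL: remote LAN -> local LAN only, not "any".
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! Everything else from the Internet is dropped; log it so misses are visible
access-list 101 deny ip any any log
```

The permit for the remote LAN should mirror the crypto ACL's interesting-traffic definition exactly, so that the interface ACL never admits more cleartext than the tunnel is allowed to carry; if the tunnel is torn down, the router also needs the crypto map in place for the source addresses to be trusted at all, since nothing in an interface ACL alone proves that 192.168.2.0/24 traffic actually arrived through IPsec.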
This archive was generated by hypermail 2.1.4 : Fri Dec 12 2003 - 12:29:14 GMT-3