From: yuki hisano (yukyhisano@hotmail.com)
Date: Wed Nov 19 2003 - 03:46:06 GMT-3
Isn't that supposed to be "access-list 101 permit 50 any host 207.1.1.1
(esp)"?
ESP's protocol # is 50.
Yuki
>From: "JamesGEF" <jamesgef@sympatico.ca>
>Reply-To: "JamesGEF" <jamesgef@sympatico.ca>
>To: <ccielab@groupstudy.com>
>Subject: IPSec question with CBAC
>Date: Tue, 18 Nov 2003 21:45:36 -0500
>
>I'm simulating a situation where I have a router that is connected to the
>Internet and to a private LAN. Now, NAT translates inside private IP address
>to public IP. I've also configured CBAC so that all outbound connections are
>permitted back in and no inbound connections are permitted on the outside
>interface other than IPSec packets:
>
>interface fa0/0
> descripton Outside interface
> ip address 207.1.1.1 255.255.255.0
> ip nat outside
> ip access-group 101 in
>
>access-list 101 permit 51 any host 207.1.1.1 (esp)
>access-list 101 permit 51 any host 207.1.1.1 (ahp)
>access-list 101 permit udp any host 207.1.1.1 eq 500 (isakmp)
>
>Now, my VPN tunnel comes up fine. I could make outbound connections from my
>private LAN to the other end of the VPN connection.
>
>When the remote end tries to initiate a connection to the local LAN of this router,
>access-list 101 denies the packets (I see them in my log). I have to
>explicitly allow the connections from the remote VPN LAN on ACL 101.
>
>On the PIX, there's a command "sysopt connection permit-ipsec" that removes
>the need to create external access-lists for VPN connections. Is there such a
>command for Cisco IOS routers?
>
>What's the best practice in this situation so that I don't have to create ACL
>entries on my public interface permitting access to private LAN?
>
>Thanks!
>
>James
>
This archive was generated by hypermail 2.1.4 : Fri Dec 12 2003 - 12:29:14 GMT-3
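As an added illustration (not from the thread or from Cisco), a small Python checker for the protocol-number mismatch Yuki points out: it parses numbered IOS extended ACL entries annotated the way James wrote them and flags any entry whose protocol number or port disagrees with the IPsec service named in the parenthesised note (ESP is IP protocol 50, AH is 51, ISAKMP is UDP 500). The regex, the keyword tables and the `(esp)` annotation convention are assumptions of this example; the notes themselves are not IOS syntax.

```python
import re

# IANA assignments for the IPsec services named in the annotations:
# ESP is IP protocol 50, AH is IP protocol 51, ISAKMP is UDP port 500.
IPSEC_SERVICES = {"esp": ("ip_proto", 50), "ahp": ("ip_proto", 51), "isakmp": ("udp_port", 500)}
# IOS keywords accepted in place of numbers (subset, assumed here).
PROTO_KEYWORDS = {"esp": 50, "ahp": 51, "udp": 17, "tcp": 6, "icmp": 1}
PORT_KEYWORDS = {"isakmp": 500}

# Numbered extended ACL entry as posted above, with an optional trailing
# "(esp)"-style annotation (the note itself is not IOS syntax).
ACL_RE = re.compile(
    r"^access-list\s+(?P<acl>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host\s+\S+)\s+(?P<dst>any|host\s+\S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?(?:\s+\((?P<note>\w+)\))?\s*$"
)

def _number(token, keywords):
    """Resolve a numeric token or an IOS keyword (None if absent or unknown)."""
    if token is None:
        return None
    return int(token) if token.isdigit() else keywords.get(token)

def check_ipsec_acl(lines):
    """Return (entry, problem) pairs for annotated entries that do not admit
    the IPsec service named in their note; unannotated entries are skipped."""
    findings = []
    for line in lines:
        m = ACL_RE.match(line.strip())
        if not m or m["note"] not in IPSEC_SERVICES:
            continue
        kind, expected = IPSEC_SERVICES[m["note"]]
        proto = _number(m["proto"], PROTO_KEYWORDS)
        port = _number(m["port"], PORT_KEYWORDS)
        if kind == "ip_proto" and proto != expected:
            findings.append((line, f"{m['note']} is IP protocol {expected}, entry permits protocol {proto}"))
        elif kind == "udp_port" and (proto != 17 or port != expected):
            findings.append((line, f"{m['note']} is udp/{expected}, entry permits {m['proto']}/{m['port']}"))
    return findings

# The three entries exactly as posted, and the same set with the ESP entry fixed to 50.
POSTED_ACL = [
    "access-list 101 permit 51 any host 207.1.1.1 (esp)",
    "access-list 101 permit 51 any host 207.1.1.1 (ahp)",
    "access-list 101 permit udp any host 207.1.1.1 eq 500 (isakmp)",
]
CORRECTED_ACL = [POSTED_ACL[0].replace("permit 51", "permit 50")] + POSTED_ACL[1:]
```

Running `check_ipsec_acl(POSTED_ACL)` reports only the first entry (ESP written as protocol 51), and the corrected set passes clean.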