Re: IPSec question with CBAC

From: Nguyen Hoang Long (ng-hlong@hn.vnn.vn)
Date: Wed Nov 19 2003 - 18:53:36 GMT-3


No, even in IOS 12.3 T, I cannot find any command which has the same
function as PIX's "sysopt connection permit-ipsec".

Long
CCNA/CCNP/CCIE Bootcamp
www.vn-experts.net.vn

----- Original Message -----
From: "JamesGEF" <jamesgef@sympatico.ca>
To: <ccielab@groupstudy.com>
Sent: Tuesday, November 18, 2003 6:45 PM
Subject: IPSec question with CBAC

> I'm simulating a situation where I have a router that is connected to the
> Internet and to a private LAN. Now, NAT translates inside private IP addresses
> to public IPs. I've also configured CBAC so that all outbound connections are
> permitted back in and no inbound connections are permitted on the outside
> interface other than IPSec packets:
>
> interface fa0/0
>  description Outside interface
>  ip address 207.1.1.1 255.255.255.0
>  ip nat outside
>  ip access-group 101 in
>
> access-list 101 permit esp any host 207.1.1.1
> access-list 101 permit ahp any host 207.1.1.1
> access-list 101 permit udp any host 207.1.1.1 eq isakmp
>
> Now, my VPN tunnel comes up fine. I could make outbound connections from my
> private LAN to the other end of the VPN connection.
>
> When the remote end tries to initiate a connection to the local LAN of this
> router, access-list 101 denies the packets (I see them in my log). I have to
> explicitly allow the connections from the remote VPN LAN on ACL 101.
>
> On the PIX, there's a command "sysopt connection permit-ipsec" that removes
> the need to create external access-lists for VPN connections. Is there such a
> command for Cisco IOS routers?
>
> What's the best practice in this situation so that I don't have to create ACL
> entries on my public interface permitting access to the private LAN?
>
> Thanks!
>
> James
>

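Added example, not code from the thread: a small Python evaluator for inbound ACL 101 as James posted it (the ESP/AH/ISAKMP entries plus the implicit deny), showing why a connection initiated from the remote VPN LAN is denied until an explicit entry for that LAN is added, which is what his log shows. The private LAN ranges 10.1.0.0/16 and 10.2.0.0/16 and the peer address 198.51.100.7 are assumptions; the thread gives none.

```python
import ipaddress

# Protocol and port keywords accepted by classic IOS extended ACLs (subset).
PROTO_NAMES = {"ip": 0, "tcp": 6, "udp": 17, "esp": 50, "50": 50, "ahp": 51, "51": 51}
PORT_NAMES = {"isakmp": 500}

def _parse_addr(toks, i):
    """Return (network, next_index) for 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(toks[i + 1]))          # IOS wildcard = inverted mask
    netmask = ipaddress.ip_address((~wildcard) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{toks[i]}/{netmask}", strict=False), i + 2

def parse_acl(lines):
    """Parse 'access-list N action proto src dst [eq port]' lines into tuples."""
    entries = []
    for line in lines:
        toks = line.split()
        if len(toks) < 4 or toks[0] != "access-list":
            continue                                            # blank or comment line
        action, proto = toks[2], toks[3]
        src, i = _parse_addr(toks, 4)
        dst, i = _parse_addr(toks, i)
        port = None
        if i + 1 < len(toks) and toks[i] == "eq":
            port = PORT_NAMES.get(toks[i + 1]) or int(toks[i + 1])
        entries.append((action, proto, src, dst, port))
    return entries

def evaluate(acl, packet):
    """First matching entry wins; an implicit 'deny ip any any' ends the list, as in IOS."""
    proto, src, dst, port = packet
    for action, eproto, esrc, edst, eport in acl:
        enum = PROTO_NAMES[eproto]
        if enum not in (0, PROTO_NAMES[proto]):                 # 'ip' matches every protocol
            continue
        if ipaddress.ip_address(src) not in esrc or ipaddress.ip_address(dst) not in edst:
            continue
        if eport is not None and eport != port:
            continue
        return action
    return "deny"

# ACL 101 exactly as on the outside interface in the thread.
ACL_101 = parse_acl(["access-list 101 permit esp any host 207.1.1.1",
                     "access-list 101 permit ahp any host 207.1.1.1",
                     "access-list 101 permit udp any host 207.1.1.1 eq isakmp"])
# Constructed: the explicit entry for the remote VPN LAN that James has to add (addresses assumed).
ACL_101_WITH_VPN = ACL_101 + parse_acl(["access-list 101 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255"])

def demo():
    """Tunnel traffic passes; the decrypted inner packet is re-checked and needs its own entry."""
    inner = ("tcp", "10.2.0.5", "10.1.0.9", 445)               # remote LAN host -> local LAN host
    return {"isakmp": evaluate(ACL_101, ("udp", "198.51.100.7", "207.1.1.1", 500)),
            "esp": evaluate(ACL_101, ("esp", "198.51.100.7", "207.1.1.1", None)),
            "inner_without_entry": evaluate(ACL_101, inner),
            "inner_with_entry": evaluate(ACL_101_WITH_VPN, inner)}
```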


This archive was generated by hypermail 2.1.4 : Fri Dec 12 2003 - 12:29:14 GMT-3