Re: IPSec question with CBAC

From: Nguyen Hoang Long (ng-hlong@hn.vnn.vn)
Date: Wed Nov 19 2003 - 20:22:56 GMT-3


Yuki,
There's some way to work around it, but what James means here is how to bypass
ACL checking once the traffic comes in from the IPSec tunnel.
Is that really what you want, James?

Long
CCNA/CCNP/CCIE bootcamp
www.vn-experts.net.vn

----- Original Message -----
From: "yuki hisano" <yukyhisano@hotmail.com>
To: <jamesgef@sympatico.ca>; <ccielab@groupstudy.com>
Sent: Tuesday, November 18, 2003 10:46 PM
Subject: Re: IPSec question with CBAC

> Isn't that supposed to be "access-list 101 permit 50 any host 207.1.1.1
> (esp)"?
> ESP's protocol # is 50.
>
> Yuki
>
>
> >From: "JamesGEF" <jamesgef@sympatico.ca>
> >Reply-To: "JamesGEF" <jamesgef@sympatico.ca>
> >To: <ccielab@groupstudy.com>
> >Subject: IPSec question with CBAC
> >Date: Tue, 18 Nov 2003 21:45:36 -0500
> >
> >I'm simulating a situation where I have a router that is connected to the
> >Internet and to a private LAN. Now, NAT translates inside private IP
> >addresses to public IP. I've also configured CBAC so that all outbound
> >connections are permitted back in and no inbound connections are permitted
> >on the outside interface other than IPSec packets:
> >
> >interface fa0/0
> > description Outside interface
> > ip address 207.1.1.1 255.255.255.0
> > ip nat outside
> > ip access-group 101 in
> >
> >access-list 101 permit 51 any host 207.1.1.1 (esp)
> >access-list 101 permit 51 any host 207.1.1.1 (ahp)
> >access-list 101 permit udp any host 207.1.1.1 eq 500 (isakmp)
> >
> >Now, my VPN tunnel comes up fine. I can make outbound connections from
> >my private LAN to the other end of the VPN connection.
> >
> >When the remote end tries to initiate a connection to the local LAN of this
> >router, access-list 101 denies the packets (I see them in my log). I have to
> >explicitly allow the connections from the remote VPN LAN on ACL 101.
> >
> >On the PIX, there's a command "sysopt connection permit-ipsec" that
> >removes the need to create external access-lists for VPN connections. Is
> >there such a command for Cisco IOS routers?
> >
> >What's the best practice in this situation so that I don't have to create
> >ACL entries on my public interface permitting access to the private LAN?
> >
> >Thanks!
> >
> >James
> >
> >_______________________________________________________________________
> >Please help support GroupStudy by purchasing your study materials from:
> >http://shop.groupstudy.com
> >
> >Subscription information may be found at:
> >http://www.groupstudy.com/list/CCIELab.html
>
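As an added example (not from any of the posts above), here is how the outside-interface ACL from James's message looks once the ESP entry is corrected from protocol 51 to protocol 50, written with the IOS protocol keywords instead of bare numbers, with CBAC inspection applied and with the explicit entry for the remote VPN LAN that James says he currently has to add. The subnets 10.1.1.0/24 (local LAN) and 10.2.2.0/24 (remote VPN LAN) and the inspect-rule name CBAC are assumptions; the crypto map, ISAKMP policy and NAT exemption are not shown.

```cisco
! Assumed topology (constructed for this example):
!   local LAN  10.1.1.0/24 behind fa0/0 (207.1.1.1)
!   remote LAN 10.2.2.0/24 reached through the IPSec tunnel
!
! CBAC: inspect outbound TCP/UDP sessions so their return traffic is
! opened dynamically through access-list 101.
ip inspect name CBAC tcp
ip inspect name CBAC udp
!
interface FastEthernet0/0
 description Outside interface
 ip address 207.1.1.1 255.255.255.0
 ip nat outside
 ip inspect CBAC out
 ip access-group 101 in
!
! IPSec control and data traffic to the router's own outside address.
! "esp" is IP protocol 50, "ahp" is IP protocol 51; the original post
! used 51 for both, which is why the tunnel's ESP packets were dropped.
access-list 101 permit esp any host 207.1.1.1
access-list 101 permit ahp any host 207.1.1.1
access-list 101 permit udp any host 207.1.1.1 eq 500
!
! Workaround described in the thread: explicitly admit the remote VPN
! LAN to the local LAN. At the access-list level this matches on the
! cleartext source/destination only, which is what makes it wider than
! the PIX "sysopt connection permit-ipsec" behaviour James asks about.
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
! Log whatever is still dropped, matching the "I see them in my log"
! observation in the original post.
access-list 101 deny ip any any log
```

With the keyword form, `show access-lists 101` displays `esp` and `ahp` by name, so a transposed protocol number is visible at a glance; the same two lines written as `permit 50` and `permit 51` are equivalent, only harder to read.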



This archive was generated by hypermail 2.1.4 : Fri Dec 12 2003 - 12:29:14 GMT-3