Re: IPSec question with CBAC

From: JamesGEF (jamesgef@sympatico.ca)
Date: Wed Nov 19 2003 - 09:57:11 GMT-3


That's exactly what I would like. Adding the permit statements on the
outside interface ACL towards my inside network for incoming IPSec traffic
loosens the security.

Guess there's no other way....

James

----- Original Message -----
From: "Nguyen Hoang Long" <ng-hlong@hn.vnn.vn>
To: "yuki hisano" <yukyhisano@hotmail.com>; <jamesgef@sympatico.ca>;
<ccielab@groupstudy.com>
Sent: Wednesday, November 19, 2003 6:22 PM
Subject: Re: IPSec question with CBAC

> Yuki,
> There's some way to work around, but what James means here is how to bypass
> ACL checking once the traffic comes in from IPSec tunnel.
> Is that really what you want, James ?
>
> Long
> CCNA/CCNP/CCIE bootcamp
> www.vn-experts.net.vn
>
> ----- Original Message -----
> From: "yuki hisano" <yukyhisano@hotmail.com>
> To: <jamesgef@sympatico.ca>; <ccielab@groupstudy.com>
> Sent: Tuesday, November 18, 2003 10:46 PM
> Subject: Re: IPSec question with CBAC
>
>
> > Isn't that supposed to be "access-list 101 permit 50 any host 207.1.1.1
> > (esp)"?
> > ESP's protocol # is 50.
> >
> > Yuki
> >
> >
> > >From: "JamesGEF" <jamesgef@sympatico.ca>
> > >Reply-To: "JamesGEF" <jamesgef@sympatico.ca>
> > >To: <ccielab@groupstudy.com>
> > >Subject: IPSec question with CBAC
> > >Date: Tue, 18 Nov 2003 21:45:36 -0500
> > >
> > >I'm simulating a situation where I have a router that is connected to the
> > >Internet and to a private LAN. Now, NAT translates inside private IP
> > >addresses to public IPs. I've also configured CBAC so that all outbound
> > >connections are permitted back in and no inbound connections are
> > >permitted on the outside interface other than IPSec packets:
> > >
> > >interface fa0/0
> > > description Outside interface
> > > ip address 207.1.1.1 255.255.255.0
> > > ip nat outside
> > > ip access-group 101 in
> > >
> > >access-list 101 permit 51 any host 207.1.1.1 (esp)
> > >access-list 101 permit 51 any host 207.1.1.1 (ahp)
> > >access-list 101 permit udp any host 207.1.1.1 eq 500 (isakmp)
> > >
> > >Now, my VPN tunnel comes up fine. I could make outbound connections from
> > >my private lan to the other end of the VPN connection.
> > >
> > >When the remote end tries to initiate a connection to the local lan of this
> > >router, access-list 101 denies the packets (I see them in my log). I have to
> > >explicitly allow the connections from the remote VPN lan on ACL 101.
> > >
> > >On the PIX, there's a command "sysopt connection permit-ipsec" that removes
> > >the need to create external access-lists for VPN connections. Is there
> > >such a command for Cisco IOS routers?
> > >
> > >What's the best practice in this situation so that I don't have to create
> > >ACL entries on my public interface permitting access to the private LAN?
> > >
> > >Thanks!
> > >
> > >James
> > >
> > >_______________________________________________________________________
> > >Please help support GroupStudy by purchasing your study materials from:
> > >http://shop.groupstudy.com
> > >
> > >Subscription information may be found at:
> > >http://www.groupstudy.com/list/CCIELab.html
> >



This archive was generated by hypermail 2.1.4 : Fri Dec 12 2003 - 12:29:14 GMT-3
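The configuration below is an added example and was not posted in this thread. It shows the outside-interface ACL from James' post with the protocol numbers corrected as Yuki points out (ESP is IP protocol 50, AH is 51), the CBAC inspection that opens the return path for outbound sessions, and the narrowest form of the workaround James ended up with: a permit scoped to the remote VPN LAN and the local LAN only, rather than a broad permit into the private network. 207.1.1.1 is the public address from the post; the local LAN 10.1.1.0/24, the remote VPN LAN 10.2.2.0/24 and the crypto map name VPN are assumptions.

```cisco
! Added example configuration, not from the thread.
! Assumed: local LAN 10.1.1.0/24, remote VPN LAN 10.2.2.0/24, crypto map "VPN".
!
! Weak form, as posted: protocol 51 is AH, so both lines permit AH and
! neither permits ESP (protocol 50).
!   access-list 101 permit 51 any host 207.1.1.1
!   access-list 101 permit 51 any host 207.1.1.1
!
! Corrected ACL: from the Internet, only IKE and IPsec may reach the router's
! own public address; nothing else is permitted inbound unless CBAC opened it.
access-list 101 remark --- IKE and IPsec to the outside address only ---
access-list 101 permit udp any host 207.1.1.1 eq isakmp
access-list 101 permit esp any host 207.1.1.1
access-list 101 permit ahp any host 207.1.1.1
access-list 101 remark --- decrypted traffic is checked against this ACL again ---
access-list 101 remark --- permit only the remote VPN LAN to the local LAN ---
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 remark --- everything else is dropped and logged ---
access-list 101 deny   ip any any log
!
! CBAC: inspect outbound sessions on the outside interface so that their
! return traffic is let back in through ACL 101 without static permits.
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC icmp
!
interface FastEthernet0/0
 description Outside interface
 ip address 207.1.1.1 255.255.255.0
 ip nat outside
 ip access-group 101 in
 ip inspect CBAC out
 crypto map VPN
```

The LAN-to-LAN permit must sit above the final deny and should be no wider than the address pair the crypto map actually protects. The exposure James is worried about (a cleartext packet arriving on fa0/0 with a forged 10.2.2.0/24 source) is limited by the crypto engine itself: an unencrypted packet that matches the crypto map's access list is dropped and logged as %CRYPTO-4-RECVD_PKT_NOT_IPSEC, so watching for that message alongside the ACL 101 denies is the detection point for both misconfiguration and spoofing attempts. The `log` keyword on the closing deny is what produces the denials James mentions seeing and is worth keeping.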