Re: IPSec question with CBAC

From: JamesGEF (jamesgef@sympatico.ca)
Date: Wed Nov 19 2003 - 10:36:56 GMT-3


Marcelo,

Thanks for the suggestions. I was just wondering if there was any other
way. I've got it working with GRE and it's the only way.

Thanks for your suggestions...they've been very helpful.

Brgds,

James

----- Original Message -----
From: "Medina, Marcelo [IT]" <marcelo.medina@citigroup.com>
To: "'JamesGEF'" <jamesgef@sympatico.ca>
Cc: "Nguyen Hoang Long" <ng-hlong@hn.vnn.vn>; "yuki hisano"
<yukyhisano@hotmail.com>; <ccielab@groupstudy.com>
Sent: Wednesday, November 19, 2003 8:24 AM
Subject: RE: IPSec question with CBAC

> James,
>
> http://www.cisco.com/warp/public/556/5.html should explain the flow. For
> IPSec, the packet is checked twice against the access list: once to verify
> if ESP is allowed (ip-prot=50) and again to verify if the unencrypted
> packet is allowed.
>
> Unfortunately you did not display the IPSec configuration. But I'd guess
> you are either doing point-to-point IPSec or remote-access.
>
> If you are doing point-to-point IPsec, you must have defined the remote end
> networks. So you also need to add to acl 101 the traffic from those remote
> networks to your internal private. For point-to-point, here is how you can
> add security. Don't do IPSec on top of the native IP packet. Create a GRE
> tunnel, then IPSec the GRE tunnel. So acl 101 would allow IPsec and GRE.
> Then on your GRE tunnel interface you can add other acls to filter what your
> remote end devices are allowed to do.
>
> If you are doing remote-access, then you need to add to acl 101 packets
> sourced from your pool to your internal privates. You can add security with
> extra authentication to buy you some comfort of having the traffic allowed
> into your inbound network. Sorry for not having more comfort there; it may
> have been better to have your remote-access VPN behind your border router.
>
> If you want to post the IPSec config, I may be able to give more ideas. I
> would recommend you make the end-point for the IPSec something else behind
> the Internet router though.
>
> Rgds,
>
> Marcelo Medina
> CitiPlex Engineering
> 301 680-3993
>
> -----Original Message-----
> From: JamesGEF [mailto:jamesgef@sympatico.ca]
> Sent: Wednesday, November 19, 2003 7:57 AM
> To: Nguyen Hoang Long; yuki hisano; ccielab@groupstudy.com
> Subject: Re: IPSec question with CBAC
>
>
> That's exactly what I would like. Adding the permit statements on the
> outside interface ACL towards my inside network for incoming IPSec traffic
> loosens the security.
>
> Guess there's no other way....
>
>
> James
>
>
> ----- Original Message -----
> From: "Nguyen Hoang Long" <ng-hlong@hn.vnn.vn>
> To: "yuki hisano" <yukyhisano@hotmail.com>; <jamesgef@sympatico.ca>;
> <ccielab@groupstudy.com>
> Sent: Wednesday, November 19, 2003 6:22 PM
> Subject: Re: IPSec question with CBAC
>
>
> > Yuki,
> > There's some way to work around, but what James means here is how to bypass
> > ACL checking once the traffic comes in from the IPSec tunnel.
> > Is that really what you want, James?
> >
> > Long
> > CCNA/CCNP/CCIE bootcamp
> > www.vn-experts.net.vn
> >
> > ----- Original Message -----
> > From: "yuki hisano" <yukyhisano@hotmail.com>
> > To: <jamesgef@sympatico.ca>; <ccielab@groupstudy.com>
> > Sent: Tuesday, November 18, 2003 10:46 PM
> > Subject: Re: IPSec question with CBAC
> >
> >
> > > Isn't that supposed to be "access-list 101 permit 50 any host 207.1.1.1
> > > (esp)"?
> > > ESP's protocol # is 50.
> > >
> > > Yuki
> > >
> > >
> > > >From: "JamesGEF" <jamesgef@sympatico.ca>
> > > >Reply-To: "JamesGEF" <jamesgef@sympatico.ca>
> > > >To: <ccielab@groupstudy.com>
> > > >Subject: IPSec question with CBAC
> > > >Date: Tue, 18 Nov 2003 21:45:36 -0500
> > > >
> > > >I'm simulating a situation where I have a router that is connected to the
> > > >Internet and to a private LAN. Now, NAT translates inside private IP
> > > >addresses to public IPs. I've also configured CBAC so that all outbound
> > > >connections are permitted back in and no inbound connections are permitted
> > > >on the outside interface other than IPSec packets:
> > > >
> > > >interface fa0/0
> > > > description Outside interface
> > > > ip address 207.1.1.1 255.255.255.0
> > > > ip nat outside
> > > > ip access-group 101 in
> > > >
> > > >access-list 101 permit 51 any host 207.1.1.1 (esp)
> > > >access-list 101 permit 51 any host 207.1.1.1 (ahp)
> > > >access-list 101 permit udp any host 207.1.1.1 eq 500 (isakmp)
> > > >
> > > >Now, my VPN tunnel comes up fine. I could make outbound connections from my
> > > >private LAN to the other end of the VPN connection.
> > > >
> > > >When the remote end tries to initiate a connection to the local LAN of this
> > > >router, access-list 101 denies the packets (I see them in my log). I have to
> > > >explicitly allow the connections from the remote VPN LAN on ACL 101.
> > > >
> > > >On the PIX, there's a command "sysopt connection permit-ipsec" that removes
> > > >the need to create external access-lists for VPN connections. Is there such a
> > > >command for Cisco IOS routers?
> > > >
> > > >What's the best practice in this situation so that I don't have to create ACL
> > > >entries on my public interface permitting access to the private LAN?
> > > >
> > > >Thanks!
> > > >
> > > >James
> > > >
> > >
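As an added illustration of the GRE-over-IPsec layout Marcelo describes (this is not configuration posted by anyone in the thread): the outside ACL admits only ISAKMP, ESP, AH and GRE from the known peer, the decrypted packet that is re-checked against ACL 101 is a GRE packet addressed to the router rather than LAN-to-LAN traffic, and the remote LAN's permissions live on the tunnel interface. The peer 198.51.100.2, the LANs 192.168.1.0/24 and 192.168.2.0/24, the tunnel addressing, ACLs 102 and 110, the names VPN and TS, and the pre-shared key are all placeholders; 207.1.1.1 and ACL 101 are from James's post.

```cisco
! Outside interface: only ISAKMP, ESP, AH and GRE from the known peer reach
! the router itself. Nothing here permits traffic toward the private LAN;
! the assumed existing "ip inspect" (CBAC) rule still opens return traffic.
interface FastEthernet0/0
 description Outside interface
 ip address 207.1.1.1 255.255.255.0
 ip nat outside
 ip access-group 101 in
 crypto map VPN
!
access-list 101 permit udp host 198.51.100.2 host 207.1.1.1 eq isakmp
access-list 101 permit esp host 198.51.100.2 host 207.1.1.1
access-list 101 permit ahp host 198.51.100.2 host 207.1.1.1
! The decrypted packet is checked against ACL 101 a second time; with GRE
! over IPsec that inner packet is GRE to the router, not LAN-to-LAN traffic.
access-list 101 permit gre host 198.51.100.2 host 207.1.1.1
!
! The GRE tunnel carries the site-to-site traffic and gets its own inbound
! ACL, so the remote LAN's rights are decided here, not on the Internet ACL.
interface Tunnel0
 description GRE to remote site, protected by IPsec (placeholder addressing)
 ip address 10.255.255.1 255.255.255.252
 ip access-group 102 in
 tunnel source FastEthernet0/0
 tunnel destination 198.51.100.2
!
! Placeholder policy: remote LAN 192.168.2.0/24 may reach only one internal
! server on tcp/443; everything else from the tunnel is dropped and logged.
access-list 102 permit tcp 192.168.2.0 0.0.0.255 host 192.168.1.10 eq 443
access-list 102 deny ip any any log
!
! IPsec protects exactly the GRE packets between the two tunnel endpoints.
access-list 110 permit gre host 207.1.1.1 host 198.51.100.2
!
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-PSK address 198.51.100.2
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TS
 match address 110
!
ip route 192.168.2.0 255.255.255.0 Tunnel0
```

Because LAN-to-remote-LAN traffic leaves via Tunnel0, which is neither `ip nat inside` nor `ip nat outside`, it is not translated, so no NAT exemption is needed for the tunnelled traffic.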



This archive was generated by hypermail 2.1.4 : Fri Dec 12 2003 - 12:29:14 GMT-3