Re: Site-to-Site VPN - ACL question

From: CXP Peter (peter@cyscoexpert.com)
Date: Wed Dec 10 2003 - 00:55:58 GMT-3


You still need to permit it, though. Traffic will be decrypted and compared
with the ACL that is applied to the physical interface on which it arrives.
So the ACL will be checked twice and you will need to permit ISAKMP, ESP
protocol and the subnet traffic as well. Here are my matches when I go
across the tunnel:

After ACL counter is cleared and no tunnel up:
Firewall#show access-li SECURITY
Extended IP access list SECURITY
    deny 53 any any
    deny 55 any any
    deny 77 any any
    deny pim any any
    permit ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255 <---
    ...
    deny ip any 10.0.0.0 0.255.255.255 log
    deny ip any 172.16.0.0 0.15.255.255 log
    deny ip any 192.168.0.0 0.0.255.255 log
    deny ip 10.0.0.0 0.255.255.255 any log
    deny ip 172.16.0.0 0.15.255.255 any log
    deny ip 192.168.0.0 0.0.255.255 any log
    permit udp any any eq isakmp <---
    permit esp any any <---
    deny icmp any any echo
    deny tcp any any eq 135
    deny ip any any log

After successful telnet connection over IPSec tunnel:
Firewall#show access-li SECURITY
Extended IP access list SECURITY
    deny 53 any any
    deny 55 any any
    deny 77 any any
    deny pim any any
    permit ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255 (33 matches) <---
    ...
    deny ip any 10.0.0.0 0.255.255.255 log
    deny ip any 172.16.0.0 0.15.255.255 log
    deny ip any 192.168.0.0 0.0.255.255 log
    deny ip 10.0.0.0 0.255.255.255 any log
    deny ip 172.16.0.0 0.15.255.255 any log
    deny ip 192.168.0.0 0.0.255.255 any log
    permit udp any any eq isakmp (12 matches) <---
    permit esp any any (31 matches) <---
    deny icmp any any echo
    deny tcp any any eq 135
    deny ip any any log

_____________________________
Peter
#7247 (R&S, Security, SP)
CyscoExpert Corp.
4433 W. Touhy Ave. Suite 410
Lincolnwood, IL 60712
Phone (847) 674-3392
Toll Free (866) CyscoXP (297-2697)
Fax (847) 674-2625
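To make the double check visible, here is an added model (not from Peter's post or any Cisco software) of how an inbound interface ACL is consulted twice on IPsec traffic: once on the outer ESP packet as it arrives, and again on the decrypted inner packet. The ACL is an abbreviated version of the SECURITY list above; the peer addresses 203.0.113.1/.2 and the telnet hosts are constructed for illustration.

```python
# Added example: two-pass ACL evaluation on an IPsec-terminating interface.
# Constructed addresses; the ACL is a shortened copy of the SECURITY list.
import ipaddress

def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a set bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)

# ACE tuple: (action, proto, src, src_wildcard, dst, dst_wildcard, dst_port)
ANY = ("0.0.0.0", "255.255.255.255")
SECURITY_ACL = [
    ("permit", "ip",  "10.10.11.0", "0.0.0.255", "10.10.10.0", "0.0.0.255", None),
    ("deny",   "ip",  *ANY, "10.0.0.0", "0.255.255.255", None),  # anti-spoof, log
    ("permit", "udp", *ANY, *ANY, 500),                          # isakmp
    ("permit", "esp", *ANY, *ANY, None),
    ("deny",   "ip",  *ANY, *ANY, None),                         # explicit deny, log
]

def evaluate(acl, pkt):
    """Return (action, index) of the first matching ACE; implicit deny otherwise."""
    for i, (action, proto, s, swc, d, dwc, port) in enumerate(acl):
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], s, swc) or not wildcard_match(pkt["dst"], d, dwc):
            continue
        if port is not None and pkt.get("dport") != port:
            continue
        return action, i
    return "deny", None

def inbound_ipsec_check(acl, outer, inner):
    """Pass 1: the ESP packet on arrival. Pass 2: the inner packet after decryption."""
    action, idx = evaluate(acl, outer)
    if action != "permit":
        return "dropped-before-decrypt", idx
    action, idx = evaluate(acl, inner)
    return ("forwarded" if action == "permit" else "dropped-after-decrypt"), idx

# Constructed sample traffic: ESP from the peer, carrying a telnet session.
OUTER = {"proto": "esp", "src": "203.0.113.2", "dst": "203.0.113.1"}
INNER = {"proto": "tcp", "src": "10.10.11.5", "dst": "10.10.10.8", "dport": 23}

if __name__ == "__main__":
    print(inbound_ipsec_check(SECURITY_ACL, OUTER, INNER))        # forwarded via ACE 0
    print(inbound_ipsec_check(SECURITY_ACL[1:], OUTER, INNER))    # dropped after decrypt
```

Removing the subnet permit leaves the ESP pass untouched but sends the decrypted packet into the anti-spoof deny, which is exactly why the subnet line accumulates matches alongside the ESP and ISAKMP lines in the counters above.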

----- Original Message -----
From: <Vazman@aol.com>
To: <ccielab@groupstudy.com>
Sent: Tuesday, December 09, 2003 3:44 PM
Subject: Site-to-Site VPN - ACL question

> Hello,
>
> I have a question..
>
> 10.100.10.0/24--Router1--INTERNET--Router2--10.100.20.0/24
>
> We have a site-to-site VPN over the Internet between two Cisco routers and
> are using private addressing on the ethernet. An inbound ACL is applied on
> the serial interface of both routers. On R1 do we need to permit the
> ethernet segment of R2?
> I was almost positive that we don't have to, as I would imagine that all
> traffic between the two LANs goes through the VPN tunnel.
>
> Thanks



This archive was generated by hypermail 2.1.4 : Sat Jan 03 2004 - 08:25:38 GMT-3