From: Richard Dumoulin (richard.dumoulin@vanco.es)
Date: Thu Mar 18 2004 - 18:57:40 GMT-3
Hi thank you Nguyen. I have made some tests and found differences between a
7206 and a 837 !!
The 7206 behavior was as expected, as it would first decrypt the traffic
and then check the input acl. But the 837 would first check the acl. It may
be software/platform dependent then. So my conclusion is "trust but verify"
as a famous chess grand master said once :))
Regards
--Richard
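An added illustration of what the two orders of operation mean for the hub's inbound ACL; it is not configuration from the thread or from Cisco's note, and the hub address 192.0.2.1, the hub LAN 10.1.0.0/16 and the spoke LANs in 10.0.0.0/8 are constructed values:

```cisco
! Constructed example: hub outside interface 192.0.2.1, spoke peers with
! unknown (dynamic) addresses, spoke LANs inside 10.0.0.0/8, hub LAN 10.1.0.0/16.
ip access-list extended OUTSIDE-IN
 remark -- outer packets: the only lines needed if the ACL is checked before decryption
 permit udp any host 192.0.2.1 eq isakmp
 permit udp any host 192.0.2.1 eq non500-isakmp
 permit esp any host 192.0.2.1
 permit ahp any host 192.0.2.1
 remark -- inner packets: needed where the decrypted packet is checked against this ACL
 permit ip 10.0.0.0 0.255.255.255 10.1.0.0 0.0.255.255
 remark -- everything else is dropped and logged, whichever order the platform uses
 deny ip any any log
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 crypto map HUB-MAP
```

After passing traffic through a tunnel, the hit counts in `show ip access-lists OUTSIDE-IN` show whether the inner `permit ip` line is ever matched on a given platform, and the logged `deny` entry shows inner traffic the ACL would otherwise block.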
-----Original Message-----
From: Nguyen Hoang Long [mailto:ng-hlong@hn.vnn.vn]
Sent: Thursday, March 18, 2004 7:36
To: ccielab@groupstudy.com
Subject: Re: Security
Yes, for a router, check the order of operations:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml#topic1
For the PIX firewall, that's not true by default: the ACL bypass function for traffic
coming from the IPSec tunnel is automatically turned on (default).
Vietnam CCNA/CCNP/CCIE Bootcamp
www.vn-experts.net.vn
www.vnexperts.net
----- Original Message -----
From: "Richard Dumoulin" <richard.dumoulin@vanco.es>
To: <ccielab@groupstudy.com>
Sent: Wednesday, March 17, 2004 9:13 PM
Subject: Security
> Hi all,
>
> I have a question about security. Suppose we have a Hub router that is
> receiving dynamic IPSec tunnels from several remote routers. I thought that
> only allowing isakmp, esp and ahp in an acl would suffice to secure the
> router but I have noticed that first the acl is checked and then the
> encryption is done. Does this mean that an acl statement should be done for
> every user application inside the tunnels ?
>
> Thx
>
> --Richard
>
> _______________________________________________________________________
> Please help support GroupStudy by purchasing your study materials from:
> http://shop.groupstudy.com
>
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Thu Apr 01 2004 - 08:15:35 GMT-3