Cool, so in my example I would only need to permit http?
-----Original Message-----
From: Ryan West [mailto:rwest_at_zyedge.com]
Sent: 30 April 2009 23:27
To: Darren Johnson; 'Farrukh Haroon'; 'Sadiq Yakasai'
Cc: 'Cisco certification'; 'Cisco certification'
Subject: RE: IPSec tunneled packets and ACL on the Outside
Invert your interesting traffic ACL and that becomes your ACL for permitting
traffic. It's up to you to allow TCP/ICMP/UDP etc. The crypto portions are
handled by the firewall and do not need to be allowed, as they are enabled when
you type crypto isakmp enable outside and crypto map blah outside (or
whatever the command is).
-ryan
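A worked configuration for what Ryan describes, added here as an illustration and not taken from anyone's post in this thread. The addresses, ACL and crypto map names are assumptions: local LAN 10.1.1.0/24 with a web server at 10.1.1.80 behind this ASA, remote LAN 10.2.2.0/24 behind the peer 203.0.113.2, ASA 8.0/8.2-era syntax (crypto isakmp enable outside, as in the message above).

```cisco
! Added example, not from the thread. Topology and names are assumptions:
!   local LAN 10.1.1.0/24 (web server 10.1.1.80) behind this ASA
!   remote LAN 10.2.2.0/24 behind IPsec peer 203.0.113.2

! Interesting-traffic (crypto) ACL: local -> remote, defines what is encrypted.
access-list L2L_CRYPTO extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_CRYPTO
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key <shared-secret>

! Disable the implicit bypass: decrypted tunnel traffic is now subject to the
! outside interface ACL (checked once, after decryption).
no sysopt connection permit-vpn

! Outside interface ACL. There is deliberately no "permit esp" or
! "permit udp ... eq isakmp" line: IKE and ESP addressed to the ASA itself are
! accepted by the crypto engine once ISAKMP and the crypto map are enabled on
! the interface. What must be permitted is the cleartext that comes out of the
! tunnel, i.e. the crypto ACL inverted (remote -> local), here narrowed to the
! one application actually wanted from the remote site.
access-list OUTSIDE_IN extended permit tcp 10.2.2.0 255.255.255.0 host 10.1.1.80 eq www
access-group OUTSIDE_IN in interface outside
! Anything else leaving the tunnel (and any cleartext from the Internet) is
! dropped by the implicit deny at the end of OUTSIDE_IN.
```

To confirm the behaviour on a box, bring the tunnel up (show crypto ipsec sa should show encaps/decaps counters moving) and then watch show access-list OUTSIDE_IN: with no sysopt connection permit-vpn the hit count on the HTTP line climbs as decrypted packets are checked, while with sysopt connection permit-vpn re-enabled the same flows pass and the counter stays flat because the interface ACL is bypassed for VPN traffic. The practical caveat is the flip side of that bypass: with the sysopt enabled, the interface ACL gives no control at all over what arrives through the tunnel, so restricting per-tunnel traffic then has to be done by another mechanism (for example a vpn-filter in the group policy, which is outside the scope of this thread).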
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Darren Johnson
Sent: Thursday, April 30, 2009 6:12 PM
To: 'Farrukh Haroon'; 'Sadiq Yakasai'
Cc: 'Cisco certification'; 'Cisco certification'
Subject: RE: IPSec tunneled packets and ACL on the Outside
Hi there. Does this mean without *sysopt connection permit vpn* we need to
configure an access list entry permitting the VPN protocols (ISAKMP, ESP,
etc) or the protocols that are protected within the IPSEC packet?
For example, say HTTP is IPSEC encrypted. Does the acl need to permit
ISAKMP, ESP etc and/or the HTTP protocol?
Thanks
Darren
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Farrukh Haroon
Sent: 30 April 2009 10:05
To: Sadiq Yakasai
Cc: Cisco certification; Cisco certification
Subject: Re: IPSec tunneled packets and ACL on the Outside
Please see inline
On Wed, Apr 29, 2009 at 10:36 PM, Sadiq Yakasai <sadiqtanko_at_gmail.com>wrote:
> Hi Guys,
>
> Just reading a book here, I came across this statement which I haven't come
> across (at least yet). It says when IPSec tunneled traffic hits the Outside
> interface of an ASA, if you do not have *sysopt connection permit-vpn*
> configured and decided to allow the VPN (related) traffic by opening up the
> Outside-IN ACL on the Outside interface, then you also NEED TO ALLOW the
> tunneled traffic through this ACL.
>
The book is 100% correct, if you don't have the sysopt connection
permit-vpn command all VPN tunnels terminated ON the firewall need to be
permitted in the interface ACL. With this command, the ACL applied on the
VPN terminating interface is not checked for encrypted traffic (terminating
on the firewall itself).
>
> In other words, this IPSec tunneled traffic will be hitting the Outside-IN
> ACL twice before traversing the ASA; the encrypted and the tunneled
> traffic.
> How true is this? Has anyone encountered this in their configuration
> endeavours please? Could this behaviour be specific to a version of code
> run on the ASA?
>
The "in other words" interpretation is incorrect; the author never stated
that in the first paragraph :).
With sysopt = no ACL check, without sysopt = ACL check ONCE.
In older IOS versions there used to be a double ACL check but not on the
Finesse OS (PIX/ASA).
Regards
Farrukh
>
> Thanks in advance,
> Sadiq
>
> --
> CCIE #19963
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Received on Thu Apr 30 2009 - 23:42:34 ART
This archive was generated by hypermail 2.2.0 : Mon May 04 2009 - 07:39:13 ART