Re: IPSec tunneled packets and ACL on the Outside

From: Stuart Hare <stuart.hare_at_googlemail.com>
Date: Fri, 1 May 2009 07:11:04 +0100

As stated earlier in the thread, sysopt connection permit-vpn basically tells
the adaptive security algorithm to automatically inspect VPN traffic
that is terminated on the ASA without the need for an ACL. (ACLs are
still needed for VPN traffic passing through the firewall.)

Without this you need ACLs to permit traffic for the VPN security
protocols: ISAKMP, ESP, AH, NAT-T, etc.

Sent from my iPhone

On 30 Apr 2009, at 23:11, "Darren Johnson" <dazza_johnson_at_yahoo.co.uk>
wrote:

> Hi there. Does this mean without *sysopt connection permit vpn* we
> need to configure an access list entry permitting the VPN protocols
> (ISAKMP, ESP, etc.) or the protocols that are protected within the
> IPsec packet?
>
> For example, say HTTP is IPsec encrypted. Does the ACL need to permit
> ISAKMP, ESP etc. and/or the HTTP protocol?
>
> Thanks
> Darren
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf
> Of
> Farrukh Haroon
> Sent: 30 April 2009 10:05
> To: Sadiq Yakasai
> Cc: Cisco certification; Cisco certification
> Subject: Re: IPSec tunneled packets and ACL on the Outside
>
> Please see inline
>
> On Wed, Apr 29, 2009 at 10:36 PM, Sadiq Yakasai
> <sadiqtanko_at_gmail.com>wrote:
>
>> Hi Guys,
>>
>> Just reading a book here, I came across this statement which I
>> haven't come across (at least yet). It says when IPsec tunneled
>> traffic hits the Outside interface of an ASA, if you do not have
>> *sysopt connection permit-vpn* configured and decided to allow the
>> VPN (related) traffic by opening up the Outside-IN ACL on the
>> Outside interface, then you also NEED TO ALLOW the tunneled traffic
>> through this ACL.
>>
>
> The book is 100% correct. If you don't have the sysopt connection
> permit-vpn command, all VPN tunnels terminated ON the firewall need to
> be permitted in the interface ACL. With this command, the ACL applied
> on the VPN terminating interface is not checked for encrypted traffic
> (terminating on the firewall itself).
>
>>
>> In other words, this IPsec tunneled traffic will be hitting the
>> Outside-IN ACL twice before traversing the ASA: the encrypted and the
>> tunneled traffic. How true is this? Has anyone encountered this in
>> their configuration endeavours please? Could this behaviour be
>> specific to a version of code run on the ASA?
>>
>
> The "in other words" interpretation is incorrect; the author never
> stated that in the first paragraph :)
> With sysopt = no ACL check, without sysopt = ACL check ONCE.
>
> In older IOS versions there used to be a double ACL check, but not on
> the Finesse OS (PIX/ASA).
>
> Regards
>
> Farrukh
>
>
>>
>> Thanks in advance,
>> Sadiq
>>
>> --
>> CCIE #19963
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>>
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>
>

Blogs and organic groups at http://www.ccie.net
Received on Fri May 01 2009 - 07:11:04 ART
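The two configurations the thread contrasts, written out as an added example for this archive page (it is not from any of the posters, and not a Cisco reference configuration). Assumed values: a LAN-to-LAN tunnel to peer 203.0.113.10, remote LAN 192.168.20.0/24, a local web server 10.1.1.10 in 10.1.1.0/24, an interface ACL named outside_in and a crypto map named OUTSIDE_MAP. The IKE/IPsec syntax is the pre-8.4 form (isakmp keyword) in use when the thread was written; on 8.4 and later the keyword is ikev1.

```cisco
! Added example, not from the thread. All names and addresses are assumed.
!
! --- Variant A: sysopt connection permit-vpn present (the default) ---
! Decrypted tunnel traffic bypasses the interface ACL entirely, so
! outside_in only governs cleartext traffic arriving on outside.
sysopt connection permit-vpn
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
!
! --- Variant B: no sysopt connection permit-vpn ---
! The decrypted (inner) packets are now checked ONCE against outside_in,
! so the ACL must permit the protected traffic itself, e.g. HTTP from the
! remote LAN to the web server. Permitting only esp/udp 500 here is the
! mistake the thread is about: the inner HTTP would still be dropped.
! ESP and ISAKMP addressed to the ASA's own interface are to-the-box
! traffic and are not subject to the interface ACL in either variant.
no sysopt connection permit-vpn
access-list outside_in extended permit tcp 192.168.20.0 255.255.255.0 host 10.1.1.10 eq www
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
!
! Common LAN-to-LAN IPsec pieces, identical in both variants
access-list L2L_TRAFFIC extended permit ip 10.1.1.0 255.255.255.0 192.168.20.0 255.255.255.0
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set AES256-SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <replace-with-a-strong-psk>
```

To confirm which variant a box is actually running, use `show running-config all sysopt` (the plain `show running-config` hides the default setting), then watch `show access-list outside_in` while sending traffic through the tunnel: in Variant B the hit count on the inner-traffic ACE climbs; in Variant A it does not, because the decrypted packets never reach the ACL. If you keep the default (Variant A) but still want per-tunnel filtering, apply a vpn-filter in the group-policy instead of relying on the interface ACL.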

This archive was generated by hypermail 2.2.0 : Mon Jun 01 2009 - 07:04:41 ART