He's asking about ASA; that's why the ACL syntax is different. The two lists below are equal on ASA and IOS respectively:
ASA:
    access-list PROXY permit icmp 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0
IOS:
    ip access-list extended PROXY
     permit icmp 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
Also, Proxy ACL is the same thing as saying interesting traffic. The term comes from the fact that the router is negotiating to do IPsec encryption on someone else's behalf, e.g. hosts on a LAN segment, hence they are negotiating IPsec for them in proxy. The debugs on IOS and ASA use the term proxy identities to refer to the type of traffic that the ACL defines, hence the proxy ACL.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml#proxy
HTH,
Brian McGahan, CCIE #8593 (R&S/SP/Security)
bmcgahan_at_INE.com
Internetwork Expert, Inc.
http://www.INE.com
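
An added example, not part of the original message and not Cisco tooling: a Python check that the ASA and IOS entries above define the same proxy identity, and that a peer's ACL mirrors it. The peer-side ACL lines and all function names are constructed for illustration; it handles only the "address mask" form of an entry and assumes the usual rule that the two peers' proxy ACLs must be mirror images of each other.

```python
import ipaddress

def _net(addr, mask, wildcard):
    """Build a network from an address plus ASA subnet mask or IOS wildcard mask."""
    if wildcard:
        # An IOS wildcard mask is the bitwise inverse of the subnet mask.
        inverted = int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF
        mask = str(ipaddress.IPv4Address(inverted))
    # strict=False tolerates host bits in the address (e.g. 172.16.1.1 with a /24 mask).
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def parse_ace(line, wildcard=False):
    """Return (action, protocol, source network, destination network)."""
    tok = line.split()
    # Skip 'access-list NAME [extended]' and start at the action keyword.
    i = next(n for n, t in enumerate(tok) if t in ("permit", "deny"))
    action, proto, src, smask, dst, dmask = tok[i:i + 6]
    return action, proto, _net(src, smask, wildcard), _net(dst, dmask, wildcard)

def mirrored(local, remote):
    """True when remote is local with source and destination swapped."""
    return local[:2] == remote[:2] and local[2] == remote[3] and local[3] == remote[2]

# The two entries from the message above.
ASA_LINE = "access-list PROXY permit icmp 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0"
IOS_LINE = "permit icmp 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255"
# Constructed peer-side entries for the ASA in front of 172.16.2.0/24.
PEER_OK = "access-list PROXY permit icmp 172.16.2.0 255.255.255.0 172.16.1.0 255.255.255.0"
PEER_BAD = "access-list PROXY permit ip 172.16.2.0 255.255.255.0 172.16.1.0 255.255.255.0"

if __name__ == "__main__":
    local = parse_ace(ASA_LINE)
    print("ASA == IOS:", local == parse_ace(IOS_LINE, wildcard=True))
    for name, line in (("PEER_OK", PEER_OK), ("PEER_BAD", PEER_BAD)):
        print(name, "mirrors local:", mirrored(local, parse_ace(line)))
```

PEER_BAD differs only in protocol (ip instead of icmp), which is enough to make the proxy identities disagree between the peers.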
-----Original Message-----
From: Jay McMickle [mailto:jay.mcmickle_at_yahoo.com]
Sent: Wednesday, July 11, 2012 6:28 AM
To: Ryan West
Cc: Brian McGahan; amin; ccielab_at_groupstudy.com
Subject: Re: Site2site between ASAs
Okay, so we're speaking the same language.
Regards,
Jay McMickle- CCIE #35355 (R&S)
Sent from iJay
On Jul 11, 2012, at 8:18 AM, Ryan West <rwest_at_zyedge.com> wrote:
> Proxy ACL is the same as interesting traffic ACL. Depending on which platform you use, you'll see references to proxy ACLs and proxy id mismatches. Netscreen is a vendor that comes to mind. Named or not, standard ACL means source only to me, which is why I asked about the interesting traffic ACL.
>
> Sent from handheld
>
> On Jul 11, 2012, at 9:09 AM, "Jay McMickle" <jay.mcmickle_at_yahoo.com> wrote:
>
>> I meant standard. What is a proxy ACL? I thought that was just a named ACL, but are you implying that it has a meaning and is applied differently?
>>
>> School me, please.
>>
>> Regards,
>> Jay McMickle- CCIE #35355 (R&S)
>> Sent from iJay
>>
>> On Jul 11, 2012, at 7:56 AM, Ryan West <rwest_at_zyedge.com> wrote:
>>
>>> Jay,
>>>
>>> What do you mean by standard ACL? Is that in the context of a proxy ACL, or just in general?
>>>
>>> Sent from handheld
>>>
>>> On Jul 11, 2012, at 7:11 AM, "Jay McMickle" <jay.mcmickle_at_yahoo.com> wrote:
>>>
>>>> I'll have to lab this up. Why is it that a standard IP ACL picks up ICMP even though it's not specified?
>>>>
>>>> He has since updated and stated that he was only using ICMP as an example, but I'm still interested in the ICMP portion. Lab time.
>>>>
>>>> Thanks, Brian.
>>>>
>>>> Regards,
>>>> Jay McMickle- CCIE #35355 (R&S)
>>>> Sent from iJay
>>>>
>>>> On Jul 10, 2012, at 9:38 PM, Brian McGahan <bmcgahan_at_ine.com> wrote:
>>>>
>>>>> In your proxy ACL you just need to specify only ICMP traffic, e.g. access-list PROXY_ACL permit icmp 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0.
>>>>>
>>>>> Some cases will not work with the proxy ACL if you get too specific, but just using ICMP for the classifier should be fine.
>>>>>
>>>>>
>>>>> HTH,
>>>>>
>>>>> Brian McGahan, CCIE #8593 (R&S/SP/Security) bmcgahan_at_INE.com
>>>>>
>>>>> Internetwork Expert, Inc.
>>>>> http://www.INE.com
>>>>>
>>>>>
>>>>> -----Original Message-----
>>>>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of amin
>>>>> Sent: Saturday, July 07, 2012 6:18 AM
>>>>> To: ccielab_at_groupstudy.com
>>>>> Subject: Site2site between ASAs
>>>>>
>>>>> Hi experts,
>>>>>
>>>>> Site2site VPN between two ASAs, let us assume I want to encrypt the ICMP, and leave the two LANs' traffic between the two sites unencrypted.
>>>>>
>>>>> LAN 1 172.16.1.1/24, LAN 2 172.16.2.0/24 == ICMP encrypted
>>>>>
>>>>> LAN 1 172.16.1.1/24, LAN 2 172.16.2.0/24 == Other traffic unencrypted
>>>>>
>>>>>
>>>>>
>>>>> Regards,
>>>>>
>>>>> Amin
>>>>>
>>>>>
>>>>> Blogs and organic groups at http://www.ccie.net
>>>>>
>>>>> __________________________________________________________________
>>>>> _____ Subscription information may be found at:
>>>>> http://www.groupstudy.com/list/CCIELab.html
Received on Wed Jul 11 2012 - 09:16:24 ART
This archive was generated by hypermail 2.2.0 : Wed Aug 01 2012 - 15:55:23 ART