[c-nsp] IPSec and FW on the same router
Per Carlson
lists at ip4all.net
Tue Jun 27 04:37:56 EDT 2006
Hi.
I'm trying to do simultaneous IPSec tunneling and firewalling on a
router. Unfortunately, the firewall doesn't seem to open up a
"hole" for the incoming traffic as expected. That makes me wonder
in which order things are done. The router in question is a 2801
running 12.4.8.
Here is the network setup:
-                                    -
|                                    |
|   +----+                  +----+   |
+---+ R1 +--- Routed net ---+ R2 +---+
|   +----+                  +----+   |
|   10.1.0.1                10.2.0.1 |
-                                    -
10.0.0.0/24                10.3.0.0/24
I'm only managing the R1 router, but that is where the problems
arise.
The R1 config is this:
ip inspect audit-trail
ip inspect name FW isakmp audit-trail on
!
crypto map ipsec 1 ipsec-isakmp
set peer 10.2.0.1
set transform-set <transform>
match address ipsec_acl
!
interface FastEthernet0/0.1
encapsulation dot1Q 10
ip address 10.0.0.1 255.255.255.0
ip tcp adjust-mss 1400
!
interface FastEthernet0/0.2
encapsulation dot1Q 11
ip address 10.1.0.1 255.255.255.252
ip access-group outside_in in
ip access-group outside_out out
ip inspect FW out
crypto map ipsec
!
ip route 10.2.0.1 255.255.255.255 10.1.0.2
ip route 10.3.0.0 255.255.255.0 10.1.0.2
!
ip access-list extended outside_in
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any packet-too-big
permit icmp any any unreachable
deny ip any any
!
ip access-list extended outside_out
permit udp host 10.1.0.1 host 10.2.0.1 eq isakmp
permit esp host 10.1.0.1 host 10.2.0.1
!
ip access-list extended ipsec_acl
permit ip host 10.0.0.10 10.3.0.0 0.0.0.255
I was hoping that 'ip inspect isakmp' would catch the outgoing
ISAKMP traffic and automagically open a hole for the return
traffic, but it doesn't. Manually opening up for ISAKMP traffic from the
host 10.2.0.1 in 'outside_in' doesn't help either...
By doing a 'tcpdump' of the traffic leaving and entering R1, I can
see that R1 replies to all returning ISAKMP traffic with an "ICMP Host
Unreachable" message.
So, at last, the questions:
1) Where in the path lies the firewalling (before or after IPSec)?
2) Will the access-lists handle encrypted or unencrypted traffic,
i.e. should the opening be for traffic between 10.0.0.0/10.3.0.0
or 10.1.0.1/10.2.0.1?
3) Does 'ip inspect isakmp' work? Can't find any references about
it in the Config Guide for 12.4...
4) Is the use of sub-interfaces causing this problem?
Note 1: The IP addresses used in this example are obfuscated; in
reality they are all official and routable over the Internet.
Note 2: The setup is a client/server scenario. The IPSec-tunnel
will be triggered by traffic from the 10.0.0.0-net only.
--
Per Carlson, Sr. Network Developer
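Added example, not part of Per Carlson's message: a small Python model of the IOS interface order of operations that runs the posted outside_in / outside_out / ipsec_acl entries against the packets in this scenario (the peer's ISAKMP reply and ESP, the decrypted return traffic, the LAN host's outbound traffic, and the router's own ISAKMP), then runs the same packets against a corrected pair of ACLs. The modelled order is taken from Cisco's published order of operations for an interface carrying a crypto map and is an assumption of the model, not something the post states: inbound, the input ACL is applied to the packet as received, then decryption, then the input ACL again on the cleartext; outbound, the output ACL is applied to the cleartext before encryption, and router-originated packets bypass the output ACL. CBAC's dynamic openings and ICMP type/code matching are left out, and the host 10.3.0.5 is a constructed value.

```python
"""Model of the Cisco IOS order of operations (ACL vs. IPsec) applied to the
ACLs in the post above. Added example, not code from the original message.
ASSUMED ORDER (Cisco's documented order for a crypto-map interface):
inbound: input ACL on the packet as received -> decrypt -> input ACL again
on the cleartext; outbound: output ACL on the cleartext -> encrypt, and
router-originated packets skip the output ACL. CBAC dynamic openings and
ICMP type/code matching are deliberately not modelled."""
from dataclasses import dataclass
import ipaddress

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Pkt:
    proto: str                        # "udp", "esp", "tcp", "icmp"
    src: str
    dst: str
    dport: int = 0                    # 0 = no port (esp, icmp)
    locally_originated: bool = False  # generated by the router itself


def ace(action, proto, src, dst, dport=None):
    """One access-list entry; CIDR networks (10.1.0.1/32 == 'host 10.1.0.1')."""
    return (action, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), dport)


def matches(entry, p):
    action, proto, src, dst, dport = entry
    if proto != "ip" and proto != p.proto:
        return False
    if ipaddress.ip_address(p.src) not in src or ipaddress.ip_address(p.dst) not in dst:
        return False
    return dport is None or dport == p.dport


def acl_permits(acl, p):
    """IOS semantics: first matching entry decides; implicit deny at the end."""
    for entry in acl:
        if matches(entry, p):
            return entry[0] == "permit"
    return False


def inbound(acl_in, pkt, inner=None):
    """Packet arriving on the outside interface. For ESP, `inner` is the
    cleartext it decrypts to. Returns (forwarded, stage that decided it)."""
    if not acl_permits(acl_in, pkt):
        return False, "dropped by input ACL before decryption"
    if pkt.proto == "esp" and inner is not None and not acl_permits(acl_in, inner):
        return False, "dropped by input ACL after decryption"
    return True, "forwarded"


def outbound(acl_out, crypto_acl, pkt):
    """Packet leaving via the outside interface. Returns (forwarded, stage)."""
    if pkt.locally_originated:
        return True, "router-originated, output ACL not applied"
    if not acl_permits(acl_out, pkt):
        return False, "dropped by output ACL before encryption"
    if acl_permits(crypto_acl, pkt):
        return True, "encrypted into ESP to the peer"
    return True, "forwarded in the clear"


# ACLs as posted (the four ICMP entries collapsed into one, types not modelled).
POSTED_IN = [ace("permit", "icmp", ANY, ANY), ace("deny", "ip", ANY, ANY)]
POSTED_OUT = [ace("permit", "udp", "10.1.0.1/32", "10.2.0.1/32", 500),
              ace("permit", "esp", "10.1.0.1/32", "10.2.0.1/32")]
CRYPTO_ACL = [ace("permit", "ip", "10.0.0.10/32", "10.3.0.0/24")]

# Corrected for the assumed order: admit the peer's ISAKMP and ESP on the first
# (ciphertext) pass, admit the decrypted 10.3.0.0/24 -> 10.0.0.10 traffic on the
# second pass, and let the cleartext the crypto map will encrypt through the
# output ACL. The posted esp/isakmp entries in outside_out are kept, but in this
# model nothing reaches them: those packets are router-originated.
FIXED_IN = [ace("permit", "udp", "10.2.0.1/32", "10.1.0.1/32", 500),
            ace("permit", "esp", "10.2.0.1/32", "10.1.0.1/32"),
            ace("permit", "ip", "10.3.0.0/24", "10.0.0.10/32")] + POSTED_IN
FIXED_OUT = [ace("permit", "ip", "10.0.0.10/32", "10.3.0.0/24")] + POSTED_OUT

# Constructed packets; 10.3.0.5 is a hypothetical host on the far LAN.
ISAKMP_REPLY = Pkt("udp", "10.2.0.1", "10.1.0.1", 500)
ESP_IN = Pkt("esp", "10.2.0.1", "10.1.0.1")
INNER_RETURN = Pkt("tcp", "10.3.0.5", "10.0.0.10", 0)
USER_OUT = Pkt("tcp", "10.0.0.10", "10.3.0.5", 80)
ISAKMP_OUT = Pkt("udp", "10.1.0.1", "10.2.0.1", 500, locally_originated=True)


def evaluate(acl_in, acl_out):
    return {
        "isakmp_reply": inbound(acl_in, ISAKMP_REPLY),
        "esp_in": inbound(acl_in, ESP_IN, inner=INNER_RETURN),
        "user_out": outbound(acl_out, CRYPTO_ACL, USER_OUT),
        "isakmp_out": outbound(acl_out, CRYPTO_ACL, ISAKMP_OUT),
    }


if __name__ == "__main__":
    for label, (acl_in, acl_out) in {"posted": (POSTED_IN, POSTED_OUT),
                                     "fixed": (FIXED_IN, FIXED_OUT)}.items():
        for name, (ok, stage) in evaluate(acl_in, acl_out).items():
            print(f"{label:6} {name:13} {'PASS' if ok else 'DROP'}  {stage}")
```

Run directly, it prints PASS or DROP for each packet together with the stage that decided it. Under the posted ACLs, the ISAKMP reply and the ESP from 10.2.0.1 never get past the first pass of outside_in, and the LAN host's cleartext never gets past outside_out; under the corrected ACLs all of them go through. Whether that matches the router depends on the assumed order holding for the IOS release in question, which is exactly what the post is asking.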