[c-nsp] IPSec and FW on the same router
Per Carlson
lists at ip4all.net
Tue Jun 27 08:37:57 EDT 2006
Hi again.
I didn't make myself completely clear in one of the questions:
>interface FastEthernet0/0.2
> encapsulation dot1Q 11
> ip address 10.1.0.1 255.255.255.252
> ip access-group outside_in in
> ip access-group outside_out out
> ip inspect FW out
> crypto map ipsec
>!
>ip access-list extended outside_in
> permit icmp any any echo-reply
> permit icmp any any time-exceeded
> permit icmp any any packet-too-big
> permit icmp any any unreachable
> deny ip any any
>!
>ip access-list extended outside_out
> permit udp host 10.1.0.1 host 10.2.0.1 eq isakmp
> permit esp host 10.1.0.1 host 10.2.0.1
>!
>ip access-list extended ipsec_acl
> permit ip host 10.0.0.10 10.3.0.0 0.0.0.255
>
>2) Will the access-lists handle encrypted or unencrypted traffic,
> i.e should the opening be for traffic between 10.0.0.0/10.3.0.0
> or 10.1.0.1/10.2.0.1?
That question regards the ACLs on the interface itself
(outside_in and outside_out), not the ACL that triggers IPSec
(ipsec_acl).
--
Per Carlson, Sr. Network Developer
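As an added illustration (not part of the thread, and not an answer to the order-of-operations question it raises), the following Python script evaluates the three access-lists quoted above, as written, against the two candidate flows the question names: the encrypted peer-to-peer traffic (ESP and ISAKMP between 10.1.0.1 and 10.2.0.1) and the cleartext traffic the crypto ACL selects (10.0.0.10 to 10.3.0.0/24). It is a deliberately small first-match evaluator with IOS wildcard-mask semantics and the implicit trailing deny; it does not model `ip inspect` state, port ranges, `established`, or where in the IOS forwarding path the crypto map sits. The packets, the TCP port numbers and the 10.3.0.5 host are constructed sample values.

```python
import ipaddress

# The three access-lists quoted in the post, copied as constructed sample input.
ACLS = {
    "outside_in": [
        "permit icmp any any echo-reply",
        "permit icmp any any time-exceeded",
        "permit icmp any any packet-too-big",
        "permit icmp any any unreachable",
        "deny ip any any",
    ],
    "outside_out": [
        "permit udp host 10.1.0.1 host 10.2.0.1 eq isakmp",
        "permit esp host 10.1.0.1 host 10.2.0.1",
    ],
    "ipsec_acl": [
        "permit ip host 10.0.0.10 10.3.0.0 0.0.0.255",
    ],
}

NAMED_PORTS = {"isakmp": 500}  # only the port name the posted config uses


def _parse_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wild), i + 2


def _parse_port(tokens, i):
    """Consume an optional 'eq <port>' at tokens[i]; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (int(p) if p.isdigit() else NAMED_PORTS[p]), i + 2
    return None, i


def parse_ace(line):
    """Parse one extended-ACL entry into a dict of match fields."""
    t = line.split()
    ace = {"action": t[0], "proto": t[1]}
    ace["src"], i = _parse_addr(t, 2)
    ace["sport"], i = _parse_port(t, i)
    ace["dst"], i = _parse_addr(t, i)
    ace["dport"], i = _parse_port(t, i)
    # For icmp, a trailing token names the message type (echo-reply, unreachable, ...).
    ace["icmp_type"] = t[i] if ace["proto"] == "icmp" and i < len(t) else None
    return ace


def _addr_match(spec, ip):
    """IOS wildcard semantics: bits set in the wildcard are 'don't care'."""
    net, wild = spec
    mask = 0xFFFFFFFF ^ wild
    return (int(ipaddress.IPv4Address(ip)) & mask) == (net & mask)


def _ace_match(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if not _addr_match(ace["src"], pkt["src"]) or not _addr_match(ace["dst"], pkt["dst"]):
        return False
    if ace["sport"] is not None and ace["sport"] != pkt.get("sport"):
        return False
    if ace["dport"] is not None and ace["dport"] != pkt.get("dport"):
        return False
    if ace["icmp_type"] is not None and ace["icmp_type"] != pkt.get("icmp_type"):
        return False
    return True


def evaluate(acl_name, pkt):
    """First-match evaluation with the implicit deny at the end of every IOS ACL."""
    for ace in (parse_ace(line) for line in ACLS[acl_name]):
        if _ace_match(ace, pkt):
            return ace["action"]
    return "deny"


# Constructed packets for the two candidate openings the question names, both directions.
FLOWS = {
    "esp_out":    {"proto": "esp", "src": "10.1.0.1", "dst": "10.2.0.1"},
    "isakmp_out": {"proto": "udp", "src": "10.1.0.1", "sport": 500, "dst": "10.2.0.1", "dport": 500},
    "esp_in":     {"proto": "esp", "src": "10.2.0.1", "dst": "10.1.0.1"},
    "isakmp_in":  {"proto": "udp", "src": "10.2.0.1", "sport": 500, "dst": "10.1.0.1", "dport": 500},
    "clear_out":  {"proto": "tcp", "src": "10.0.0.10", "sport": 40000, "dst": "10.3.0.5", "dport": 80},
    "clear_in":   {"proto": "tcp", "src": "10.3.0.5", "sport": 80, "dst": "10.0.0.10", "dport": 40000},
    "echo_reply_in": {"proto": "icmp", "src": "10.2.0.1", "dst": "10.1.0.1", "icmp_type": "echo-reply"},
}


def report():
    """Verdict of every ACL for every candidate flow, keyed by flow name then ACL name."""
    return {name: {acl: evaluate(acl, pkt) for acl in ACLS} for name, pkt in FLOWS.items()}


if __name__ == "__main__":
    for flow, verdicts in report().items():
        print(f"{flow:14s} " + "  ".join(f"{acl}={v}" for acl, v in verdicts.items()))
```

Running it shows what the posted lists match today: `outside_out` permits only the encrypted pair (ESP and UDP/500 from 10.1.0.1 to 10.2.0.1) and denies the cleartext flow, `ipsec_acl` selects only the cleartext flow from 10.0.0.10, and `outside_in` admits nothing but the four listed ICMP types in either form, so inbound ESP and ISAKMP from the peer rely entirely on whatever `ip inspect FW` opens dynamically. Which of the two forms the interface ACLs actually see on a given IOS release is exactly the question the post leaves open, and this script does not decide it.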