[c-nsp] IPSec and FW on the same router

Church, Chuck cchurch at netcogov.com
Tue Jun 27 08:44:45 EDT 2006


I'm pretty sure that CBAC won't inspect traffic generated by the router
(in this case, the outbound IPSec).  You need to open up that inbound
ACL for that crypto peer, probably the ESP and ISAKMP you mentioned. 


Chuck Church
Network Engineer
CCIE #8776, MCNE, MCSE
Netco Government Services
Enterprise Network Engineering
Home Office - 864-335-9473 
Cell - 864-266-3978
cchurch at netcogov.com

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Per Carlson
Sent: Tuesday, June 27, 2006 8:38 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] IPSec and FW on the same router

Hi again.

I didn't make myself completely clear in one of the questions:

>interface FastEthernet0/0.2
> encapsulation dot1Q 11
> ip address 10.1.0.1 255.255.255.252
> ip access-group outside_in in
> ip access-group outside_out out
> ip inspect FW out
> crypto map ipsec
>!
>ip access-list extended outside_in
> permit icmp any any echo-reply
> permit icmp any any time-exceeded
> permit icmp any any packet-too-big
> permit icmp any any unreachable
> deny   ip any any
>!
>ip access-list extended outside_out
> permit udp  host 10.1.0.1 host 10.2.0.1 eq isakmp
> permit esp  host 10.1.0.1 host 10.2.0.1
>!
>ip access-list extended ipsec_acl
> permit ip host 10.0.0.10 10.3.0.0 0.0.0.255
>
>2) Will the access-lists handle encrypted or unencrypted traffic,
>   i.e should the opening be for traffic between 10.0.0.0/10.3.0.0
>   or 10.1.0.1/10.2.0.1?   

That question regards the ACLs on the interface itself
(outside_in and outside_out), not the ACL that triggers IPSec
(ipsec_acl).

-- 
Per Carlson, Sr. Network Developer
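An added example, not from either poster's configuration: the quoted outside_in ACL as it stands, and the same ACL with the inbound openings Chuck describes, scoped to the crypto peer addresses used in the thread (10.2.0.1 to 10.1.0.1). The remark line and the verification commands are assumptions.

```cisco
! Before (as quoted in the thread): nothing admits the peer's ISAKMP or
! ESP. CBAC does not track router-originated traffic, so the outbound
! IKE/ESP never creates a return entry and the peer's replies are dropped
! by this ACL.
ip access-list extended outside_in
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any packet-too-big
 permit icmp any any unreachable
 deny   ip any any
!
! After: permit only the crypto peer, and only the two protocols the
! tunnel needs. The opening is for the encrypted traffic between the
! peer addresses (10.2.0.1 -> 10.1.0.1), not the protected networks;
! ipsec_acl still decides what gets encrypted.
ip access-list extended outside_in
 remark -- IPsec control and data from crypto peer 10.2.0.1 (assumed) --
 permit udp host 10.2.0.1 host 10.1.0.1 eq isakmp
 permit esp host 10.2.0.1 host 10.1.0.1
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any packet-too-big
 permit icmp any any unreachable
 deny   ip any any
!
! Check (assumed, not from the thread): the match counters on the two
! peer entries should increment and the IKE SA should reach QM_IDLE.
! show ip access-lists outside_in
! show crypto isakmp sa
```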