[c-nsp] IPSec and FW on the same router

David West david.h.west at gmail.com
Tue Jun 27 22:07:51 EDT 2006


Yep, the outside ACL should have something like this:

permit esp host my_peer host me
permit udp host my_peer host me eq 4500

-DW

On 6/27/06, Church, Chuck <cchurch at netcogov.com> wrote:
>
> I'm pretty sure that CBAC won't inspect traffic generated by the router
> (in this case, the outbound IPSec).  You need to open up that inbound
> ACL for that crypto peer, probably the ESP and ISAKMP you mentioned.
>
>
> Chuck Church
> Network Engineer
> CCIE #8776, MCNE, MCSE
> Netco Government Services
> Enterprise Network Engineering
> Home Office - 864-335-9473
> Cell - 864-266-3978
> cchurch at netcogov.com
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Per Carlson
> Sent: Tuesday, June 27, 2006 8:38 AM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] IPSec and FW on the same router
>
> Hi again.
>
> I didn't make myself completely clear in one of the questions:
>
> >interface FastEthernet0/0.2
> > encapsulation dot1Q 11
> > ip address 10.1.0.1 255.255.255.252
> > ip access-group outside_in in
> > ip access-group outside_out out
> > ip inspect FW out
> > crypto map ipsec
> >!
> >ip access-list extended outside_in
> > permit icmp any any echo-reply
> > permit icmp any any time-exceeded
> > permit icmp any any packet-too-big
> > permit icmp any any unreachable
> > deny   ip any any
> >!
> >ip access-list extended outside_out
> > permit udp  host 10.1.0.1 host 10.2.0.1 eq isakmp
> > permit esp  host 10.1.0.1 host 10.2.0.1
> >!
> >ip access-list extended ipsec_acl
> > permit ip host 10.0.0.10 10.3.0.0 0.0.0.255
> >
> >2) Will the access-lists handle encrypted or unencrypted traffic,
> >   i.e. should the opening be for traffic between 10.0.0.0/10.3.0.0
> >   or 10.1.0.1/10.2.0.1?
>
> That question regards the ACLs on the interface itself
> (outside_in and outside_out), not the ACL that triggers IPSec
> (ipsec_acl).
>
> --
> Per Carlson, Sr. Network Developer
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>



-- 
Progress isn't made by early risers. It's made by lazy men trying to find
easier ways to do something.
  - Robert Heinlein
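The point of the thread is that CBAC only opens return paths for traffic it inspected leaving the interface; the router's own IPsec traffic with the peer is not inspected, so the inbound ACL has to admit ESP, ISAKMP (UDP/500) and, if NAT traversal is in play, UDP/4500 from the peer explicitly, and those permits have to sit before the closing `deny ip any any`. The following is an added example, not code from any poster in the thread: a small first-match evaluator for IOS-style extended ACL lines that checks those three peer flows against Per's original `outside_in`, a corrected version, and a version with the permits placed after the deny. The ACL texts are constructed from the configuration quoted above; the function and constant names are this example's own.

```python
"""Check whether an IOS-style inbound ACL admits the flows an IPsec peer needs.

Added example, not from the thread. Implements IOS first-match ACL semantics
(with the implicit deny at the end) over constructed 'ip access-list extended'
text and tests the three router-terminated flows CBAC will not open by itself:
ESP, ISAKMP (UDP/500) and NAT-T (UDP/4500) from the peer to this router.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

NAMED_PORTS = {"isakmp": 500, "non500-isakmp": 4500}  # IOS port keywords used here


@dataclass(frozen=True)
class Flow:
    proto: str            # "esp", "udp", "tcp", "icmp" or "ip"
    src: str
    dst: str
    dport: Optional[int] = None


def _parse_addr(tokens):
    """Consume one address spec ('any', 'host A' or 'A WILDCARD'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), tokens[2:]


def parse_acl(text):
    """Parse 'permit|deny PROTO SRC DST [eq PORT]' lines in order; headers and '!' are skipped.

    Trailing qualifiers such as ICMP types are ignored, which is enough for this check.
    """
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        action, proto = tokens[0], tokens[1]
        src, rest = _parse_addr(tokens[2:])
        dst, rest = _parse_addr(rest)
        dport = None
        if len(rest) >= 2 and rest[0] == "eq":
            dport = NAMED_PORTS.get(rest[1]) or int(rest[1])
        entries.append((action, proto, src, dst, dport))
    return entries


def acl_permits(entries, flow):
    """First matching entry decides; no match at all is the IOS implicit deny."""
    s, d = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for action, proto, src, dst, dport in entries:
        if proto not in ("ip", flow.proto):
            continue
        if s not in src or d not in dst:
            continue
        if dport is not None and dport != flow.dport:
            continue
        return action == "permit"
    return False


def check_peer(acl_text, peer, me):
    """Return {flow name: permitted?} for the three flows the crypto peer needs inbound."""
    entries = parse_acl(acl_text)
    flows = {
        "esp": Flow("esp", peer, me),
        "isakmp": Flow("udp", peer, me, 500),
        "nat-t": Flow("udp", peer, me, 4500),
    }
    return {name: acl_permits(entries, f) for name, f in flows.items()}


# Constructed from the outside_in ACL quoted in the thread: no entry for the peer at all.
OUTSIDE_IN_ORIGINAL = """ip access-list extended outside_in
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any packet-too-big
 permit icmp any any unreachable
 deny   ip any any
!"""

# Constructed fix: the peer entries from the reply, placed before the closing deny.
OUTSIDE_IN_FIXED = """ip access-list extended outside_in
 permit udp host 10.2.0.1 host 10.1.0.1 eq isakmp
 permit udp host 10.2.0.1 host 10.1.0.1 eq 4500
 permit esp host 10.2.0.1 host 10.1.0.1
 permit icmp any any echo-reply
 permit icmp any any unreachable
 deny   ip any any
!"""

# Constructed mistake: same permits appended after 'deny ip any any', so they never match.
OUTSIDE_IN_WRONG_ORDER = OUTSIDE_IN_ORIGINAL.replace("!", """ permit udp host 10.2.0.1 host 10.1.0.1 eq isakmp
 permit udp host 10.2.0.1 host 10.1.0.1 eq 4500
 permit esp host 10.2.0.1 host 10.1.0.1
!""")

if __name__ == "__main__":
    for label, acl in (("original", OUTSIDE_IN_ORIGINAL), ("fixed", OUTSIDE_IN_FIXED),
                       ("wrong order", OUTSIDE_IN_WRONG_ORDER)):
        print(f"{label:12s} {check_peer(acl, '10.2.0.1', '10.1.0.1')}")
```

The inner, protected traffic (10.0.0.10 to 10.3.0.0/24 in `ipsec_acl`) is deliberately not among the checked flows: on the wire it is ESP between 10.1.0.1 and 10.2.0.1, which is why the interface ACLs name the peer addresses and not the protected hosts.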

