GroupStudy.com GroupStudy.com - A virtual community of network engineers
 Home  BookStore  StudyNotes  Links  Archives  StudyRooms  HelpWanted  Discounts  Login
RE: IPSec question with CBAC posted 11/19/2003
[Chronological Index] [Thread Index] [Top] [Date Prev][Date Next] [Thread Prev][Thread Next]


James,

http://www.cisco.com/warp/public/556/5.html should explain the flow.  For
IPSec, the packet is checked twice against the access list.  Once to verify
if esp is allowed (ip-prot=50) and then another to verify if the unencrypted
packet is allowed.

Unfortunately you did not display the IPSec configuration.  But I'd guess
you are either doing point-to-point IPSec or remote-access.

If you are doing point-to-point Ipsec, you must have defined the remote end
networks.  So you also need to add to acl 101 the traffic from those remote
networks to your internal private.  For point-to-point, here is how you can
add security.  Don't do IPSec on top of the native IP packet.  Create a GRE
tunnel, then IPSec the GRE tunnel.  So acl 101 would allow IPsec and GRE.
Then on you GRE tunnel interface you can add other acls to filter what your
remote end devices are allowed to do.

If you are doing remote-access, the you need to add to acl 101 packets
sourced from your pool to your internal privates.  You can add security with
extra authentication to buy you some comfort of having the traffic allowed
into your inbound network.  Sorry for not having more comfort there, it may
have been better to have your remote-access vpn behind your border router.

If you want to post the IPSec config, I may be able to give more ideas.  I
would recommend you make the end-point for the IPSec something else behind
the Internet router though.

Rgds,

Marcelo Medina
CitiPlex Engineering
301 680-3993 

-----Original Message-----
From: JamesGEF [mailto:jamesgef@xxxxxxxxxxxx]
Sent: Wednesday, November 19, 2003 7:57 AM
To: Nguyen Hoang Long; yuki hisano; ccielab@xxxxxxxxxxxxxx
Subject: Re: IPSec question with CBAC


That's exactly what I would like.  By adding the permit statements on the
outside interface ACL towards my inside network for incoming IPSec traffic
loosens the security.

Guess there's no other way....


James


----- Original Message ----- 
From: "Nguyen Hoang Long" <ng-hlong@xxxxxxxxx>
To: "yuki hisano" <yukyhisano@xxxxxxxxxxx>; <jamesgef@xxxxxxxxxxxx>;
<ccielab@xxxxxxxxxxxxxx>
Sent: Wednesday, November 19, 2003 6:22 PM
Subject: Re: IPSec question with CBAC


> Yuki,
> There's some way to work around, but what James means here is how to
bypass
> ACL checking once the traffic comes in from IPSec tunnel.
> Is that really what you want, James ?
>
> Long
> CCNA/CCNP/CCIE bootcamp
> www.vn-experts.net.vn
>
> ----- Original Message ----- 
> From: "yuki hisano" <yukyhisano@xxxxxxxxxxx>
> To: <jamesgef@xxxxxxxxxxxx>; <ccielab@xxxxxxxxxxxxxx>
> Sent: Tuesday, November 18, 2003 10:46 PM
> Subject: Re: IPSec question with CBAC
>
>
> > Isnt that supposed to be "access-list 101 permit 50 any host 207.1.1.1
> > (esp)"?
> > ESP's protocol # is 50.
> >
> > Yuki
> >
> >
> > >From: "JamesGEF" <jamesgef@xxxxxxxxxxxx>
> > >Reply-To: "JamesGEF" <jamesgef@xxxxxxxxxxxx>
> > >To: <ccielab@xxxxxxxxxxxxxx>
> > >Subject: IPSec question with CBAC
> > >Date: Tue, 18 Nov 2003 21:45:36 -0500
> > >
> > >I'm simulating a situation where I have a router that is connected to
the
> > >Internet and to a private LAN.  Now, NAT translates inside private IP
> > >address
> > >to public IP.  I've also configured CBAC so that all outbound
connections
> > >are
> > >permitted back in and no inbound connections are permitted on the
outside
> > >interface other than IPSec packets:
> > >
> > >interface fa0/0
> > >   descripton Outside interface
> > >   ip address 207.1.1.1 255.255.255.0
> > >   ip nat outside
> > >   ip access-group 101 in
> > >
> > >access-list 101 permit 51 any host 207.1.1.1 (esp)
> > >access-list 101 permit 51 any host 207.1.1.1 (ahp)
> > >access-list 101 permit udp any host 207.1.1.1 eq 500 (isakmp)
> > >
> > >Now, my VPN tunnel comes up fine.  I could make outbound connections
from
> > >my
> > >private lan to the other end of VPN connection.
> > >
> > >When remote end tries to initiate a connection to local lan of this
> router,
> > >access-list 101 denies the packets (I see them in my log).  I have to
> > >explicitly allow the connections from the remote VPN lan on ACL 101.
> > >
> > >On the PIX, there's a command "sysopt connection permit-ipsec" that
> removes
> > >the need to create external access-lists for VPN connections.  Is there
> > >such a
> > >command for Cisco IOS routers?
> > >
> > >What's the best practice in this situation so that I don't have to
create
> > >ACL
> > >entries on my public interface permitting access to private LAN?
> > >
> > >Thanks!
> > >
> > >James
> > >
> > >_______________________________________________________________________
> > >Please help support GroupStudy by purchasing your study materials from:
> > >http://shop.groupstudy.com
> > >
> > >Subscription information may be found at:
> > >http://www.groupstudy.com/list/CCIELab.html
> >
> > _________________________________________________________________
> > The new MSN 8: smart spam protection and 2 months FREE*
> > http://join.msn.com/?page=features/junkmail
> >
> > _______________________________________________________________________
> > Please help support GroupStudy by purchasing your study materials from:
> > http://shop.groupstudy.com
> >
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
> _______________________________________________________________________
> Please help support GroupStudy by purchasing your study materials from:
> http://shop.groupstudy.com
>
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

_______________________________________________________________________
Please help support GroupStudy by purchasing your study materials from:
http://shop.groupstudy.com

Subscription information may be found at: 
http://www.groupstudy.com/list/CCIELab.html