GroupStudy.com - A virtual community of network engineers
Re: IPSec question with CBAC posted 11/19/2003


Marcelo,

Thanks for the suggestions.  I was just wondering if there were any other
way.  I've got it working with GRE and it's the only way.

Thanks for your suggestions...they've been very helpful.

Brgds,

James

----- Original Message ----- 
From: "Medina, Marcelo [IT]" <marcelo.medina@xxxxxxxxxxxxx>
To: "'JamesGEF'" <jamesgef@xxxxxxxxxxxx>
Cc: "Nguyen Hoang Long" <ng-hlong@xxxxxxxxx>; "yuki hisano"
<yukyhisano@xxxxxxxxxxx>; <ccielab@xxxxxxxxxxxxxx>
Sent: Wednesday, November 19, 2003 8:24 AM
Subject: RE: IPSec question with CBAC


> James,
>
> http://www.cisco.com/warp/public/556/5.html should explain the flow.  For
> IPSec, the packet is checked twice against the access list.  Once to verify
> if esp is allowed (ip-prot=50) and then another to verify if the unencrypted
> packet is allowed.
>
> Unfortunately you did not display the IPSec configuration.  But I'd guess
> you are either doing point-to-point IPSec or remote-access.
>
> If you are doing point-to-point IPSec, you must have defined the remote end
> networks.  So you also need to add to acl 101 the traffic from those remote
> networks to your internal private.  For point-to-point, here is how you can
> add security.  Don't do IPSec on top of the native IP packet.  Create a GRE
> tunnel, then IPSec the GRE tunnel.  So acl 101 would allow IPsec and GRE.
> Then on your GRE tunnel interface you can add other acls to filter what your
> remote end devices are allowed to do.
>
> If you are doing remote-access, then you need to add to acl 101 packets
> sourced from your pool to your internal privates.  You can add security with
> extra authentication to buy you some comfort of having the traffic allowed
> into your inbound network.  Sorry for not having more comfort there, it may
> have been better to have your remote-access vpn behind your border router.
>
> If you want to post the IPSec config, I may be able to give more ideas.  I
> would recommend you make the end-point for the IPSec something else behind
> the Internet router though.
>
> Rgds,
>
> Marcelo Medina
> CitiPlex Engineering
> 301 680-3993
>
> -----Original Message-----
> From: JamesGEF [mailto:jamesgef@xxxxxxxxxxxx]
> Sent: Wednesday, November 19, 2003 7:57 AM
> To: Nguyen Hoang Long; yuki hisano; ccielab@xxxxxxxxxxxxxx
> Subject: Re: IPSec question with CBAC
>
>
> That's exactly what I would like.  By adding the permit statements on the
> outside interface ACL towards my inside network for incoming IPSec traffic
> loosens the security.
>
> Guess there's no other way....
>
>
> James
>
>
> ----- Original Message ----- 
> From: "Nguyen Hoang Long" <ng-hlong@xxxxxxxxx>
> To: "yuki hisano" <yukyhisano@xxxxxxxxxxx>; <jamesgef@xxxxxxxxxxxx>;
> <ccielab@xxxxxxxxxxxxxx>
> Sent: Wednesday, November 19, 2003 6:22 PM
> Subject: Re: IPSec question with CBAC
>
>
> > Yuki,
> > There's some way to work around, but what James means here is how to bypass
> > ACL checking once the traffic comes in from IPSec tunnel.
> > Is that really what you want, James ?
> >
> > Long
> > CCNA/CCNP/CCIE bootcamp
> > www.vn-experts.net.vn
> >
> > ----- Original Message ----- 
> > From: "yuki hisano" <yukyhisano@xxxxxxxxxxx>
> > To: <jamesgef@xxxxxxxxxxxx>; <ccielab@xxxxxxxxxxxxxx>
> > Sent: Tuesday, November 18, 2003 10:46 PM
> > Subject: Re: IPSec question with CBAC
> >
> >
> > > Isn't that supposed to be "access-list 101 permit 50 any host 207.1.1.1
> > > (esp)"?
> > > ESP's protocol # is 50.
> > >
> > > Yuki
> > >
> > >
> > > >From: "JamesGEF" <jamesgef@xxxxxxxxxxxx>
> > > >Reply-To: "JamesGEF" <jamesgef@xxxxxxxxxxxx>
> > > >To: <ccielab@xxxxxxxxxxxxxx>
> > > >Subject: IPSec question with CBAC
> > > >Date: Tue, 18 Nov 2003 21:45:36 -0500
> > > >
> > > >I'm simulating a situation where I have a router that is connected to the
> > > >Internet and to a private LAN.  Now, NAT translates inside private IP address
> > > >to public IP.  I've also configured CBAC so that all outbound connections are
> > > >permitted back in and no inbound connections are permitted on the outside
> > > >interface other than IPSec packets:
> > > >
> > > >interface fa0/0
> > > >   description Outside interface
> > > >   ip address 207.1.1.1 255.255.255.0
> > > >   ip nat outside
> > > >   ip access-group 101 in
> > > >
> > > >access-list 101 permit 51 any host 207.1.1.1 (esp)
> > > >access-list 101 permit 51 any host 207.1.1.1 (ahp)
> > > >access-list 101 permit udp any host 207.1.1.1 eq 500 (isakmp)
> > > >
> > > >Now, my VPN tunnel comes up fine.  I could make outbound connections from my
> > > >private lan to the other end of VPN connection.
> > > >
> > > >When remote end tries to initiate a connection to local lan of this router,
> > > >access-list 101 denies the packets (I see them in my log).  I have to
> > > >explicitly allow the connections from the remote VPN lan on ACL 101.
> > > >
> > > >On the PIX, there's a command "sysopt connection permit-ipsec" that removes
> > > >the need to create external access-lists for VPN connections.  Is there
> > > >such a command for Cisco IOS routers?
> > > >
> > > >What's the best practice in this situation so that I don't have to create
> > > >ACL entries on my public interface permitting access to private LAN?
> > > >
> > > >Thanks!
> > > >
> > > >James
> > > >
> > > >
> > >
> > > >_______________________________________________________________________
> > > >Please help support GroupStudy by purchasing your study materials from:
> > > >http://shop.groupstudy.com
> > > >
> > > >Subscription information may be found at:
> > > >http://www.groupstudy.com/list/CCIELab.html
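The GRE-over-IPsec design Marcelo describes and James ended up using, written out as a complete IOS configuration. This is an added example, not a config posted by anyone in the thread. It keeps James's outside address 207.1.1.1 and ACL number 101; everything else is assumed for illustration: the remote peer 203.0.113.2, the local LAN 192.168.10.0/24, the remote LAN 192.168.20.0/24, the tunnel /30 10.255.255.0/30, ACL numbers 110 and 120, the inside interface FastEthernet0/1, and the sample policy lines in ACL 120. The pre-shared key is a placeholder. Two corrections from the thread are folded in: ESP is protocol 50 (the `esp` keyword) and AH is 51 (`ahp`), and the outside ACL only needs `permit gre` from the peer to pass the decrypted packet on its second ACL check, so no remote private network ever appears on the Internet-facing interface.

```ios
! Added example (not from the thread): GRE carried inside IPsec on the Internet
! router, so the outside ACL never lists remote private networks.
! Assumed: peer 203.0.113.2, local LAN 192.168.10.0/24, remote LAN
! 192.168.20.0/24, tunnel /30 10.255.255.0/30, ACLs 110/120, Fa0/1 inside.
!
! CBAC: inspect outbound sessions so their return traffic is let back in
ip inspect name CBAC tcp
ip inspect name CBAC udp
!
! NAT for ordinary Internet traffic. Packets routed into Tunnel0 are not
! translated because Tunnel0 is not an "ip nat outside" interface.
access-list 1 permit 192.168.10.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet0/0 overload
!
! IKE phase 1 and the IPsec transform. Transport mode suffices because the
! GRE header already carries the two tunnel endpoints.
crypto isakmp policy 10
 encryption 3des
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.2
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
 mode transport
!
! Crypto ACL: protect only the GRE carrier packets between the public addresses
access-list 110 permit gre host 207.1.1.1 host 203.0.113.2
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address 110
!
! Outside ACL. ESP is protocol 50, AH is 51. The decrypted packet is checked
! a second time against this ACL; with GRE inside IPsec that packet is GRE
! from the peer, so "permit gre" is the only extra line needed here.
access-list 101 remark -- IPsec control and data plane from the peer --
access-list 101 permit esp host 203.0.113.2 host 207.1.1.1
access-list 101 permit ahp host 203.0.113.2 host 207.1.1.1
access-list 101 permit udp host 203.0.113.2 host 207.1.1.1 eq isakmp
access-list 101 remark -- decrypted GRE carrier (second ACL pass) --
access-list 101 permit gre host 203.0.113.2 host 207.1.1.1
access-list 101 deny ip any any log
!
interface FastEthernet0/0
 description Outside interface
 ip address 207.1.1.1 255.255.255.0
 ip nat outside
 ip access-group 101 in
 ip inspect CBAC out
 crypto map VPN
!
interface FastEthernet0/1
 description Inside LAN
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
! Policy for the remote site lives on the tunnel interface, after decryption
! and decapsulation, where it cannot be reached from the Internet directly.
! Lines below are hypothetical: what the remote LAN may initiate towards us.
access-list 120 permit tcp 192.168.20.0 0.0.0.255 host 192.168.10.25 eq 443
access-list 120 permit icmp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 echo
access-list 120 deny ip any any log
!
interface Tunnel0
 description GRE to remote site, carried inside IPsec
 ip address 10.255.255.1 255.255.255.252
 ip access-group 120 in
 ip inspect CBAC out
 tunnel source FastEthernet0/0
 tunnel destination 203.0.113.2
!
ip route 192.168.20.0 255.255.255.0 Tunnel0
```

Two points a practitioner would check before deploying this. First, the inbound ACL on Tunnel0 also sees the return traffic of sessions the local LAN opens towards the remote site, so CBAC (or at least an `established` rule) has to be applied on Tunnel0 too; without `ip inspect CBAC out` there, ACL 120 would silently break local-initiated sessions in the same way ACL 101 broke remote-initiated ones in James's original setup. Second, the 3DES/SHA-1/group 2 parameters match the era of the thread; on current software use AES and SHA-2 transforms and a Diffie-Hellman group of 14 or higher, and restrict the outside ACL to the peer address as shown rather than `any`, since nothing else should be opening IKE to this router.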