Wondering if it's possible to implement a port-level outgoing access-list in
PIX for the traffic received from another interface using an IPsec tunnel, and
translated using a pool.
PIX only seems to offer inbound access lists & nat 0 with no port-level
filtering.. sounds weird, doesn't it.. can you help?
cheers! sen
Quoting Gareth Bromley <garethb@xxxxxxxxxx>:
> Yep you missed something.
>
> PKI based IPSec works roughly as follows:
> 1. Create the public/private certifications for each router
> 2. Give the public cert to the CA for signing into a certificate
> 3. When you create an IPSec connection that requires certs to authenticate
> each end of the IPSec connection and you wish to use a CA to prove validity,
> then the devices will present each other their public certs, which each
> device will then validate via the CA. The CA is there solely to be a trusted
> party that can validate a cert and also provide a list of revoked
> certificates.
> 4. If all is well, Phase 1 completes and Phase 2 starts .......
>
> Hope this clarifies what goes on (high level)
>
> If you have the money/will buy the CSVPN coursebook, it is one of the best
> books (and I have a lot of them) I've seen on the subject, very well
> explained and detailed.
>
> --Gareth Bromley
> CCNP CSS1 CCIP Security CCSA CCSE RHCE
> Senior Network Engineer, Sports.com Ltd
>
> -----Original Message-----
> From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of
> Roberts, Larry
> Sent: 29 May 2002 05:38
> To: 'Keyur Shah'; Cisco Security Mailing List (security@xxxxxxxxxxxxxx)
> Subject: RE: Isakmp key exchange question
>
>
> OK,
> I am really confused.
> You say the cert must be configured beforehand, then you state that during
> phase 1 process they exchange certs..
> Am I missing something here, or are you saying I must request the cert
> twice?
>
> Thanks
>
> Larry
>
> -----Original Message-----
> From: Keyur Shah [mailto:kshah@xxxxxxxxxxxxxxxxxx]
> Sent: Tuesday, May 28, 2002 11:38 PM
> To: 'Roberts, Larry'; Cisco Security Mailing List (security@xxxxxxxxxxxxxx)
> Subject: RE: Isakmp key exchange question
>
>
> Cert must be requested beforehand from the CA. Keep CRL optional, unless you
> have it properly configured. During the phase 1 process, they will exchange
> certs.
>
> -Keyur Shah-
> CCIE# 4799 (Security; Routing and Switching)
> CISSP,ccsa,css1,scsa,scna,mct,mcse,cni,mcne
> Hello Computers
> "Say Hello to Your Future!"
> http://www.hellocomputers.com
> Toll-Free: 1.877.794.3556
>
>
> -----Original Message-----
> From: Roberts, Larry [mailto:Larry.Roberts@xxxxxxxxxxxx]
> Sent: Tuesday, May 28, 2002 9:20 PM
> To: 'Keyur Shah'; Cisco Security Mailing List (security@xxxxxxxxxxxxxx)
> Subject: RE: Isakmp key exchange question
>
>
> I'm using the Windows 2K cert server.
>
> Wouldn't the router request the cert automatically?
> From what I have read, the router (router_G) will request the cert from the
> second router (router_d). This cert will have to be verified by the CA.
> Is that not correct?
>
>
>
> Thanks
>
> Larry
>
> -----Original Message-----
> From: Keyur Shah [mailto:kshah@xxxxxxxxxxxxxxxxxx]
> Sent: Tuesday, May 28, 2002 11:23 PM
> To: 'Roberts, Larry'; Cisco Security Mailing List (security@xxxxxxxxxxxxxx)
> Subject: RE: Isakmp key exchange question
>
>
>
> Larry,
>
> You do need to request the cert of the adjacent router. Also make sure your
> clock is set correctly. Which CA are you using?
>
> Thanks
>
> -Keyur Shah-
> CCIE# 4799 (Security; Routing and Switching)
> CISSP,ccsa,css1,scsa,scna,mct,mcse,cni,mcne
> Hello Computers
> "Say Hello to Your Future!"
> http://www.hellocomputers.com
> Toll-Free: 1.877.794.3556
> Fremont: 510.795.6815
> Santa Clara: 408.496.0801
> Europe: +(44)20 7900 3011
> Fax: 510.291.2250
>
>
> -----Original Message-----
> From: Roberts, Larry [mailto:Larry.Roberts@xxxxxxxxxxxx]
> Sent: Tuesday, May 28, 2002 7:41 PM
> To: Cisco Security Mailing List (security@xxxxxxxxxxxxxx)
> Subject: Isakmp key exchange question
>
>
> OK,
> I am attempting to create an IPSec tunnel with isakmp rsa-sig key exchange.
>
> I have generated the keys, authenticated the ca and enrolled.
> I am using hostname authentication.
> When I attempt to form the tunnel, nothing happens.
> A debug shows the following:
>
> 01:29:32: ISAKMP: received ke message (1/1)
> 01:29:32: ISAKMP: local port 500, remote port 500
> 01:29:32: ISAKMP (0:1): No Cert or pre-shared address key.
> 01:29:32: ISAKMP (0:1): Can not start Main mode
> 01:29:32: ISAKMP (0:1): Can not start aggressive mode.
> 01:29:32: ISAKMP (0:1): purging SA.
> 01:29:32: ISAKMP (0:1): purging node 1351240705
> 01:30:02: ISAKMP: received ke message (3/1)
> 01:30:02: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src 192.168.148.54 dst 192.168.148.53 for SPI 0x0
>
> I have verified reachability to all devices.
> I am assuming that I need to do something else to request the cert of the
> adjacent router, but I can't for the life of me figure out what. Shouldn't
> the router request the cert from the other router, then verify with the CA?
>
> No matter which router that I am doing this from, I get the same error.
>
> And for the relevant config:
>
> crypto ca identity CASERVER
> enrollment mode ra
> enrollment url http://explabdc01:80/certsrv/mscep/mscep.dll
> crl optional
> !
> ! Keys omitted
> !
> crypto isakmp policy 10
> crypto isakmp identity hostname
> !
> !
> crypto ipsec transform-set TRANSFORM esp-des esp-md5-hmac
> !
> crypto map MYMAP local-address FastEthernet0/0
> crypto map MYMAP 10 ipsec-isakmp
> set peer 192.168.148.53
> set transform-set TRANSFORM
> match address 100
>
> Only thing that I can imagine that I need would be the Query URL, but every
> LDAP address I place in there doesn't work and all the examples I look at
> say that this is optional.
>
> Any help is appreciated.
>
>
> Thanks
>
> Larry
> __________________________________________________________________
> To unsubscribe from the SECURITY list, send a message to
> majordomo@xxxxxxxxxxxxxx with the body containing: unsubscribe SECURITY
>
cheers - sen
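Gareth's steps 3 and 4, Keyur's notes about the clock and about keeping the CRL optional, and the "No Cert or pre-shared address key" line in Larry's debug, pulled together as an added Go example. This is not code from the thread, from Cisco IOS or from the CA product discussed; it uses Go's standard crypto/x509 with a constructed ECDSA lab CA standing in for the Windows 2000 certificate server (the names LAB-CA, router_G and router_d, the serial numbers and the validity periods are assumptions for the example), and it models the router's phase-1 decision as an ordered list of checks rather than reproducing IKE itself.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// AuthenticatePeer runs the phase-1 checks the thread describes and returns nil when the peer is
// authenticated, or an error naming the first failed check: the local device must hold its own
// certificate ("No Cert or pre-shared address key" otherwise); the peer certificate must chain to
// the trusted CA, be valid at the local clock and carry the expected hostname; and unless the CRL
// is optional, a fresh CA-signed CRL must be present and must not list the peer's serial.
func AuthenticatePeer(localCert, peerCert, ca *x509.Certificate, crlDER []byte,
	peerIdentity string, now time.Time, crlRequired bool) error {
	if localCert == nil {
		return fmt.Errorf("No Cert or pre-shared address key: cannot start Main mode")
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := peerCert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,          // the router's clock: a skewed clock fails here
		DNSName:     peerIdentity, // identity the peer must present
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	if err != nil {
		return fmt.Errorf("peer certificate rejected: %w", err)
	}
	if crlDER == nil && !crlRequired { // "crl optional": phase 1 proceeds without a CRL
		return nil
	}
	crl, err := x509.ParseRevocationList(crlDER) // nil input fails here: CRL required but absent
	if err == nil {
		err = crl.CheckSignatureFrom(ca)
	}
	if err != nil {
		return fmt.Errorf("CRL rejected: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return fmt.Errorf("CRL is stale (NextUpdate %s): refresh it before trusting it", crl.NextUpdate)
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(peerCert.SerialNumber) == 0 {
			return fmt.Errorf("peer certificate serial %s is revoked", e.SerialNumber)
		}
	}
	return nil
}

// must panics on error; the lab fixtures below are constructed data, not production code paths.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue generates a P-256 key and a certificate for tmpl, self-signed when parent is nil.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, signer = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

type Lab struct { // constructed stand-in for the thread's CA server and the two routers
	caKey           *ecdsa.PrivateKey
	CA, Local, Peer *x509.Certificate // CA; router_G's own cert; router_d's cert as presented
}

// NewLab builds the CA and enrolls both routers with certificates valid from now.
func NewLab(now time.Time) *Lab {
	ca, caKey := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "LAB-CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(1, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
	router := func(serial int64, name string) *x509.Certificate {
		cert, _ := issue(&x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
			DNSNames:  []string{name}, // what "crypto isakmp identity hostname" presents
			NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(0, 0, 7),
		}, ca, caKey)
		return cert
	}
	return &Lab{caKey: caKey, CA: ca, Local: router(10, "router_G"), Peer: router(11, "router_d")}
}

// IssueCRL signs a CRL listing the given serials, good for one day from now.
func (l *Lab) IssueCRL(now time.Time, revoked ...*big.Int) []byte {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.AddDate(0, 0, 1)}
	for _, s := range revoked {
		tmpl.RevokedCertificateEntries = append(tmpl.RevokedCertificateEntries,
			x509.RevocationListEntry{SerialNumber: s, RevocationTime: now})
	}
	return must(x509.CreateRevocationList(rand.Reader, tmpl, l.CA, l.caKey))
}
```

Calling AuthenticatePeer with the lab's two router certificates, the lab CA and a CRL from IssueCRL returns nil. Passing nil as the local certificate reproduces the refusal in Larry's debug before the peer's certificate is even looked at; a local clock 30 days ahead is rejected as expired although every certificate was issued correctly, which is why Keyur asks about the clock; a CRL that lists the peer's serial is rejected as revoked; and with crlRequired false the peer is accepted without any CRL at all, which is exactly what "crl optional" trades away.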