GroupStudy.com - A virtual community of network engineers
RE: PIX IPSEC/VPN and remote client question - looking for a work ing config posted 12/02/2002
Just base your ACLs on the native IP traffic protected by IPSec. You don't
need to worry about permitting the actual IPSec packets themselves; the
"adaptive security algorithm" handles these.

Regards
Justin

-----Original Message-----
From: Stong, Ian C [GMG] [mailto:Ian.C.Stong@xxxxxxxxxxxxxxx] 
Sent: Tuesday, December 03, 2002 7:46 AM
To: security@xxxxxxxxxxxxxx
Subject: PIX IPSEC/VPN and remote client question - looking for a working config


Hi,

I need to set up a PIX so that some outside users can tie in securely using
IPSEC and a VPN client while others will tie in in the clear and be subject
solely to ACLs (and lastly - the general public will have access to ports
80 and 443).

My confusion exists in the configuration of what if any ACL to use to tell
the VPN what packets to look at for IPSEC and what packets not to look at.
My sample config follows:


ip address outside 150.140.130.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0

ip local pool vpn_users 192.168.2.0-192.168.2.254

sysopt connection permit-ipsec
sysopt ipsec pl-compatible
no sysopt route dnat
crypto ipsec transform-set whatever esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600

crypto dynamic-map cisco 10 set transform-set whatever
crypto map mymap 10 ipsec-isakmp dynamic cisco

crypto map mymap interface outside
isakmp enable outside
isakmp key privatekey address 0.0.0.0 netmask 0.0.0.0
isakmp client configuration address-pool local vpn_users outside
 
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 28800



Hope that makes sense....
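The following is an added illustration of Justin's point, not part of either message above. It assumes PIX 6.x syntax, a web server at inside address 192.168.1.10 published as 150.140.130.10, and a single cleartext partner host 203.0.113.5 (all constructed values). Lines beginning with ! are annotations, not PIX commands.

```cisco
! Publish the web server and let the public reach only 80 and 443 on it.
static (inside,outside) 150.140.130.10 192.168.1.10 netmask 255.255.255.255
access-list outside_in permit tcp any host 150.140.130.10 eq www
access-list outside_in permit tcp any host 150.140.130.10 eq https

! Cleartext users are governed purely by the outside ACL: name the plain
! source and destination, nothing about ESP or ISAKMP.
access-list outside_in permit tcp host 203.0.113.5 host 150.140.130.10 eq 22

! Everything else from the outside is dropped by the implicit deny.
access-group outside_in in interface outside

! VPN clients land in the 192.168.2.0/24 pool; keep that traffic out of NAT
! so inside hosts see the clients' pool addresses.
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat

! With this sysopt, decrypted client traffic bypasses outside_in entirely, so
! there is no ACL entry for the pool and none for UDP/500 or ESP. Without it,
! the decrypted packets would need their own permit line in outside_in, e.g.
! access-list outside_in permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
sysopt connection permit-ipsec
```

To confirm which path a packet took, `show access-list` shows hit counts on the outside_in entries (public and cleartext traffic increment them, VPN client traffic should not), and `show crypto ipsec sa` shows the decrypt counters for each client's security association.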