VPN traffic & fields

secureIT
Level 4

Hi Netpro Team,

Could you please answer the queries...

Query 1: May I know what fields get attached while VPN traffic is passing through a tunnel?

Query 2: Which mechanism is used to calculate the number of ACLs in the ASA?

Query 3: What is the difference between a router ACL and a firewall ACL?

Regards

12 Replies

Jennifer Halim
Cisco Employee

Query 1: Do you mean which protocols and ports VPN traffic uses? I assume you mean IPsec VPN, so they are normally UDP/500, UDP/4500, ESP, and/or AH.

Query 2: The number of lines in the output of "show access-list", which includes the expansion of the ACL if an object-group is created.

Query 3: A Cisco router uses a wildcard mask, while a Cisco firewall uses a netmask. A router ACL is stateless, while a firewall ACL is stateful, which means you only need to configure the ACL in one direction, i.e. where the traffic is initiated.

Hope that answers your questions.
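The answers to Query 2 and Query 3 above can be worked through in code. The following is an added example written for this thread, not Cisco's code or output: it converts between the router's wildcard mask and the ASA's netmask (they are bitwise inverses), tests an address against an ACE under each interpretation, and models how an ACE written with object-groups expands into one line per member combination in `show access-list`. The object-group names, the ACE contents and the exact line layout are constructed for the illustration; only the counting rule (one parent line plus one expanded line per combination) is the point.

```python
"""Added example (not Cisco code): wildcard mask vs netmask, and counting
the lines an object-group ACE expands into in `show access-list`."""
import ipaddress
from itertools import product

ALL_ONES = 0xFFFFFFFF


def wildcard_to_netmask(wildcard: str) -> str:
    """IOS wildcard mask (0 bits = must match) -> ASA netmask (1 bits = must match)."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ ALL_ONES))


def netmask_to_wildcard(netmask: str) -> str:
    """The reverse conversion; XOR with all-ones is its own inverse."""
    return wildcard_to_netmask(netmask)


def ace_matches(address: str, network: str, mask: str, wildcard: bool) -> bool:
    """Does `address` fall inside the ACE's network/mask? `wildcard=True` reads
    `mask` the router way, `wildcard=False` the ASA way."""
    m = int(ipaddress.IPv4Address(mask))
    if wildcard:
        m ^= ALL_ONES
    a = int(ipaddress.IPv4Address(address))
    n = int(ipaddress.IPv4Address(network))
    return (a & m) == (n & m)


def show_access_list_lines(aces, groups):
    """Model of how `show access-list` counts an object-group ACE: the ACE
    itself is one line, followed by one expanded line per (source,
    destination, service) combination. The rendered text is an approximation
    of the real layout; len(result) is the line count the answer refers to."""
    lines = []
    for ace in aces:
        src = groups.get(ace["src"], [ace["src"]])
        dst = groups.get(ace["dst"], [ace["dst"]])
        svc = groups.get(ace["svc"], [ace["svc"]])
        lines.append(f"access-list {ace['name']} extended {ace['action']} "
                     f"{ace['svc']} {ace['src']} {ace['dst']}")
        if any(key in groups for key in (ace["src"], ace["dst"], ace["svc"])):
            for s, d, p in product(src, dst, svc):
                lines.append(f"  access-list {ace['name']} extended "
                             f"{ace['action']} {p} {s} {d}")
    return lines


# Constructed sample: two object-groups and an ACE that references both,
# followed by a plain deny-all ACE that expands to nothing.
SAMPLE_GROUPS = {
    "og-branches": ["10.10.1.0 255.255.255.0", "10.10.2.0 255.255.255.0"],
    "og-web": ["tcp eq 80", "tcp eq 443"],
}
SAMPLE_ACES = [
    {"name": "outside_in", "action": "permit", "svc": "og-web",
     "src": "og-branches", "dst": "host 192.0.2.10"},
    {"name": "outside_in", "action": "deny", "svc": "ip",
     "src": "any", "dst": "any"},
]


def sample_line_count() -> int:
    """1 parent + 2*1*2 expanded lines for the first ACE, 1 for the second."""
    return len(show_access_list_lines(SAMPLE_ACES, SAMPLE_GROUPS))


if __name__ == "__main__":
    print(wildcard_to_netmask("0.0.0.255"))
    print(ace_matches("10.10.1.77", "10.10.1.0", "0.0.0.255", wildcard=True))
    for line in show_access_list_lines(SAMPLE_ACES, SAMPLE_GROUPS):
        print(line)
    print(sample_line_count())
```

The practical consequence of the counting rule is that a single ACE referencing large object-groups can contribute hundreds of expanded lines, which is what the ASA actually evaluates and what the line count in `show access-list` reflects.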

Thanks Jennifer,

I was looking for the answer: Router ACL is stateless, while Firewall ACL is stateful!!!

For the first query, please confirm if the below would suit.

[ipheader] + [AH-ESP] + [Payload]

     where ipheader = ip.src + ip.srcport + ip.dst + ip.dstport

And would the traffic flow of IPsec traffic be as given below?

receive-pkt -> ingress interface -> received pkt -> check conn table -> check xlate -> check acl -> vpn-crypto-match -> check inspect-csc -> check nat-ip-header -> check ips -> egress interface -> check routing -> check L2-addr -> transmit packet

Thanks in advance...

[ipheader] only includes ip.src + ip.dst, as IP doesn't have ports.

Here is a doc on AH and ESP packet for your reference:

http://www.cisco.com/en/US/partner/tech/tk543/tk757/technologies_tech_note09186a00800b3d15.shtml#t2

Here is a packet flow through ASA firewall:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080ba9d00.shtml
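The stateless-versus-stateful distinction from Query 3, together with the "check conn table" step preceding "check acl" in the packet flow listed above, can be shown with a small model. The following is an added example written for this thread, not Cisco's code: the firewall consults its connection table before the ACL, so return traffic of a permitted connection is accepted without an ACL entry, while the router evaluates every packet on its own against the ACL of the interface it arrives on. The interface names, addresses and ACL contents are constructed; an interface with an applied empty ACL denies everything (implicit deny), and an interface with no ACL applied forwards everything.

```python
"""Added example (not Cisco code): why a stateful firewall ACL is configured
only in the initiating direction while a stateless router ACL is not."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Packet":
        """The return-direction packet of the same flow."""
        return Packet(self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass(frozen=True)
class Ace:
    """One access-control entry; "any" matches every address, dport None every port."""
    action: str
    src: str
    dst: str
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (self.src in ("any", pkt.src) and self.dst in ("any", pkt.dst)
                and self.dport in (None, pkt.dport))


def acl_permits(acl, pkt: Packet) -> bool:
    """First-match evaluation with the implicit deny at the end of the list."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action == "permit"
    return False


class StatelessRouter:
    """Each packet is judged on its own by the ACL of its ingress interface."""

    def __init__(self, acls):
        self.acls = acls  # {interface: [Ace, ...]}; absent interface = no ACL applied

    def forward(self, pkt: Packet, ingress: str) -> bool:
        acl = self.acls.get(ingress)
        return True if acl is None else acl_permits(acl, pkt)


class StatefulFirewall:
    """Conn table lookup first, then the ingress ACL; a permitted new
    connection gets a conn entry for both directions."""

    def __init__(self, acls):
        self.acls = acls
        self.conns = set()

    def forward(self, pkt: Packet, ingress: str) -> bool:
        if pkt in self.conns:  # established connection: the ACL is not consulted
            return True
        acl = self.acls.get(ingress)
        permitted = True if acl is None else acl_permits(acl, pkt)
        if permitted:
            self.conns.add(pkt)
            self.conns.add(pkt.reverse())  # return traffic is matched by the conn table
        return permitted


def run_scenario() -> dict:
    """Constructed flow: inside client 10.10.1.5 opens TCP/80 to 192.0.2.10.
    Both devices permit it on 'inside' and apply an empty (deny-all) ACL on
    'outside'."""
    inside_acl = [Ace("permit", "any", "any", 80)]
    client = Packet("tcp", "10.10.1.5", 40000, "192.0.2.10", 80)
    unsolicited = Packet("tcp", "198.51.100.7", 5555, "10.10.1.5", 22)
    router = StatelessRouter({"inside": inside_acl, "outside": []})
    fw = StatefulFirewall({"inside": inside_acl, "outside": []})
    return {
        "router_syn": router.forward(client, "inside"),             # True
        "router_synack": router.forward(client.reverse(), "outside"),  # False: no return ACE
        "fw_syn": fw.forward(client, "inside"),                     # True, conn built
        "fw_synack": fw.forward(client.reverse(), "outside"),       # True via conn table
        "fw_unsolicited": fw.forward(unsolicited, "outside"),       # False: implicit deny
    }


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(f"{step:15} {'permit' if result else 'deny'}")
```

The router result is the reason a stateless ACL needs a matching entry for the return direction on the other interface; the firewall result is the reason the ASA ACL is written only where the traffic is initiated, and also why an unsolicited packet from outside is dropped without any explicit deny.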

Oops, sorry. I knew: the IP header will have only IPs, and the TCP header has ports. Sorry.

The below link is not working, for AH/ESP:

http://www.cisco.com/en/US/partner/tech/tk543/tk757/technologies_tech_note09186a00800b3d15.shtml#t2

Sorry, it does not open; it gives "Forbidden File or Application".

Could you please download the same and share?

Please try closing your browser, or try another browser, as that URL is public and you should be able to access it:

http://www.cisco.com/en/US/customer/tech/tk543/tk757/technologies_tech_note09186a00800b3d15.shtml#t2

Hi,

Can you please tell me what fields get attached to the IP header when the IPsec traffic is going through a GRE tunnel?

For GRE over IPsec, it would be:

[ipheader] + [ESP] + [GRE] + [Payload]

Thanks for the update...

If we talk more specifically, for example, there is a GRE tunnel between the peers 172.16.1.1 and 172.16.1.2, and the two networks at both ends are 10.10.1.0/24 and 10.10.2.0/24 with OSPF running. Then what are all the fields that get added here, if we go in deep?

With GRE tunnels, it would be:

[GRE: source: 172.16.1.1 destination: 172.16.1.2] + [Payload: source: 10.10.1.0/24 + destination: 10.10.2.0/24]

Traffic will be routed through the GRE tunnel; the remote GRE tunnel interface will strip off the GRE header, and the packet will be routed towards the destination subnet.
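The header stacking described in this reply and in the earlier [ipheader] + [ESP] + [GRE] + [Payload] reply can be made concrete by building and decoding the bytes. The following is an added example written for this thread, not Cisco's code: it assembles [outer IP 172.16.1.1 -> 172.16.1.2] + [GRE] + [inner IP 10.10.1.1 -> 10.10.2.1] + [payload], walks the stack header by header, and shows what the same decoder sees when the outer IP header carries ESP (protocol 50) instead: the GRE header and inner addresses are inside the encrypted ESP payload, so the walk stops at the SPI and sequence number. The inner host addresses, the OSPF payload bytes, the SPI and the "ciphertext" are constructed, and the IP checksum is left at zero because nothing here verifies it.

```python
"""Added example (not Cisco code): build and decode [IP]+[GRE]+[IP]+[payload],
and show that [IP]+[ESP] hides everything after the ESP header."""
import ipaddress
import struct

PROTO_GRE = 47            # IANA IP protocol numbers
PROTO_ESP = 50
PROTO_OSPF = 89
ETHERTYPE_IPV4 = 0x0800   # GRE protocol type for an IPv4 payload
IPV4_FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal IPv4 header: version/IHL 0x45, TTL 64, checksum left at 0."""
    return struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def gre_header(protocol_type: int = ETHERTYPE_IPV4) -> bytes:
    """RFC 2784 GRE header with no optional fields: flags/version 0, then the
    protocol type of what follows."""
    return struct.pack("!HH", 0, protocol_type)


def gre_over_ip(outer_src, outer_dst, inner_src, inner_dst, payload: bytes) -> bytes:
    """[outer IP] + [GRE] + [inner IP] + [payload], as the tunnel source sends it."""
    inner = ipv4_header(inner_src, inner_dst, PROTO_OSPF, len(payload)) + payload
    gre = gre_header() + inner
    return ipv4_header(outer_src, outer_dst, PROTO_GRE, len(gre)) + gre


def esp_over_ip(outer_src, outer_dst, spi: int, seq: int, ciphertext: bytes) -> bytes:
    """[outer IP] + [ESP: SPI, sequence, encrypted payload]. The ciphertext is a
    constructed placeholder, not real encryption."""
    esp = struct.pack("!II", spi, seq) + ciphertext
    return ipv4_header(outer_src, outer_dst, PROTO_ESP, len(esp)) + esp


def decode_layers(pkt: bytes):
    """Walk the header stack and return [(layer, description), ...]."""
    layers, offset = [], 0
    while True:
        vihl, _, _, _, _, _, proto, _, src, dst = struct.unpack_from(IPV4_FMT, pkt, offset)
        layers.append(("ip", f"{ipaddress.IPv4Address(src)} -> "
                             f"{ipaddress.IPv4Address(dst)} proto {proto}"))
        offset += (vihl & 0x0F) * 4
        if proto == PROTO_GRE:
            flags, ptype = struct.unpack_from("!HH", pkt, offset)
            # optional checksum/routing, key and sequence fields each add 4 bytes
            optional = bool(flags & 0xC000) + bool(flags & 0x2000) + bool(flags & 0x1000)
            layers.append(("gre", f"protocol-type 0x{ptype:04x}"))
            offset += 4 + 4 * optional
            if ptype == ETHERTYPE_IPV4:
                continue  # the next header is the inner IP header
            layers.append(("payload", f"{len(pkt) - offset} bytes, non-IPv4 GRE payload"))
            return layers
        if proto == PROTO_ESP:
            spi, seq = struct.unpack_from("!II", pkt, offset)
            layers.append(("esp", f"spi 0x{spi:08x} seq {seq}, inner headers encrypted"))
            return layers
        layers.append(("payload", f"proto {proto}, {len(pkt) - offset} bytes"))
        return layers


def layer_names(pkt: bytes):
    return [name for name, _ in decode_layers(pkt)]


# Constructed samples using the thread's addressing: GRE peers 172.16.1.1/.2
# carrying an OSPF packet between hosts in 10.10.1.0/24 and 10.10.2.0/24.
GRE_SAMPLE = gre_over_ip("172.16.1.1", "172.16.1.2", "10.10.1.1", "10.10.2.1", b"ospf-hello")
ESP_SAMPLE = esp_over_ip("172.16.1.1", "172.16.1.2", 0x1234ABCD, 1, b"\x00" * 32)

if __name__ == "__main__":
    for sample in (GRE_SAMPLE, ESP_SAMPLE):
        for layer, detail in decode_layers(sample):
            print(f"{layer:8} {detail}")
        print()
```

The first sample decodes to ip / gre / ip / payload, which is the stack the reply describes: a crypto ACL or a transit firewall sees only the outer 172.16.x addresses and protocol 47 until the remote tunnel interface strips the GRE header. The second sample stops at the ESP layer, which is why an intermediate device can classify GRE-over-IPsec traffic only by the outer addresses and SPI.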

Thanks for the update.
