11-05-2010 10:40 PM - edited 03-11-2019 12:05 PM
When IPsec traffic is decrypted on a Cisco 877 Dialer interface, what is the next step? If the Dialer interface is a member of the 'outside-zone' (ZBF) and the packet SA is 10.1.1.1 and the DA is 10.2.1.1 (which is part of the 'inside-zone'), does the packet go through the 'service-policy' associated with the zone-pair out-to-in? The reason I ask is because I have a class-map associated with the out-to-in zone-pair that drops all 10.x.x.x, 172.16.x.x and 192.168.x.x, but once my private traffic that has just traversed the IPsec tunnel hits the out-to-in zone-pair it is blocked.
How do I block RFC 1918 on my outside-zone without killing my RFC 1918 tunnel traffic?
11-06-2010 12:43 PM
Hello,
I hope you are doing great. You can create a class map matching an access list from the remote network to the inside network; that traffic will have the inspect action. Then create another class map with the rest of the RFC 1918 addresses and give it a drop action.
On the policy map, make sure that the first class map is the one where you are permitting the traffic from the remote network, and as the second class map on that policy map put the one that is blocking the rest of the private ranges.
If you have any doubts please let me know.
Mike.
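The ordering Mike describes, written out as an IOS zone-based firewall configuration. This is an added example, not configuration from the original thread or from Cisco; the addresses (remote tunnel LAN 10.1.1.0/24, local LAN 10.2.1.0/24), the interface names (Dialer1, Vlan1) and all ACL, class-map and policy-map names are assumptions for illustration. The IPsec crypto configuration and the in-to-out zone-pair for locally initiated traffic are assumed to exist and are not shown.

```cisco
! Added example: out-to-in ZBF policy that inspects the tunnel's private
! traffic and drops every other RFC 1918 source on the Dialer interface.
! Assumed addressing: remote LAN 10.1.1.0/24 -> local LAN 10.2.1.0/24.
!
! Decrypted IPsec packets are still treated as having entered on Dialer1,
! i.e. from 'outside-zone', so they are evaluated by this zone-pair.
!
! Only the remote tunnel LAN talking to the local LAN (assumed prefixes)
ip access-list extended ACL-TUNNEL-IN
 permit ip 10.1.1.0 0.0.0.255 10.2.1.0 0.0.0.255
!
! All of RFC 1918 as source, regardless of destination
ip access-list extended ACL-RFC1918-IN
 permit ip 10.0.0.0 0.255.255.255 any
 permit ip 172.16.0.0 0.15.255.255 any
 permit ip 192.168.0.0 0.0.255.255 any
!
class-map type inspect match-all CM-TUNNEL-IN
 match access-group name ACL-TUNNEL-IN
!
class-map type inspect match-all CM-RFC1918-IN
 match access-group name ACL-RFC1918-IN
!
! Classes are evaluated top to bottom and the first match wins, so the
! tunnel class must be listed before the RFC 1918 drop class.
policy-map type inspect PM-OUT-TO-IN
 class type inspect CM-TUNNEL-IN
  inspect
 class type inspect CM-RFC1918-IN
  drop log
 class class-default
  drop
!
zone security inside-zone
zone security outside-zone
!
interface Vlan1
 zone-member security inside-zone
!
interface Dialer1
 zone-member security outside-zone
!
zone-pair security out-to-in source outside-zone destination inside-zone
 service-policy type inspect PM-OUT-TO-IN
```

Two points worth checking after applying this. First, `show policy-map type inspect zone-pair out-to-in` should show hits on CM-TUNNEL-IN for tunnel traffic and on CM-RFC1918-IN for everything else private; if the tunnel class shows no hits, the ACL prefixes do not match what actually comes out of the tunnel. Second, the ISAKMP and ESP packets that build the tunnel are addressed to the router itself and therefore belong to the self zone, not to this zone-pair, so the RFC 1918 drop here cannot break tunnel establishment; it only affects the decrypted inner traffic.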
11-06-2010 09:01 PM
Mike,
I do have what you mentioned in place already, I just didn't think this order of operation was correct. So I basically can't block ALL RFC 1918 on my DSL interface if I have a site-to-site tunnel using a private network?
Thanks for the response.
11-06-2010 09:15 PM
Hello,
I think I do understand your concern now, and the answer will be no. If someone directly connected on the outside comes with an address that is in the IP scheme of the tunnel (or, in zone-based perspective, allowed from outside to inside), he will be allowed to come in. However, it is very unlikely that someone from the internet can come with an IP address that is not routable; it should die on the ISP network.
Hope this helps.
If you have any doubts please let me know.
Thanks
Mike