Encryption: "Apply crypto map to interface"

Mark_Matthias
Level 1

Is this the best forum for discussing encryption?

I want to set up a simple AES encryption between an ISDN port Bri1/0 on a 2611xm and a 2811.

I want to encrypt everything except telnet on the ISDN link between these routers. I want to be able to telnet between the routers just in case the encryption locks up. That is my client's requirement.

Question #1: Do I apply the crypto map to the Ethernet port (as I have seen in many examples) or on the ISDN connection?

Question #2: If I apply the crypto map to the ISDN connection, do I apply the crypto map to the BRI port or the dialer?

Question #3: Assuming both routers and all segments use the 10.0.0.0 network and are not connected to anything else, would the following access list work?

access list 110

deny ip any any eq telnet

permit ip any any

Thanks,

Mark

cslefort
Level 1

Hi Mark,

Apply the crypto map to your outgoing interface (Dialer).

You will likely lock the router up by putting a permit ip any any in your crypto access-list.

You probably don't even need to add the deny telnet entry in your access-list if you are willing to initiate your session from the router.

I would suggest:

ip access-list extended to-remote
 deny tcp any any eq telnet
 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255

The remote site would have a mirror:

ip access-list extended to-headoffice
 deny tcp any any eq telnet
 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255

Richard Burts
Hall of Fame

Mark

I believe that this is an OK forum for discussing your question. There is also a set of Virtual Private Networks forums including a General one which would also be appropriate. But since you are here, let's talk about your question here.

1) In my experience the crypto map should be configured on the outbound interface. In many examples the outbound interface is the Ethernet so they show the crypto map on the Ethernet. In your case I believe it would be on the ISDN.

2) In current versions of IOS the crypto map is applied to physical interfaces and not to virtual interfaces. In some older versions of IOS the crypto map was applied to both the physical interface and virtual interface. I believe it would be applied to the BRI for you.

3) For traditional IPSec Cisco suggests not using the any keyword in the ACL that identifies traffic to be encrypted. Right now I do not remember the reasons, but I would suggest that you rework the ACL and permit source addresses and destination addresses. Of course you can always try it the way that you have it configured and see what happens.

HTH

Rick


Thanks for the quick replies!

I've revised my access list. Will this work?

Access list 110

deny tcp any any eq telnet

permit tcp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255

I could use this on both sides. Couldn't I?

Can either of you document or provide more information on your choice for where to place the crypto map? BRI port vs. dialer? Or Rick, would you concur that it should be on the ISDN dialer?

Thanks again,

Sincerely!

Mark

Mark

I do not have experience with doing IPSec over ISDN. My answer was based on my experience of doing IPSec over physical interfaces and of doing IPSec over virtual interfaces/tunnel interfaces. I have gone back and looked up a few things and it looks like my advice to put the crypto map on physical interfaces and not on virtual interfaces is correct for tunnels but not correct for ISDN. I agree that you should put the map on the dialer interface.

HTH

Rick


cslefort
Level 1

I don't use ISDN very much, but this link indicates that the crypto map should be on the dialer interface:

http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_configuration_example09186a0080094c1f.shtml

You could use permit 10.0.0.0 0.255.255.255 as your crypto access-list on both peers, but good practice would be to use the specific mask. This would become apparent if you were to try to build a second VPN tunnel with a 10.x.x.x network on the LAN.

Claude
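
Added example, not part of any post in this thread: a Python model of how a crypto access-list selects outbound traffic (first match wins; permit means encrypt, deny or no match means send in clear), run against the lists discussed above with the telnet entry written as `deny tcp any any eq telnet`. The host addresses, the ISDN link addresses, the client source port and the extra `DENY_TELNET_REPLY` entry are assumptions made for illustration.

```python
import ipaddress

TELNET, ANY = 23, "0.0.0.0/0"

def rule(action, proto, src, dst, sport=None, dport=None):
    """One extended-ACL entry; src/dst are CIDR strings, a port of None means any."""
    return (action, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), sport, dport)

def matches(r, pkt):
    _, proto, src, dst, sport, dport = r
    p_proto, p_src, p_sport, p_dst, p_dport = pkt
    return ((proto == "ip" or proto == p_proto)
            and ipaddress.ip_address(p_src) in src
            and ipaddress.ip_address(p_dst) in dst
            and sport in (None, p_sport)
            and dport in (None, p_dport))

def outbound(acl, pkt):
    """First match wins: permit selects the packet for encryption,
    deny or no match leaves it in clear."""
    for r in acl:
        if matches(r, pkt):
            return "encrypt" if r[0] == "permit" else "clear"
    return "clear"

def telnet_session(client, server, client_side_acl, server_side_acl):
    """Treatment of the request (dst port 23) and of the reply (src port 23)."""
    request = ("tcp", client, 40000, server, TELNET)
    reply = ("tcp", server, TELNET, client, 40000)
    return outbound(client_side_acl, request), outbound(server_side_acl, reply)

DENY_TELNET = rule("deny", "tcp", ANY, ANY, dport=TELNET)        # deny tcp any any eq telnet
DENY_TELNET_REPLY = rule("deny", "tcp", ANY, ANY, sport=TELNET)  # hypothetical: deny tcp any eq telnet any
TO_REMOTE = [DENY_TELNET, rule("permit", "ip", "10.0.1.0/24", "10.0.2.0/24")]
TO_HEADOFFICE = [DENY_TELNET, rule("permit", "ip", "10.0.2.0/24", "10.0.1.0/24")]
LIST_110 = [DENY_TELNET, rule("permit", "tcp", "10.0.0.0/8", "10.0.0.0/8")]  # Mark's revised list

if __name__ == "__main__":
    # Constructed addresses: LAN hosts 10.0.1.5 and 10.0.2.9, ISDN link 10.0.0.1 and 10.0.0.2.
    print("LAN to LAN      ", telnet_session("10.0.1.5", "10.0.2.9", TO_REMOTE, TO_HEADOFFICE))
    print("router to router", telnet_session("10.0.0.1", "10.0.0.2", TO_REMOTE, TO_HEADOFFICE))
    print("router, list 110", telnet_session("10.0.0.1", "10.0.0.2", LIST_110, LIST_110))
    both_a = [DENY_TELNET_REPLY] + TO_REMOTE
    both_b = [DENY_TELNET_REPLY] + TO_HEADOFFICE
    print("LAN, both denies", telnet_session("10.0.1.5", "10.0.2.9", both_a, both_b))
```

In the first case the server's replies (source port 23) are still selected for encryption, so a clear-text telnet path between LAN hosts needs the source-port entry as well. The third case shows the 10.0.0.0 0.255.255.255 list also catching router-to-router replies, which the subnet-specific lists leave in clear.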
