05-29-2003 05:16 AM - edited 02-21-2020 12:34 PM
I have a question to the forum,
Can you apply security to incoming IPsec traffic once it has been decrypted? I've done some research and can only come to this conclusion: with a LAN-to-LAN VPN using the sysopt permit ipsec command you bypass all ACL checking (the inbound access-list or conduits applied to the outside interface) and can therefore apply no security to traffic coming into your internal network over the VPN, no matter which interface the VPN terminates at. It is my understanding that instead of using the sysopt permit ipsec command you can allow protocol 50 (ESP) into your firewall, allowing the encrypted traffic to reach the firewall and be decrypted, BUT can you then apply any security to it? Will it re-evaluate itself against the inbound ACL applied to the outside interface?
-Jeremy
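The configuration pattern the question is asking about, as an added illustration rather than anything posted in the thread: a PIX 6.x LAN-to-LAN tunnel with the blanket `sysopt connection permit-ipsec` bypass disabled, so that both the encrypted packets arriving at the outside interface and the decrypted inner packets are matched against the same inbound access list. All addresses, names and the permitted service are constructed placeholders (peer 203.0.113.10, PIX outside 192.0.2.1, local LAN 10.1.1.0/24, remote LAN 10.2.2.0/24); the ISAKMP policy and crypto map are assumed to exist and are omitted.

```cisco
! Constructed example, not from the original post.
! Disable the implicit permit so decrypted tunnel traffic is ACL-checked.
no sysopt connection permit-ipsec

! Only the known peer may bring tunnel control (ISAKMP) and data (ESP,
! IP protocol 50) traffic to the outside interface.
access-list outside_in permit udp host 203.0.113.10 host 192.0.2.1 eq isakmp
access-list outside_in permit esp host 203.0.113.10 host 192.0.2.1

! Without the sysopt bypass the inner packets are re-evaluated against this
! same inbound list after decryption, so permit only what the remote site
! actually needs (here a single database host on TCP 1433, a placeholder)
! and log anything else that arrives through the tunnel.
access-list outside_in permit tcp 10.2.2.0 255.255.255.0 host 10.1.1.20 eq 1433
access-list outside_in deny ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0 log

access-group outside_in in interface outside

! NAT exemption so the crypto access list sees real internal addresses.
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list nonat

! Crypto (interesting-traffic) access list referenced by the crypto map.
access-list vpn_l2l permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
```

The two halves of `outside_in` do different jobs: the ISAKMP/ESP lines admit the outer encrypted packets to the firewall, and the `10.2.2.0` lines are what actually constrain the decrypted traffic. If `sysopt connection permit-ipsec` is left enabled, the second half is never consulted for tunnel traffic, which is the behaviour the question describes.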
05-29-2003 12:21 PM
(This applies to ontrack as well)
Hmm,
Are your crypto access-lists defined like this?
access-list 100 permit ip <
Or like this?
access-list 100 permit ip <
My pix is configured with the networks vs the global IPs. If yours are defined like the first list then you're suggesting that the sysopt conn permit-ipsec statement is only needed if you're going through the external interface with IPSEC? In other words, in your setup you don't need sysopt conn permit-ipsec because the traffic is destined for the external interface? (Similar to the way you can ping an external interface even if there are no default rulesets to allow you to)
If this is the case, then I would also have to nat the internal network and change the access-list statements to this added address?
-Jeremy
05-29-2003 12:29 PM
...
05-29-2003 12:26 PM
And what about inbound NAT? Can packets coming from an IPSec tunnel be NATed when they leave the pix/router on the LAN side?