Applying SECURITY to LAN to LAN VPN traffic!

jeremy.buck
Level 1

I have a question to the forum,

Can you apply security to incoming IPsec traffic once it has been decrypted? I've done some research and can only come to this conclusion: with a LAN to LAN VPN using the sysopt permit ipsec command you bypass all ACL checking (the inbound access-list or conduits applied to the outside interface) and can therefore apply no security to traffic coming into your internal network over the VPN, no matter which interface the VPN terminates at. It is my understanding that instead of using the sysopt permit ipsec command you can allow protocol 50 (ESP) into your firewall, allowing the encrypted traffic to reach the firewall and be decrypted, BUT can you then apply any security to it? Will it re-evaluate itself against the inbound ACL applied to the outside interface?

-Jeremy
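A configuration sketch of the two alternatives the question contrasts, added here as an illustration and not part of the thread. It uses PIX 6.x syntax with placeholder addresses (inside LAN 10.1.1.0/24, remote LAN 192.168.2.0/24, peer 203.0.113.2, outside interface 198.51.100.1), assumes the ISAKMP policy and crypto map are already configured, and the `!` lines are annotations rather than configuration.

```cisco
! Added illustration, not from the thread. Addresses are placeholders.
! The two approaches are mutually exclusive; pick one.

! ---- Approach A: bypass the interface ACL for decrypted tunnel traffic ----
! Every packet that arrives through an IPsec tunnel is implicitly permitted;
! the outside ACL is never consulted for it, so no per-service control exists.
sysopt connection permit-ipsec

! ---- Approach B: no bypass; tunnel traffic is checked by the outside ACL ----
no sysopt connection permit-ipsec
! IKE (UDP/500) and ESP (protocol 50) must be allowed to the outside interface
! so the tunnel can be negotiated and the encrypted packets reach the firewall.
access-list outside_in permit udp host 203.0.113.2 host 198.51.100.1 eq isakmp
access-list outside_in permit esp host 203.0.113.2 host 198.51.100.1
! After decryption the cleartext packet is matched against the same inbound
! ACL, so only the services listed here are reachable from the remote LAN.
access-list outside_in permit tcp 192.168.2.0 255.255.255.0 host 10.1.1.5 eq www
access-list outside_in permit tcp 192.168.2.0 255.255.255.0 host 10.1.1.6 eq 445
! The implicit deny at the end of the ACL drops everything else from the tunnel.
access-group outside_in in interface outside
```

With approach B the entries for the decrypted traffic must name the real (pre-NAT) remote addresses, since that is what the packet carries after decryption.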

17 Replies

(This applies to ontrack as well)

Hmm,

Are your crypto access-lists defined like this?

access-list 100 permit ip <> <>

Or like this?

access-list 100 permit ip <> <>

My PIX is configured with the networks vs. the global IPs. If yours are defined like the first list, then you're suggesting that the sysopt conn permit-ipsec statement is only needed if you're going through the external interface with IPsec? In other words, in your setup you don't need sysopt conn permit-ipsec because the traffic is destined for the external interface? (Similar to the way you can ping an external interface even if there are no default rulesets to allow you to.)

If this is the case, then would I also have to NAT the internal network and change the access-list statements to this added address?

-Jeremy

...

l.cabral
Level 1

And what about inbound NAT? Can packets coming from an IPsec tunnel be NATed when they leave the PIX/router on the LAN side?