how packet is forwarded in IPSec

The_guroo_2
Explorer

Guys, suppose we have a third party and we have IPSec between each other. One of my servers, say 10.1.1.1, has to connect to the 192.168.1.100 server at the third party on a particular port, say LDAP.

So I will create a crypto ACL (in other words, to match interesting traffic).

My question is how the firewall routes the traffic to 192 as it has no knowledge about the 192 address. Second question is how can we do port restriction?

Thanks

Sent from Cisco Technical Support iPad App


Karsten Iwen
VIP Mentor

"My question is how the firewall routes the traffic to 192 as it has no knowledge about the 192 address"

You need to have a static route for that remote network out of your outside interface. If you have a default route, that's also fine.

"Second question is how can we do port restriction"

Which device do you have? If it's an ASA then you can put an ACL into the tunnel, but that's not very comfortable for site-to-site VPNs. You can also decide to filter the traffic the legacy way, where you permit the traffic in the outside ACL.

You can also restrict the crypto ACL to your exact definition. But keep in mind that the ACL has to be mirrored on the other side, and dynamic protocols like FTP won't work with that.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
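As an added example (not from the original thread), here is an ASA 8.4+ configuration fragment implementing the reply's last option: a static route for the remote network plus a crypto ACL narrowed to LDAP only, together with the mirrored entry the partner must configure. 10.1.1.1 and 192.168.1.100 come from the question; PEER_IP, NEXT_HOP, the pre-shared key and the ACL/map/transform-set names are placeholders I chose.

```cisco
! Added example, not from the original thread. Assumes ASA 8.4 or later
! syntax; PEER_IP / NEXT_HOP / PLACEHOLDER_PSK must be replaced.

! 1. Route the remote network out of the outside interface so the ASA
!    can reach it at all (a default route via "outside" also suffices).
route outside 192.168.1.0 255.255.255.0 NEXT_HOP

! 2. Crypto ACL restricted to the exact flow: LDAP (tcp/389) from our
!    server to the partner server. Only this traffic is "interesting",
!    so this is also the port restriction. Caveat from the reply:
!    protocols with dynamic ports (e.g. FTP) will not work through
!    such a narrow proxy identity.
access-list VPN-PARTNER extended permit tcp host 10.1.1.1 host 192.168.1.100 eq 389

! 3. IKEv1 phase 1 and the tunnel-group for this peer.
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group PEER_IP type ipsec-l2l
tunnel-group PEER_IP ipsec-attributes
 ikev1 pre-shared-key PLACEHOLDER_PSK

! 4. Phase 2: bind the crypto ACL to the crypto map entry for the peer.
crypto ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-PARTNER
crypto map OUTSIDE-MAP 10 set peer PEER_IP
crypto map OUTSIDE-MAP 10 set ikev1 transform-set TS-AES256-SHA
crypto map OUTSIDE-MAP interface outside

! 5. The partner must mirror the ACL exactly (source/destination and the
!    port position swapped), otherwise phase 2 proxy identities will not
!    match and the SA will fail to negotiate. On their side:
!    access-list VPN-US extended permit tcp host 192.168.1.100 eq 389 host 10.1.1.1
```

NAT exemption for 10.1.1.1 to 192.168.1.100 is omitted here; add it if inside addresses are normally translated on the outside interface, or the packets will never match the crypto ACL.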
