IPSEC & CBAC

m.iancu · ‎10-04-2002

hello,

i have a plain and simple config - 1710 with VPN software client.

is there a place where i can find a config for ipsec tunnels going through a set of CBAC rules?

no matter what i do as soon as i put an access-list on the WAN public interface (inbound) no traffic at all is allowed to pass via the tunnel.

i do have my tunnel up and running but nothing is passing through it.

thank you,

mihai

Nairi Adamian · ‎10-04-2002

What are you allowing in the inboud access-list? CBAC does not inspect ipsec traffic therefore you need to allow the traffic in the inboud ACL.

Be sure to allow esp protocol and udp port 500.

The following URL includes more information:

http://www.cisco.com/warp/public/707/quicktip.html

You can also include a deny any any log statement at the end of your ACL to see what is getting denied.

Hope this helps,

-Nairi

m.iancu · ‎10-07-2002

hi,

thank you for the point - CBAC doesn't inspect ipsec traffic.

i fix it - now it's working - i had 0.0.0.25 instead 0.0.0.255 - my fault.

thx.

mchmelik · ‎10-30-2002

Hi Nairi,

You wrote very usefull information and I configured it easy using of it.

But I don't understand this :

Is it necessery to configure "route-map nonat" ? On Tunnel interface is NOT ip nat outside. It works fine also without route-map. Is it correct ?

Thank you, Martin.

j.beckner · ‎10-15-2002

The following has worked on my 1710 in the office. It works with site-to-site tunnels to other Cisco IOS VPN routers but I haven't tried it with VPN Client Software. It has also worked installed at some of my customer's sites:

access-list 123 permit icmp any host unreachable

access-list 123 permit icmp any host echo-reply

access-list 123 permit icmp any host packet-too-big

access-list 123 permit icmp any host time-exceeded

access-list 123 permit icmp any host traceroute

access-list 123 permit icmp any host administratively-prohibited

access-list 123 permit icmp any host echo

access-list 123 permit tcp any host eq telnet

access-list 123 permit udp any host eq isakmp

access-list 123 permit esp any host

access-list 123 permit ahp any host

access-list 123 permit icmp 192.168.0.0 0.0.255.255 192.168.1.0 0.0.0.255

access-list 123 permit icmp 192.168.0.0 0.0.255.255 192.168.7.0 0.0.0.255

access-list 123 permit udp any host eq ntp

!

ip inspect audit-trail

ip inspect name fw ftp timeout 3600

ip inspect name fw smtp timeout 3600

ip inspect name fw tcp timeout 3600

ip inspect name fw tftp timeout 30

ip inspect name fw udp timeout 15

!

interface Ethernet0

ip address 255.255.255.248

ip access-group 123 in

ip nat outside

half-duplex

crypto map

!

interface FastEthernet0

ip address 192.168.7.1 255.255.255.0

ip access-group 121 in

ip nat inside

ip inspect fw in

speed auto

Are you sure that your IPSEC tunnel access-lists are ok and that IPSEC tunnel traffic is excluded from NAT?

Good Luck,

Joe Beckner

te_bell · ‎10-16-2002

I'm not certified as yet, but I have a ? regarding CBAC & IpSec. In the Cisco Press book, "Cisco IOS 12.0 Network Security", the authors state that CBAC is compatible with IPSec provided the tunnel end-point is on the router, and not a "pass-through" config. Is this still true, or did I misinterpret. Please set me straight.

Thanks