PIX IPSec and ACL Questions

pdvcisco
Level 1

Hello,


On a PIX 515E v.6.3.5.

Are there three ACL lists that can come in to play when configuring an IPSec VPN on a PIX? (I hear a roar of "It depends")

1. Nat (0) ACL - to NOT NAT traffic that is part of the IPSec VPN

2. Crypto ACL - ACL that distinguishes if the traffic is destined for the IPSec tunnel.

3. ACL - ACL to permit | deny traffic after ACL #1 and #2.

Does #3 "enable IPSec packets to bypass access list blocking" if the "sysopt connection permit-ipsec" command is configured, and ONLY on ACL #3? In other words the sysopt doesn't participate on ACL #1 or 2 listed above?

The mirroring of ACLs, that is suggested (required) for both sides of the IPSec tunnel applies to which ACL?

Thanks,

Dan

Accepted Solution

Jon Marshall
Hall of Fame

pdvcisco wrote:

Hello,


On a PIX 515E v.6.3.5.

Are there three ACL lists that can come in to play when configuring an IPSec VPN on a PIX? (I hear a roar of "It depends")

1. Nat (0) ACL - to NOT NAT traffic that is part of the IPSec VPN

2. Crypto ACL - ACL that distinguishes if the traffic is destined for the IPSec tunnel.

3. ACL - ACL to permit | deny traffic after ACL #1 and #2.

Does #3 "enable IPSec packets to bypass access list blocking" if the "sysopt connection permit-ipsec" command is configured, and ONLY on ACL #3? In other words the sysopt doesn't participate on ACL #1 or 2 listed above?

The mirroring of ACLs, that is suggested (required) for both sides of the IPSec tunnel applies to which ACL?

Thanks,

Dan

Dan

It depends

1) Not always used because with a site-to-site VPN sometimes you have to NAT your internal addressing

2) always needed

3) if "sysopt connection permit-ipsec" is configured, any ACL on the interface where the VPN is terminated is bypassed. If it isn't enabled, then once packets are decrypted they are checked against the ACL.

Mirroring of ACLs is required.

Jon


4 Replies


Jon,

Thanks, that gets me mostly there. For the last question, which ACL "must" be mirrored: it is inferred from your answer that only the second ACL must be mirrored, and only that one matters to the actual IPSec VPN - the VPN doesn't even know of the other ACLs, correct?

Dan

Dan

Correct, only crypto ACLs need to mirror each other, because it is this ACL that is used to determine what the peers think are the remote and local subnets.

Jon
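As an added illustration (not code from the thread or from Cisco), the following Python script parses constructed PIX 6.3-style fragments for two hypothetical peers and checks the two points Jon makes above: that the crypto ACLs are exact mirrors of each other, and that the nat 0 ACL exempts the same traffic the crypto ACL selects. All addresses, ACL names and the crypto map name are invented.

```python
import re
from collections import Counter
# PIX 6.3 extended ACE: access-list NAME permit|deny ip SRC SRCMASK DST DSTMASK (netmasks, not wildcards)
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_acls(config):
    """Map ACL name -> list of (action, src, smask, dst, dmask) tuples found in a config fragment."""
    acls = {}
    for line in config.splitlines():
        if m := ACE_RE.match(line.strip()):
            name, *ace = m.groups()
            acls.setdefault(name, []).append(tuple(ace))
    return acls

def mirror_of(aces):
    """Swap source and destination of every ACE: what the peer's crypto ACL must contain."""
    return [(act, dst, dmask, src, smask) for act, src, smask, dst, dmask in aces]

def crypto_acls_mirror(local_aces, remote_aces):
    """True when the remote crypto ACL is exactly the mirror of the local one (entry order ignored)."""
    return Counter(mirror_of(local_aces)) == Counter(remote_aces)

def not_exempted_from_nat(nat0_aces, crypto_aces):
    """Crypto ACEs with no identical permit in the nat 0 ACL (exact match; a wider nat 0 entry is not modelled)."""
    exempt = {ace for ace in nat0_aces if ace[0] == "permit"}
    return [ace for ace in crypto_aces if ace not in exempt]

# Constructed fragments, hypothetical addressing. Site A later added 10.1.9.0/24 to its crypto ACL only.
SITE_A = """
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list cryptoacl permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list cryptoacl permit ip 10.1.9.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map outside_map 10 match address cryptoacl
sysopt connection permit-ipsec
"""
SITE_B = """
access-list nonat permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list cryptoacl permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map outside_map 10 match address cryptoacl
"""
def check_sites(site_a=SITE_A, site_b=SITE_B):
    """Mirror status, mirrored ACEs that site B lacks, and site A crypto ACEs its nat 0 ACL does not exempt."""
    a, b = parse_acls(site_a), parse_acls(site_b)
    return {
        "mirrored": crypto_acls_mirror(a["cryptoacl"], b["cryptoacl"]),
        "missing_on_b": [ace for ace in mirror_of(a["cryptoacl"]) if ace not in b["cryptoacl"]],
        "not_exempt_on_a": not_exempted_from_nat(a["nonat"], a["cryptoacl"]),
    }
```

With the sample fragments the report flags the 10.1.9.0/24 entry twice: site B has no mirrored crypto ACE for it, and site A's nat 0 ACL would still translate it before encryption.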

Thanks Jon! That was just what I needed, perfect.
