09-30-2019 07:38 AM - edited 02-21-2020 09:45 PM
Please refer to the topology:
R1(g1/0:12.0.0.1 / 8)<--->(G1/0:12.0.0.2 / 8)R2(g2/0:23.0.0.2 / 8)<--->(g2/0:23.0.0.3 / 8)R3
Please refer to the configuration:
![R1]v15.2
crypto isakmp policy 1
encr aes
authentication pre-share
group 14
crypto isakmp key cisco address 0.0.0.0
!
crypto ipsec transform-set AES esp-aes
mode transport
!
crypto ipsec profile VPN
set transform-set AES
!
crypto map R1R3 1 ipsec-isakmp
set peer 23.0.0.3
set transform-set AES
match address HTTP
!
interface GigabitEthernet1/0
ip address 12.0.0.1 255.0.0.0
crypto map R1R3
no shutdown
!
ip route 0.0.0.0 0.0.0.0 12.0.0.2
!
ip access-list extended HTTP
permit tcp host 12.0.0.1 host 23.0.0.3 eq 80
======================================
![R2-Internet]v15.2
interface GigabitEthernet1/0
ip address 12.0.0.2 255.0.0.0
no shutdown
!
interface GigabitEthernet2/0
ip address 23.0.0.2 255.0.0.0
no shutdown
======================================
![R3]v15.2
crypto isakmp policy 1
encr aes
authentication pre-share
group 14
crypto isakmp key cisco address 0.0.0.0
!
crypto ipsec transform-set AES esp-aes
mode transport
!
crypto ipsec profile VPN
set transform-set AES
!
crypto map R1R3 1 ipsec-isakmp
set peer 12.0.0.1
set transform-set AES
match address HTTP
!
interface GigabitEthernet2/0
ip address 23.0.0.3 255.0.0.0
crypto map R1R3
no shutdown
!
ip http server
!
ip route 0.0.0.0 0.0.0.0 23.0.0.2
!
ip access-list extended HTTP
permit tcp host 23.0.0.3 host 12.0.0.1 eq 80
=======================
I have a question. I want HTTP encrypted and ICMP not encrypted. R3 is the HTTP server.
With this configuration, the results of R1 pinging R3 and doing an HTTP GET to R3 are below:
=======================
R1#ping 23.0.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.0.0.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/32/44 ms
R1#
R1#telnet 23.0.0.3 80
Trying 23.0.0.3, 80 ...
% Connection timed out; remote host not responding
R1#
=======================
However, I modified the ACLs on R1 and R3.
[Modified ACL on R1]
ip access-list extended HTTP
permit tcp host 12.0.0.1 host 23.0.0.3 eq 80
permit ip any any
[Modified ACL on R3]
ip access-list extended HTTP
permit tcp host 23.0.0.3 host 12.0.0.1 eq 80
permit ip any any
=======================
Again, the results of R1 pinging R3 and doing an HTTP GET to R3 are below:
R1#ping 23.0.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.0.0.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 16/49/64 ms
R1#
R1#telnet 23.0.0.3 80
Trying 23.0.0.3, 80 ... Open
get
HTTP/1.1 400 Bad Request
Date: Mon, 30 Sep 2019 22:14:09 GMT
Server: cisco-IOS
Accept-Ranges: none
400 Bad Request
[Connection to 23.0.0.3 closed by foreign host]
R1#
=======================
Although 「permit ip any any」 resolves it, I don't want to encrypt ICMP, SSH, HTTPS and so on,
because ICMP does not need encryption, and SSH and HTTPS are already encrypted.
So I just want to encrypt the data that is not already encrypted. I don't know how I should modify my ACL.
Thanks!
09-30-2019 11:27 AM
Hi, to encrypt only tcp/80, modify your ACLs as below:
R1
ip access-list extended HTTP
permit tcp host 12.0.0.1 host 23.0.0.3 eq 80
permit tcp host 12.0.0.1 eq 80 host 23.0.0.3
R2
ip access-list extended HTTP
permit tcp host 23.0.0.3 host 12.0.0.1 eq 80
permit tcp host 23.0.0.3 eq 80 host 12.0.0.1
HTH
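The reason the first configuration passed ping but timed out on port 80, and why the "permit ip any any" workaround pulled ICMP into the tunnel, comes down to how a crypto-map ACL selects traffic and how the two peers' ACLs must mirror each other. The following script is an added example written for this thread, not code from the poster, the answer, or Cisco. It models a small subset of IOS ACE syntax (only the `permit tcp|ip host A [eq N] host B [eq N]` and `permit ip any any` forms seen above, with a simplified "mirror image" rule: every ACE on one side must be covered, reversed, by some ACE on the other). The ephemeral source port 40001 for the HTTP request is a constructed value.

```python
"""Model of crypto-map ACL traffic selection and mirror-image checking.

Added example for the thread above; it is not IOS code and implements only
the ACE forms used in the thread (assumption: 'permit <proto> host A [eq N]
host B [eq N]' and 'permit ip any any').
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Ace:
    """One access-control entry, or a concrete flow when every field is specific."""
    proto: str               # 'ip' (any protocol), 'tcp', 'icmp', ...
    src: str                 # host address, or 'any'
    sport: Optional[int]     # None means any port
    dst: str
    dport: Optional[int]


def parse_ace(line: str) -> Ace:
    """Parse 'permit <proto> <src> [eq N] <dst> [eq N]' (subset of IOS syntax)."""
    toks = line.split()
    assert toks[0] == "permit", "only 'permit' entries are modelled"
    proto = toks[1]
    i = 2

    def addr() -> str:
        nonlocal i
        if toks[i] == "any":
            i += 1
            return "any"
        assert toks[i] == "host"
        value = toks[i + 1]
        i += 2
        return value

    def port() -> Optional[int]:
        nonlocal i
        if i < len(toks) and toks[i] == "eq":
            value = int(toks[i + 1])
            i += 2
            return value
        return None

    src = addr()
    sport = port()
    dst = addr()
    dport = port()
    return Ace(proto, src, sport, dst, dport)


def covers(outer: Ace, inner: Ace) -> bool:
    """True if every packet described by `inner` is also matched by `outer`."""
    return (
        (outer.proto == "ip" or outer.proto == inner.proto)
        and (outer.src == "any" or outer.src == inner.src)
        and (outer.sport is None or outer.sport == inner.sport)
        and (outer.dst == "any" or outer.dst == inner.dst)
        and (outer.dport is None or outer.dport == inner.dport)
    )


def selects(acl: List[Ace], flow: Ace) -> bool:
    """Would this crypto ACL steer the outbound flow into IPsec? (implicit deny otherwise)"""
    return any(covers(ace, flow) for ace in acl)


def mirror(ace: Ace) -> Ace:
    """Swap source and destination, as the peer sees the same flow."""
    return Ace(ace.proto, ace.dst, ace.dport, ace.src, ace.sport)


def is_mirror_image(local: List[Ace], remote: List[Ace]) -> bool:
    """Simplified IOS rule: each side's selectors must appear reversed on the peer."""
    fwd = all(any(covers(r, mirror(l)) for r in remote) for l in local)
    rev = all(any(covers(l, mirror(r)) for l in local) for r in remote)
    return fwd and rev


# ACLs from the thread: the original pair, the 'permit ip any any' workaround, and the fix.
ORIGINAL_R1 = ["permit tcp host 12.0.0.1 host 23.0.0.3 eq 80"]
ORIGINAL_R3 = ["permit tcp host 23.0.0.3 host 12.0.0.1 eq 80"]
ANYANY_R1 = ORIGINAL_R1 + ["permit ip any any"]
ANYANY_R3 = ORIGINAL_R3 + ["permit ip any any"]
FIXED_R1 = ORIGINAL_R1 + ["permit tcp host 12.0.0.1 eq 80 host 23.0.0.3"]
FIXED_R3 = ORIGINAL_R3 + ["permit tcp host 23.0.0.3 eq 80 host 12.0.0.1"]

# Flows from the thread. The ephemeral client port 40001 is a constructed value.
HTTP_REQUEST = Ace("tcp", "12.0.0.1", 40001, "23.0.0.3", 80)
HTTP_REPLY = Ace("tcp", "23.0.0.3", 80, "12.0.0.1", 40001)
ICMP_ECHO = Ace("icmp", "12.0.0.1", None, "23.0.0.3", None)


def evaluate(r1_lines: List[str], r3_lines: List[str]) -> dict:
    """Answer the three questions the thread raises for one pair of crypto ACLs."""
    r1 = [parse_ace(line) for line in r1_lines]
    r3 = [parse_ace(line) for line in r3_lines]
    return {
        "r1_encrypts_http_request": selects(r1, HTTP_REQUEST),
        "r3_encrypts_http_reply": selects(r3, HTTP_REPLY),
        "r1_encrypts_icmp": selects(r1, ICMP_ECHO),
        "mirror_images": is_mirror_image(r1, r3),
    }


if __name__ == "__main__":
    for name, pair in [("original", (ORIGINAL_R1, ORIGINAL_R3)),
                       ("permit ip any any", (ANYANY_R1, ANYANY_R3)),
                       ("tcp/80 only", (FIXED_R1, FIXED_R3))]:
        print(name, evaluate(*pair))
```

Running it shows the three states of the thread: with the original ACLs R3 never selects its port-80 replies (destination port is the client's ephemeral port, not 80) and the two ACLs are not mirror images, so the HTTP connection stalls; with `permit ip any any` everything mirrors but ICMP is encrypted too; with the source-port-80 entries added, HTTP is selected in both directions, the ACLs mirror, and ICMP stays in the clear.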