Policy-based for crypto traffic

Chin Chang (Level 1)

Please refer to the topology:

R1 (g1/0: 12.0.0.1/8) <---> (g1/0: 12.0.0.2/8) R2 (g2/0: 23.0.0.2/8) <---> (g2/0: 23.0.0.3/8) R3

Please refer to the configuration:

![R1]v15.2
crypto isakmp policy 1
encr aes
authentication pre-share
group 14
crypto isakmp key cisco address 0.0.0.0
!
crypto ipsec transform-set AES esp-aes
mode transport
!
crypto ipsec profile VPN
set transform-set AES
!
crypto map R1R3 1 ipsec-isakmp
set peer 23.0.0.3
set transform-set AES
match address HTTP
!
interface GigabitEthernet1/0
ip address 12.0.0.1 255.0.0.0
crypto map R1R3
no shutdown
!
ip route 0.0.0.0 0.0.0.0 12.0.0.2
!
ip access-list extended HTTP
permit tcp host 12.0.0.1 host 23.0.0.3 eq 80

======================================

![R2-Internet]v15.2
interface GigabitEthernet1/0
ip address 12.0.0.2 255.0.0.0
no shutdown
!
interface GigabitEthernet2/0
ip address 23.0.0.2 255.0.0.0
no shutdown

======================================

![R3]v15.2
crypto isakmp policy 1
encr aes
authentication pre-share
group 14
crypto isakmp key cisco address 0.0.0.0
!
crypto ipsec transform-set AES esp-aes
mode transport
!
crypto ipsec profile VPN
set transform-set AES
!
crypto map R1R3 1 ipsec-isakmp
set peer 12.0.0.1
set transform-set AES
match address HTTP
!
interface GigabitEthernet2/0
ip address 23.0.0.3 255.0.0.0
crypto map R1R3
no shutdown
!
ip http server
!
ip route 0.0.0.0 0.0.0.0 23.0.0.2
!
ip access-list extended HTTP
permit tcp host 23.0.0.3 host 12.0.0.1 eq 80

=======================

I have a question. I want HTTP encrypted and ICMP not encrypted, and R3 is the HTTP server.
With this configuration, a ping from R1 to R3 and an HTTP GET from R1 to R3 give the following:
=======================
R1#ping 23.0.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.0.0.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/32/44 ms
R1#
R1#telnet 23.0.0.3 80
Trying 23.0.0.3, 80 ...
% Connection timed out; remote host not responding

R1#
=======================
Then I modified the ACLs on R1 and R3.
[Modified ACL on R1]
ip access-list extended HTTP
permit tcp host 12.0.0.1 host 23.0.0.3 eq 80
permit ip any any

[Modified ACL on R3]
ip access-list extended HTTP
permit tcp host 23.0.0.3 host 12.0.0.1 eq 80
permit ip any any
=======================
Again, the ping from R1 to R3 and the HTTP GET to R3 are below:
R1#ping 23.0.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.0.0.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 16/49/64 ms
R1#
R1#telnet 23.0.0.3 80
Trying 23.0.0.3, 80 ... Open
get
HTTP/1.1 400 Bad Request
Date: Mon, 30 Sep 2019 22:14:09 GMT
Server: cisco-IOS
Accept-Ranges: none

400 Bad Request
[Connection to 23.0.0.3 closed by foreign host]
R1#
=======================
Although 「permit ip any any」 resolves it, I don't want to encrypt ICMP, SSH, HTTPS and so on,
because ICMP does not need encryption, and SSH and HTTPS are already encrypted.
So I just want to encrypt the data that is not already encrypted. I don't know how I should modify my ACL.
Thanks!

Accepted Solution

Hi, to encrypt only tcp/80, modify your ACLs as below:

R1

ip access-list extended HTTP
 permit tcp host 12.0.0.1 host 23.0.0.3 eq 80
 permit tcp host 12.0.0.1 eq 80 host 23.0.0.3

R2

ip access-list extended HTTP
 permit tcp host 23.0.0.3 host 12.0.0.1 eq 80
 permit tcp host 23.0.0.3 eq 80 host 12.0.0.1

HTH
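The mirror-image rule behind this fix, as an added Python model (not IOS code and not from the thread): each peer encrypts a packet its crypto ACL matches, and expects IPsec on an inbound packet that its own ACL matches with source and destination swapped; the original ACLs disagree on the server's reply (source port 80 to an ephemeral port), while the fixed pair agrees and still leaves ICMP in the clear. The client port 40000 is an assumed value.

```python
import re
# Parses the "permit tcp host A [eq P] host B [eq P]" entries used in this thread;
# "permit ip any any" is handled separately. Constructed model, not IOS code.
ACE_RE = re.compile(r"permit (?P<proto>\w+) host (?P<src>\S+)(?: eq (?P<sport>\d+))?"
                    r" host (?P<dst>\S+)(?: eq (?P<dport>\d+))?$")

def parse_acl(text):
    """ACL lines -> (proto, src, sport, dst, dport) tuples; None means any."""
    entries = []
    for line in text.strip().splitlines():
        line = line.strip()
        if line == "permit ip any any":
            entries.append(("ip", None, None, None, None))
        elif line.startswith("permit"):
            m = ACE_RE.match(line)
            if not m:
                raise ValueError("unsupported entry: " + line)
            g = m.groupdict()
            entries.append((g["proto"], g["src"], g["sport"], g["dst"], g["dport"]))
    return entries

def matches(acl, proto, src, sport, dst, dport):
    """True if the crypto ACL selects this packet for IPsec (first match wins)."""
    for p, s, sp, d, dp in acl:
        if p == "ip" or (p == proto and s == src and d == dst
                         and (sp is None or sp == sport) and (dp is None or dp == dport)):
            return True
    return False

def classify(acl_sender, acl_receiver, proto, src, sport, dst, dport):
    """One packet direction: the sender encrypts if its ACL matches; the receiver
    expects IPsec if its ACL matches with src/dst swapped (mirror-image rule).
    Disagreement means the packet is dropped at the receiver."""
    sent = matches(acl_sender, proto, src, sport, dst, dport)
    expected = matches(acl_receiver, proto, dst, dport, src, sport)
    if sent != expected:
        return "mismatch"
    return "encrypted" if sent else "clear"

def check_session(acl_r1, acl_r3, proto, sport, dport):
    """Classify both halves of a session R1 (12.0.0.1) opens toward R3 (23.0.0.3)."""
    fwd = classify(acl_r1, acl_r3, proto, "12.0.0.1", sport, "23.0.0.3", dport)
    rev = classify(acl_r3, acl_r1, proto, "23.0.0.3", dport, "12.0.0.1", sport)
    return fwd, rev

# ACLs as posted: the original pair and the accepted fix (port 40000 is an assumed client port).
ORIG_R1 = parse_acl("permit tcp host 12.0.0.1 host 23.0.0.3 eq 80")
ORIG_R3 = parse_acl("permit tcp host 23.0.0.3 host 12.0.0.1 eq 80")
FIXED_R1 = ORIG_R1 + parse_acl("permit tcp host 12.0.0.1 eq 80 host 23.0.0.3")
FIXED_R3 = ORIG_R3 + parse_acl("permit tcp host 23.0.0.3 eq 80 host 12.0.0.1")
print(check_session(ORIG_R1, ORIG_R3, "tcp", "40000", "80"), check_session(FIXED_R1, FIXED_R3, "tcp", "40000", "80"))
```

The original pair reports a mismatch in both directions (the server's reply from port 80 matches neither ACL as written), the fixed pair encrypts both halves, and `check_session(FIXED_R1, FIXED_R3, "icmp", None, None)` stays in the clear.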


Very grateful! I resolved it!
Best regards!