Poll: Internet facing access-list and IPSec...what is needed???

jasonhumes
Level 1

Hi

I just resolved an issue with a router and IPSec where I could not communicate via the IPSec tunnel unless I allowed the private addresses at either end of the tunnel through the internet-facing access-list, as well as the usual UDP 500 (isakmp) and IP protocol 51 (ESP). Has anyone else ever had to do this? I've taken the MCNS and I'm a CCSP and have never seen anything like that, and I know it's not a good security practice to allow private address spaces through the outside access-list. Shouldn't the private addresses be hidden, since the packet is encapsulated by IPSec? I just want to determine what the proper way of configuring this is... my manual says to just allow UDP 500 and IP 50 or 51. Please, opinions and experience please. Thanks.

1 Reply

ehirsel
Level 6

Does all traffic flowing through that router go through the IPsec tunnel? If so, then check the config to ensure that the ACL applied to your provider/internet interface is not the same one that the IPsec config uses to determine whether or not to apply IPsec processing.

Please post the router config here, and I or someone else will examine it. Also specify the code level and, if it is a non-IOS device, the make and model too.
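As an added illustration of the separation the reply above is asking about (this is a constructed IOS-style fragment, not configuration from either poster), the outside-interface ACL and the crypto ACL are kept as two distinct lists: only ISAKMP and the IPsec protocols are permitted on the internet-facing interface, while the private subnets appear solely in the crypto ACL that selects traffic for encryption. All names, addresses and the peer are placeholders; the cleartext-tunnel ranges are RFC 1918 space and the public addresses come from the documentation range.

```text
! Constructed example: keep the interface ACL and the crypto ACL separate.
! Placeholder names/addresses; adjust to the real topology.

! --- Phase 1 / Phase 2 parameters (placeholders) ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-PSK address 203.0.113.2

crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha256-hmac
 mode tunnel

! --- 1. Interface ACL: applied INBOUND on the internet-facing interface ---
! Only the tunnel control/data protocols from the known peer are allowed.
! No private (RFC 1918) addresses belong here: the inner packet is not
! visible until after decryption.
ip access-list extended OUTSIDE-IN
 permit udp host 203.0.113.2 host 203.0.113.1 eq isakmp
 permit udp host 203.0.113.2 host 203.0.113.1 eq 4500   ! NAT-T, only if a NAT sits between peers
 permit esp host 203.0.113.2 host 203.0.113.1            ! IP protocol 50
 permit ahp host 203.0.113.2 host 203.0.113.1            ! IP protocol 51, only if AH is used
 deny   ip any any log

! --- 2. Crypto ACL: NEVER applied to an interface ---
! This is the only list that names the private subnets; it is referenced
! from the crypto map via "match address" and decides what gets encrypted.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set ESP-AES-SHA
 match address VPN-TRAFFIC

interface GigabitEthernet0/0
 description Internet-facing
 ip address 203.0.113.1 255.255.255.252
 ip access-group OUTSIDE-IN in
 crypto map VPN-MAP
```

To confirm the two lists are doing different jobs, compare the hit counters of `show ip access-lists OUTSIDE-IN` with the encaps/decaps counters in `show crypto ipsec sa`: tunnel traffic should increment the ESP (or AH) and ISAKMP entries on the interface ACL and the packet counters on the SA, with no private-address entries on the interface ACL needed. If the same list name appears both under `ip access-group` and under `match address`, that is exactly the misconfiguration the reply describes, and the symptom from the original post is the expected result.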