Every Router connected to the Internet should be protected with an Access-Control-List (ACL) that filters the traffic that is sent to the router. This document shows which Access-List-Entries (ACEs) are needed to allow IPSec-Traffic into the router.

Note1: This applies to IOS-Routers with IOS 12.4+. With older IOS-releases there is more configuration needed. Leave a comment if you are interested in that.

Note2: This does not apply to the ASA where these ACEs are not needed. On the ASA, the interface-ACL by default only filters traffic that is sent through the ASA, but not traffic that is sent to the ASA.

The shown configuration is based on the following topology:

The Router should run a basic stateful firewall that allows return-traffic to enter the router-interface without the need for ACEs. That is part of the baseline-security and simplifies the config. Here we use the legacy CBAC because it's much easier to understand and to implement than the more powerful Zone-Based-Firewall:

Based on that config we extend the ACL with the needed ACEs.

Scenario 1: Only Site-to-Site VPNs with static Peers

Here we assume that all IPSec-Peers have static IPs that are not NATted anywhere. We need to allow the IPSec Data-traffic, which is IP-Protocol 50 (ESP), and UDP/500, which is used for ISAKMP.

ip access-list extended SITE-A-INTERNET-IN
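The following IOS configuration is an added example, not the post's own config: it shows the CBAC baseline together with the two ACEs the scenario calls for (ESP and UDP/500 from a static, non-NATted peer) on the inbound interface ACL. The interface name, the ACL name SITE-A-INTERNET-IN from the text, the inspect rule name BASELINE and the addresses (203.0.113.10 for this router's Internet interface, 198.51.100.20 for the remote peer) are placeholders chosen for the example.

```cisco
! Added example (not from the original post). Placeholder addresses:
!   203.0.113.10  = this router's Internet interface (Site A)
!   198.51.100.20 = the remote IPsec peer with a static, non-NATted IP
!
! Baseline stateful firewall: CBAC inspects sessions leaving towards the
! Internet and opens temporary holes in the inbound ACL for their return
! traffic, so no ACEs are needed for ordinary outbound-initiated flows.
ip inspect name BASELINE tcp
ip inspect name BASELINE udp
ip inspect name BASELINE icmp
!
! The inbound ACL on an IOS router also filters traffic addressed to the
! router itself, which is why the IPsec peer traffic must be permitted
! explicitly. ESP carries no port state, so CBAC cannot track it either.
ip access-list extended SITE-A-INTERNET-IN
 remark --- Scenario 1: site-to-site IPsec, static peer, no NAT in the path ---
 remark ISAKMP/IKE control channel: UDP/500 ("isakmp" is the IOS port name)
 permit udp host 198.51.100.20 host 203.0.113.10 eq isakmp
 remark IPsec data traffic: ESP is IP protocol 50, not a TCP/UDP port
 permit esp host 198.51.100.20 host 203.0.113.10
 remark UDP/4500 (NAT-T) is deliberately absent: the peers are not NATted
 remark everything else that is not an inspected return flow is dropped
 deny ip any any log
!
interface GigabitEthernet0/0
 description Internet (Site A)
 ip address 203.0.113.10 255.255.255.248
 ip access-group SITE-A-INTERNET-IN in
 ip inspect BASELINE out
```

To verify the result, `show access-lists SITE-A-INTERNET-IN` should show hit counts climbing on the ESP and ISAKMP entries while the tunnel is up, `show crypto isakmp sa` should list the peer, and any unexpected drops will appear in the log from the final deny entry. If a peer is ever placed behind NAT, this scenario no longer applies: IKE negotiates NAT-T and the data traffic moves to UDP/4500, which this ACL does not permit.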