Here's what I've got for my IPSEC + NAT-incoming to server + NAT-outgoing
for shared access:

ACL protecting incoming on outside interface
Route-map/ACL on all non-outside interfaces that jump IPSEC traffic around
the NAT (via a loopback)
Route-map/ACL defining what to NAT (called NoNAT, hehee!)
ACL that defines what traffic to tunnel via IPSEC

I posted the config a while back:
http://www.groupstudy.com/archives/cisco/200104/msg01634.html

Hmm, except this config was missing 'ip access-group 101 in' on the BVI1
outside interface.  I must have had it disabled for a bit when
troubleshooting.  It's on there now ;-p

Why do I have to define all this junk?  Well, when a packet is on its way
out from one of your "public" internal servers to a remote IPSEC host, it
would first be picked up by the NAT engine.  To make it not get NAT'd so
that IPSEC can handle it, you've got to get it around that process, so a
Route-map to a loopback works.  From the loopback to the outside interface
and beyond it'll match the ACL for the IPSEC.

The NoNAT ACL is basically the reverse of all combined IPSEC ACLs.  HTH.

--
Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+
List email: [EMAIL PROTECTED]
Homepage: http://jason.artoo.net/
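As an added example that is not from the post or the list (the ACL numbers and RFC 1918 addresses are constructed placeholders), here is a small Python check for the relationship Jason states, that the NoNAT ACL is the inverse of the combined crypto ACLs: it parses `permit|deny ip <src> <dst>` ACEs and flags a crypto permit with no NoNAT deny, a NoNAT deny shadowed by an earlier permit, and a NoNAT ACL with no permit at all.

```python
import ipaddress
# Constructed sample (placeholder RFC 1918 addresses, not from the post): two
# crypto ACLs selecting IPsec traffic and the NoNAT ACL fed to the NAT route-map.
CRYPTO_ACLS = {
    "110": ["permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255"],
    "111": ["permit ip 10.1.0.0 0.0.255.255 host 192.168.50.10"],
}
NONAT_ACL = [
    "deny ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255",
    "deny ip 10.1.0.0 0.0.255.255 host 192.168.50.10",
    "permit ip 10.1.0.0 0.0.255.255 any",
]

def _addr(tokens, i):
    """Parse one IOS address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "A.B.C.D W.X.Y.Z": the IOS wildcard mask is the bitwise inverse of a netmask
    netmask = ~int(ipaddress.ip_address(tokens[i + 1])) & 0xFFFFFFFF
    return ipaddress.ip_network(f"{tokens[i]}/{ipaddress.ip_address(netmask)}", strict=False), i + 2

def parse_ace(line):
    """Parse 'permit|deny ip <src> <dst>' into (action, src_net, dst_net)."""
    t = line.split()
    if len(t) < 4 or t[0] not in ("permit", "deny") or t[1] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    src, i = _addr(t, 2)
    return t[0], src, _addr(t, i)[0]

def check_nonat(crypto_acls, nonat_acl):
    """Return problems found; an empty list means NoNAT is the inverse of the crypto ACLs."""
    nonat = [parse_ace(line) for line in nonat_acl]
    denies = {(s, d) for a, s, d in nonat if a == "deny"}
    problems = []
    # Every flow the crypto ACLs would encrypt needs a NoNAT deny, or NAT rewrites it first.
    for name, lines in crypto_acls.items():
        for line in lines:
            action, src, dst = parse_ace(line)
            if action == "permit" and (src, dst) not in denies:
                problems.append(f"crypto ACL {name}: NoNAT has no deny for '{line}'")
    # First match wins: a deny placed below a permit that already covers it never fires.
    for j, (act, s, d) in enumerate(nonat):
        if act == "deny" and any(a == "permit" and s.subnet_of(s2) and d.subnet_of(d2)
                                 for a, s2, d2 in nonat[:j]):
            problems.append(f"NoNAT: '{nonat_acl[j]}' is shadowed by an earlier permit")
    if not any(a == "permit" for a, _, _ in nonat):
        problems.append("NoNAT: no permit ACE, so nothing will ever be translated")
    return problems
```

Running `check_nonat(CRYPTO_ACLS, NONAT_ACL)` on the sample returns an empty list; reorder the permit above the denies and the shadowed deny is reported.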



"Chuck Larrieu" wrote in message
news:[EMAIL PROTECTED]...
> Am I correctly reading that you are terminating your IPSec tunnels on the
> same interface where the access-list in question will be applied? Are you
> running a router with the IOS firewall / IPSec feature set?
>
> Look, the rule is one access-list per direction per protocol per interface.
> Period.  So no, you cannot have several IP access-lists applied in the same
> direction on a single interface. Them's the rules.
>
> That said, there is a separate access-list that defines traffic to be
> encrypted and sent through the VPN tunnel. This may be what you have in mind
> when you talk about several access-lists, each with a different function.
>
> Chuck
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> Allen May
> Sent: Thursday, May 03, 2001 8:52 AM
> To: [EMAIL PROTECTED]
> Subject: Re: ACL [7:2882]
>
> I'm sure there are plenty of people who know more about ACLs than I do...I
> just use 'em ;)  But, correct me if I'm wrong, but doesn't it process every
> line in ACLs for the interface it's passing through until it finds a match
> for permit/deny?  If you separate by ACL numbers you would have a few more
> lines...depending on the configuration maybe A LOT more lines...but it would
> be easier to manage and maintain in my opinion.
>
> The thing I'll have to play with this weekend is trying to combine an ACL
> for an outside interface that includes IPSec with TACACS+ authentication AND
> have regular access to the web servers on port 80 without authentication.
> If authenticated on IPSec you would have ports open for ftp.  Now before we
> get into the fact that when you're authenticated you are on an inside
> interface & no longer bound by external interface, consider also having
> IPSec router to router or PIX to PIX dedicated tunnels.
>
> Seems sadistic that I thought this up but it's actually a project I'm
> putting myself through...rofl.
>
> Later
>
> Allen
> ----- Original Message -----
> From: "Donald B Johnson jr"
> To: "Allen May" ;
> Sent: Thursday, May 03, 2001 11:45 AM
> Subject: Re: ACL [7:2882]
>
>
> > wouldn't that be a resource hog
> >
> > ----- Original Message -----
> > From: "Allen May"
> > To:
> > Sent: Wednesday, May 02, 2001 1:55 PM
> > Subject: Re: ACL [7:2882]
> >
> >
> > > 1 reason would be to separate acl's per internal IP address you're
> > > permitting/denying access to.  101=specific IP allowing ftp and http,
> > > 102=different IP allowing http only, etc.  It would look cleaner
> > > anyway....
> > >
> > > ----- Original Message -----
> > > From: "Donald B Johnson jr"
> > > To:
> > > Sent: Wednesday, May 02, 2001 3:19 PM
> > > Subject: Re: ACL [7:2882]
> > >
> > >
> > > > Why
> > > > ----- Original Message -----
> > > > From: "BASSOLE Rock"
> > > > To:
> > > > Sent: Wednesday, May 02, 2001 7:24 AM
> > > > Subject: ACL [7:2882]
> > > >
> > > >
> > > > > Hi,
> > > > >
> > > > > Can we apply more then one ACL per interface?..
> > > > >
> > > > >
> > > > > Example:
> > > > >
> > > > > Interface Serial1
> > > > > ip access-group 102 in
> > > > > ip access-group 103 out
> > > > > ip access-group 104 in
> > > > > ip access-group 105 out
> > > > >
> > > > > Thank you.
> > > > >
> > > > > Rock BASSOLE
> > > > > Til: +33 (0) 1 45 96 22 03
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3132&t=2882
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]