Tom@I-McNamara wrote:
> Thanks for that. I had read that previously and it helped somewhat.
> However, my problem comes from interaction of the various technologies.

That article helped me a lot to understand interactions of various technologies and transformations of packets. I've used the table from that article to play some "what if" scenarios with a pencil and a piece of paper ;-)

> For instance, I want to use some static packet filtering to keep IP spoofing
> out, denying private IPs from coming in from the outside interface, but when
> I do it breaks my IPSec tunnel as it has 10 network inside and triggers the
> deny 10.0.0.0 rule I have. Now I opened the specific 10 network that I am
> using inside to solve that problem, but that opens up a hole.

No, this doesn't open up a hole. IOS checks all incoming packets against the crypto map. If IOS receives an unencrypted packet that should be encrypted (according to the access-list associated with the crypto map), IOS will definitely drop it.

> If I have a NAT'ed network, does the ACL get applied to the inside address or
> the outside address?

Which ACL are you talking about? Let's see what happens with a packet from your network destined to the Internet. According to the article, the input access list on an input interface is applied to the packet before NAT, so at this point the packet has the inside local address. The output access list on an output interface is applied to the packet after NAT, consequently at this point the packet has the inside global address. Therefore you should use inside global addresses in your output access list on an external interface. Packets destined to the IPSec peer shouldn't be NAT'ed.

> I guess there are a few other things, obviously I am going to play with it
> some more and learn, I am just in search of some good information about the
> subject so that I can get a good basis of knowledge.

I advise you to check some example configurations on Cisco's site. There are tons of useful examples with explanations, configs, debug outputs etc...

http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Internetworking:IPSec&s=Implementation_and_Configuration#Samples_and_Tips

Best regards,
Victor

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=62801&t=62727
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
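A worked IOS configuration that puts the points above together (the crypto map dropping cleartext packets that match the crypto ACL, NAT exemption for the tunnel, the inbound anti-spoofing ACL being evaluated on both the ESP packet and the decrypted inner packet, and the outbound ACL seeing post-NAT inside global addresses). This is an added example, not a config from the original thread or from Cisco's site. Interface names, the addresses (10.1.0.0/16 local, 10.2.0.0/16 behind the peer, 198.51.100.2 outside, 203.0.113.2 peer), ACL numbers, the crypto map name and the IKE/IPsec parameters are all assumptions.

```cisco
! Added example (not from the original post). Interface names, addresses,
! ACL numbers, crypto map name and IKE/IPsec parameters are assumptions.
! Inside LAN 10.1.0.0/16, remote LAN behind the IPsec peer 10.2.0.0/16,
! outside interface 198.51.100.2, IPsec peer 203.0.113.2.

! Crypto ACL: traffic that must be encrypted on the way out and, by the same
! rule, must arrive encrypted. A cleartext packet matching this ACL from the
! outside is dropped by the crypto map even if the inbound ACL permits it.
access-list 110 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255

! NAT exemption: deny the tunnel traffic before the permit that feeds PAT, so
! packets to the peer's network keep their inside local address.
access-list 120 remark NAT: do not translate VPN traffic, translate the rest
access-list 120 deny   ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 120 permit ip 10.1.0.0 0.0.255.255 any
ip nat inside source list 120 interface Serial0/0 overload

! Inbound anti-spoofing ACL on the outside interface. It is evaluated on the
! IKE/ESP packet as it arrives and again on the decrypted inner packet, so the
! remote 10.2.0.0/16 must be permitted here. It is safe to do so: a cleartext
! 10.2.x.x packet is still dropped by the crypto map (ACL 110). The rest of
! RFC 1918, loopback and our own outside address are denied.
access-list 130 remark IKE and ESP from the peer
access-list 130 permit udp host 203.0.113.2 host 198.51.100.2 eq isakmp
access-list 130 permit esp host 203.0.113.2 host 198.51.100.2
access-list 130 remark decrypted tunnel traffic (re-checked after decryption)
access-list 130 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
access-list 130 remark anti-spoofing: private, loopback and own address space
access-list 130 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 130 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 130 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 130 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 130 deny   ip host 198.51.100.2 any log
access-list 130 remark placeholder: the site's real inbound policy goes here
access-list 130 permit ip any host 198.51.100.2

! Outbound ACL on the outside interface. Internet-bound packets have already
! been translated, so they carry the inside global address 198.51.100.2.
! Tunnel packets are checked here before encryption and still carry
! 10.1.x.x -> 10.2.x.x, so they need their own permit line.
access-list 140 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 140 permit ip host 198.51.100.2 any
access-list 140 deny   ip any any log

crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.2
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address 110

interface FastEthernet0/0
 ip address 10.1.0.1 255.255.0.0
 ip nat inside

interface Serial0/0
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
 ip access-group 130 in
 ip access-group 140 out
 crypto map VPN
```

To check that the pieces interact as intended: `show ip nat translations` should show no entries for destinations in 10.2.0.0/16 (ACL 120 exempted them), `show crypto ipsec sa` should show the encaps/decaps counters rising for the 10.1.0.0/16 <-> 10.2.0.0/16 SA, and `show access-lists 130` should show hits on the decrypted-traffic permit line and on the `deny ip 10.0.0.0 0.255.255.255 any log` line only for packets that really did arrive in the clear from the outside.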

