In Section 7, tasks 1-6, we were asked to configure IPsec between R2 and R5. There is a PIX in the middle that is doing NAT.

The request in the task is to use ESP for encryption. In the final configuration of the PIX there is no rule in the access-list for IP protocol 50 (ESP). When I try to run the final configuration I see that phase 1 completes, but there is no encryption or decryption in phase 2. In the PIX log I can see that it is blocking IP protocol 50:

PIX-6-106100: access-list infilter denied 50 outside/192.1.24.2(0) -> DMZ5/192.1.24.5(0) hit-cnt 33 300-second interval [0x989bd489, 0x0]

I know that UDP 4500 is NAT-T, not for the encryption of phase 2. So I think there must be a rule for ESP, because when I allow this in the access-list on the PIX it works. What do I not understand here?

ROIE BEN HAIM | Networking & Security Engineer, Professional Services | Bezeq International.
Tel: +972 3 9257 7331 | Mob: +972 50 6014 017 | E-Mail: [EMAIL PROTECTED]

________________________________
From: Mark Snow [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 15, 2008 5:17 PM
To: Roie Ben Haim
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] Section 07 - IPSec and DMVPN Scenario A

It is encap'd in UDP.

access-list infilter extended permit udp host 192.1.24.2 host 192.1.24.5 eq 4500

HTH,

Mark Snow
CCIE #14073 (Voice, Security)
CCSI #31583
Senior Technical Instructor - IPexpert, Inc.
A Cisco Learning Partner - We Accept Learning Credits!
Telephone: +1.810.326.1444
Fax: +1.309.413.4097
Mailto: [EMAIL PROTECTED]

On Jan 10, 2008, at 12:23 AM, Roie Ben Haim wrote:

Where is the ESP access-list in the PIX for the R2 to R5 IPsec tunnel in the final configurations of the PIX?

<PIX.txt>
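An added example, not part of the thread or the lab material: a small Python check that parses PIX 106100 access-list log lines like the one quoted above and reports, per peer pair, whether the firewall is dropping the tunnel as raw ESP (IP protocol 50) or as NAT-T (UDP/4500), so the ACL can be compared with what the peers actually send. The sample log lines other than the one quoted in the thread are constructed, and the 192.1.24.3 peer is assumed for illustration.

```python
import re
from collections import defaultdict

# PIX/ASA syslog 106100: access-list <acl> {permitted|denied} <proto>
#   <in_if>/<src>(<sport>) -> <out_if>/<dst>(<dport>) hit-cnt <n> ...
LOG_RE = re.compile(
    r"access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"\S+/(?P<src>[\d.]+)\(\d+\) -> \S+/(?P<dst>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)

# Constructed sample input. The first line is the one quoted in the thread; the
# other two are made up to show an IKE (udp/500) and a NAT-T (udp/4500) flow.
SAMPLE_LOGS = [
    "PIX-6-106100: access-list infilter denied 50 outside/192.1.24.2(0) -> "
    "DMZ5/192.1.24.5(0) hit-cnt 33 300-second interval [0x989bd489, 0x0]",
    "%PIX-6-106100: access-list infilter permitted udp outside/192.1.24.2(500) -> "
    "DMZ5/192.1.24.5(500) hit-cnt 4 300-second interval [0x0, 0x0]",
    "%PIX-6-106100: access-list infilter denied udp outside/192.1.24.3(4500) -> "
    "DMZ5/192.1.24.5(4500) hit-cnt 7 300-second interval [0x0, 0x0]",
]

def parse_106100(line):
    # Return the fields of a 106100 line as a dict, or None for other syslog lines
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def ipsec_kind(rec):
    """Classify a parsed line as raw ESP, NAT-T, or None if it is neither."""
    if rec["proto"] == "50":                        # ESP is IP protocol 50
        return "esp"
    if rec["proto"] == "udp" and rec["dport"] == "4500":
        return "nat-t"                              # ESP encapsulated in UDP
    return None

def ipsec_findings(lines):
    """Per (src, dst) pair, report which IPsec flow the ACL is denying, if any."""
    seen = defaultdict(dict)
    for line in lines:
        rec = parse_106100(line)
        kind = ipsec_kind(rec) if rec else None
        if kind:
            seen[(rec["src"], rec["dst"])][kind] = rec["action"]
    findings = {}
    for pair, actions in seen.items():
        if actions.get("esp") == "denied":
            # Peers send raw ESP here, so a udp/4500 permit alone does not cover them
            findings[pair] = "esp-denied"
        elif actions.get("nat-t") == "denied":
            findings[pair] = "nat-t-denied"
        else:
            findings[pair] = "ok"
    return findings
```

Run `ipsec_findings(SAMPLE_LOGS)` to get the verdict per peer pair; for the R2 to R5 pair in the thread it reports `esp-denied`, which is why the udp/4500 rule alone did not make phase 2 traffic pass.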
