In Section 7, tasks 1-6, we were asked to configure IPsec between R2 and R5.

There is a PIX in the middle that is doing NAT.

The task requires using ESP for encryption.

In the final configuration of the PIX there is no rule in the access-list
for IP protocol 50 (ESP).

When I try to run the final configuration I see that phase 1
completes, but there is no encryption or decryption in phase 2.

In the PIX log I can see that it is blocking IP protocol 50:

PIX-6-106100: access-list infilter denied 50 outside/192.1.24.2(0) -> DMZ5/192.1.24.5(0) hit-cnt 33 300-second interval [0x989bd489, 0x0]

I know that UDP 4500 is NAT-T, not for encryption in phase 2.

So I think there must be a rule for ESP, because when I allow it in the
access-list on the PIX it works.

What am I not understanding here?

------------------------------------------------------------------------
-----------------------------------------------------------------------

ROIE BEN HAIM | Networking & Security Engineer, Professional Services |
Bezeq International. 

Tel: +972 3 9257 7331 | Mob: +972 50 6014 017 | E-Mail:
[EMAIL PROTECTED] 

------------------------------------------------------------------------
-----------------------------------------------------------------------
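As an added example (not part of the original thread or the lab's final configuration), here is a small triage script for the %PIX-6-106100 access-list message quoted above. It parses the message, classifies a denied flow as one of the pieces of an IPsec tunnel (IKE on udp/500, NAT-T on udp/4500, raw ESP as IP protocol 50, AH as 51) and prints the PIX 7.x ACE that would admit it. The second and third sample lines are constructed for the example; the ACL name `infilter`, the interfaces and the addresses are taken from the post.

```python
import re

# %PIX-6-106100 format: access-list <acl> permitted|denied <proto>
#   <in_if>/<src>(<sport>) -> <out_if>/<dst>(<dport>) hit-cnt ...
# <proto> is a name (tcp/udp/icmp) or an IP protocol number (50 for ESP).
LOG_106100 = re.compile(
    r"106100:\s+access-list\s+(?P<acl>\S+)\s+(?P<action>permitted|denied)\s+"
    r"(?P<proto>\S+)\s+"
    r"(?P<in_if>[^/\s]+)/(?P<src>[0-9.]+)\((?P<sport>\d+)\)\s+->\s+"
    r"(?P<out_if>[^/\s]+)/(?P<dst>[0-9.]+)\((?P<dport>\d+)\)"
)


def parse_106100(line):
    """Return the fields of a 106100 message as a dict, or None for other messages."""
    m = LOG_106100.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["proto"] = ev["proto"].lower()
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    return ev


def classify_ipsec(event):
    """Which part of an IPsec tunnel the flow is, or None if it is unrelated."""
    proto, dport = event["proto"], event["dport"]
    if proto in ("50", "esp"):
        return "esp"
    if proto in ("51", "ah"):
        return "ah"
    if proto == "udp" and dport == 500:
        return "ike"
    if proto == "udp" and dport == 4500:
        return "nat-t"  # IKE and UDP-encapsulated ESP both ride on 4500
    return None


def suggested_ace(event):
    """PIX 7.x extended ACE that would permit the denied IPsec flow."""
    kind = classify_ipsec(event)
    if kind is None:
        return None
    acl, src, dst = event["acl"], event["src"], event["dst"]
    if kind in ("esp", "ah"):
        return f"access-list {acl} extended permit {kind} host {src} host {dst}"
    port = 500 if kind == "ike" else 4500
    return f"access-list {acl} extended permit udp host {src} host {dst} eq {port}"


def missing_ipsec_aces(lines):
    """Scan a syslog excerpt and return the distinct ACEs that would unblock
    every denied IPsec-related flow, in first-seen order."""
    aces = []
    for line in lines:
        ev = parse_106100(line)
        if ev and ev["action"] == "denied":
            ace = suggested_ace(ev)
            if ace and ace not in aces:
                aces.append(ace)
    return aces


SAMPLE_LOG = [
    # The ESP denial quoted in the post
    "%PIX-6-106100: access-list infilter denied 50 outside/192.1.24.2(0) -> "
    "DMZ5/192.1.24.5(0) hit-cnt 33 300-second interval [0x989bd489, 0x0]",
    # Constructed: a NAT-T denial and an unrelated permitted telnet flow
    "%PIX-6-106100: access-list infilter denied udp outside/192.1.24.2(4500) -> "
    "DMZ5/192.1.24.5(4500) hit-cnt 1 first hit [0x1, 0x0]",
    "%PIX-6-106100: access-list infilter permitted tcp outside/192.1.24.2(34567) -> "
    "DMZ5/192.1.24.5(23) hit-cnt 1 first hit [0x2, 0x0]",
]

if __name__ == "__main__":
    for ace in missing_ipsec_aces(SAMPLE_LOG):
        print(ace)
```

Run it against `show logging` output; a denied flow with protocol 50 means the peers sent raw ESP (no NAT-T in use), while a denied udp/4500 flow means NAT-T was negotiated and the ESP is inside UDP.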

________________________________

From: Mark Snow [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, January 15, 2008 5:17 PM
To: Roie Ben Haim
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] Section 07 - IPSec and DMVPN Scenario A


It is encap'd in UDP.

access-list infilter extended permit udp host 192.1.24.2 host 192.1.24.5
eq 4500 


HTH,


Mark Snow

CCIE #14073 (Voice, Security)

CCSI #31583

Senior Technical Instructor - IPexpert, Inc.

A Cisco Learning Partner - We Accept Learning Credits!

Telephone: +1.810.326.1444

Fax: +1.309.413.4097

Mailto: [EMAIL PROTECTED]


IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On
Demand and Audio Certification Training Tools for the Cisco CCIE R&S
Lab, CCIE Security Lab, CCIE Service Provider Lab , CCIE Voice Lab and
CCIE Storage Lab Certifications.
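To show concretely what "encapsulated in UDP" means for a packet filter, here is an added example (my own illustration, not code from the thread or from IPexpert) of the RFC 3948 encapsulation. It builds the two kinds of payload that share UDP port 4500 once NAT-T is negotiated, UDP-encapsulated ESP and IKE behind the four-zero-byte Non-ESP Marker, plus the one-byte NAT keepalive, and demultiplexes them the way an IPsec stack does. The sample SPI, sequence number and ISAKMP header are constructed values.

```python
import struct

# RFC 3948: once NAT-T is negotiated, everything for the tunnel rides on UDP/4500.
#   section 2.1  UDP-encapsulated ESP: ESP header (SPI, seq) directly after UDP
#   section 2.2  IKE on 4500: 4-byte zero Non-ESP Marker, then the ISAKMP header
#                (SPI 0 is reserved, so ESP can never look like the marker)
#   section 2.3  NAT keepalive: a single 0xFF octet
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"


def encap_esp(spi, seq, esp_payload):
    """UDP payload for UDP-encapsulated ESP."""
    if spi == 0:
        raise ValueError("SPI 0 is reserved; it would collide with the Non-ESP Marker")
    return struct.pack("!II", spi, seq) + esp_payload


def encap_ike(isakmp_message):
    """UDP payload for an IKE message carried on port 4500."""
    return NON_ESP_MARKER + isakmp_message


def classify_udp4500(payload):
    """Demultiplex a UDP/4500 payload as the receiving IPsec stack does."""
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive"
    if payload.startswith(NON_ESP_MARKER):
        return "ike"
    if len(payload) >= 8:
        spi, seq = struct.unpack("!II", payload[:8])
        return f"esp spi=0x{spi:08x} seq={seq}"
    return "malformed"


def describe_flow(ip_proto, dport, payload=b""):
    """What an access-list sees for phase-2 traffic: raw ESP is IP protocol 50
    and needs an 'esp' ACE; with NAT-T the same ESP arrives as udp/4500."""
    if ip_proto == 50:
        return "raw esp (ip protocol 50)"
    if ip_proto == 17 and dport == 4500:
        return "udp/4500 " + classify_udp4500(payload)
    if ip_proto == 17 and dport == 500:
        return "udp/500 ike"
    return "other"


# Constructed samples (not captured from the lab): a 28-byte ISAKMP header with a
# dummy initiator cookie, and a short ESP packet, each as it sits after the UDP header.
ISAKMP_HEADER = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, 1, 0x10, 2, 0, 0, 28)
ESP_SAMPLE = encap_esp(0x12345678, 1, b"\xaa" * 16)
IKE_SAMPLE = encap_ike(ISAKMP_HEADER)

if __name__ == "__main__":
    print(describe_flow(50, 0))
    print(describe_flow(17, 4500, ESP_SAMPLE))
    print(describe_flow(17, 4500, IKE_SAMPLE))
    print(describe_flow(17, 4500, NAT_KEEPALIVE))
```

The point for the access-list is that a firewall between the peers cannot tell from port numbers alone whether udp/4500 carries IKE or ESP; a single `permit udp ... eq 4500` ACE covers both, whereas without NAT-T the ESP arrives as its own IP protocol and needs a `permit esp` (protocol 50) ACE.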

On Jan 10, 2008, at 12:23 AM, Roie Ben Haim wrote:


Where is the ESP access-list on the PIX for the R2 to R5 IPsec tunnel in
the final configurations of the PIX?





<PIX.txt>
