ccing ccie study

On Sat, Aug 29, 2009 at 4:29 PM, Kingsley Charles <[email protected]> wrote:

> Hi Simon
>
> The following ACL is enough to be configured on the GETVPN server.
>
> permit ip host 22.22.22.1 any
> permit ip host 77.77.77.1 any
> permit ip host 88.88.88.1 any
>
> But the above ACL will encrypt all the traffic from 22.22.22.1, 77.77.77.1
> and 88.88.88.1.
>
> Given below is the specific ACL.
>
> permit ip host 22.22.22.1 host 77.77.77.1
> permit ip host 22.22.22.1 host 88.88.88.1
> permit ip host 88.88.88.1 host 22.22.22.1
> permit ip host 77.77.77.1 host 22.22.22.1
> permit ip host 88.88.88.1 host 77.77.77.1
> permit ip host 77.77.77.1 host 88.88.88.1
>
> You need to start with deny statements when you don't want specific
> traffic to be encrypted. For example, the criterion is to encrypt the 10.20.30.0
> subnet, but you don't need to encrypt any SSH session or traffic from 10.20.30.4.
>
> deny tcp 10.20.30.0 0.0.0.255 any eq 22
> deny udp 10.20.30.0 0.0.0.255 any eq 22
> deny ip host 10.20.30.4 any
> permit ip 10.20.30.0 0.0.0.255 any
>
> You also have an option to associate an ACL in the Group member crypto map
> to deny traffic.
>
> With regards
> Kings
>
> On Sat, Aug 29, 2009 at 4:01 PM, Simon Baumann <[email protected]> wrote:
>
>> Hi Segun, ok, thanks. I don't want to encrypt all traffic, only the
>> traffic to the loopbacks.
>>
>> Regards
>> Simon
>>
>>
>> On 29.08.2009 at 12:23, 'Segun Daini wrote:
>>
>> Hi Simon,
>>
>> The GETVPN ACL needs to match interesting traffic. Since there's a default
>> deny after your ACL, you really don't need to put the 3 deny statements you have
>> there.
>>
>> You would need to put a deny before a permit if there are specific IPs
>> within your permit network that should not be encrypted. And in your example,
>> the traffic you denied does not match any of the permitted traffic, therefore
>> I do not think it's necessary.
>>
>> Regards.
>>
>>
>> ------------------------------
>> From: Simon Baumann <[email protected]>
>> To: [email protected]
>> Sent: Saturday, August 29, 2009 2:09:15 PM
>> Subject: [OSL | CCIE_Security] Clarification about GET VPN.
>>
>>
>> Hi,
>> I'm setting up a GET VPN environment at a security ProctorLabs pod. My
>> scenario looks like this:
>>
>> Used devices: cat2, r1, r7, r8
>>
>> cat2:
>> vlan 2, int vlan 2: ip addr 2.2.2.254
>> vlan 7, int vlan 7: ip addr 7.7.7.254
>> vlan 8, int vlan 8: ip addr 8.8.8.254
>>
>> Server: r1
>> Clients: r7 and r8
>>
>> r1: fa0/1: ip addr 2.2.2.1, lo0: 22.22.22.1. Default route to fa0/1.
>> r7: fa0/0: ip addr 7.7.7.1, lo0 77.77.77.1. Default route to fa0/0.
>> r8: fa0/0: ip addr 8.8.8.1, lo0 88.88.88.1. Default route to fa0/0.
>>
>> I want to protect traffic between the loopbacks of my routers. But I'm
>> not sure how I have to configure my ACL to only match this traffic.
>>
>> The Cisco documentation states: "Ensure that your ACL starts with a
>> deny statement if all traffic does not need to be encrypted."
>>
>> So in my case, this would be the following ACL?
>>
>> ip access-list extended GET_VPN
>> deny ip host 2.2.2.1 any
>> deny ip host 8.8.8.1 any
>> deny ip host 7.7.7.1 any
>> permit ip host 22.22.22.1 any
>> permit ip host 77.77.77.1 any
>> permit ip host 88.88.88.1 any
>>
>> TIA.
>>
>> Have a nice weekend
>>
>> Simon
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
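An added example, not from the thread or any of its participants: a small first-match evaluator for the `permit`/`deny ip` lines quoted above, run over the three ACLs under discussion. It shows that Simon's three deny lines change no verdict (the implicit deny already leaves 2.2.2.1 traffic unencrypted, as Segun says), and that `permit ip host 22.22.22.1 any` also selects loopback-to-physical traffic for encryption while Kings' pairwise ACL selects only loopback-to-loopback flows. The addresses are the lab addresses from the thread; the parser, the `compare` helper and the sample flows are my own assumptions.

```python
from ipaddress import ip_address, ip_network

def parse_ace(line):
    """Parse one 'permit|deny ip <src> <dst>' line, where each side is
    'host A', 'A wildcard' (IOS inverse mask) or 'any'. Protocol/port
    qualifiers (tcp ... eq 22) are out of scope for this example."""
    toks = line.split()
    action, proto, rest = toks[0], toks[1], toks[2:]
    assert action in ("permit", "deny") and proto == "ip", line
    nets = []
    while rest:
        if rest[0] == "any":
            nets.append(ip_network("0.0.0.0/0")); rest = rest[1:]
        elif rest[0] == "host":
            nets.append(ip_network(rest[1] + "/32")); rest = rest[2:]
        else:  # address + wildcard, e.g. 10.20.30.0 0.0.0.255 -> /24
            prefix = 32 - int(ip_address(rest[1])).bit_length()
            nets.append(ip_network(f"{rest[0]}/{prefix}", strict=False))
            rest = rest[2:]
    return action, nets[0], nets[1]

def encrypts(acl, src, dst):
    """First matching ACE wins; the implicit deny after the last line means
    'do not encrypt', which is why the explicit deny lines are unneeded."""
    s, d = ip_address(src), ip_address(dst)
    for action, sn, dn in map(parse_ace, acl):
        if s in sn and d in dn:
            return action == "permit"
    return False

LOOPBACKS = ("22.22.22.1", "77.77.77.1", "88.88.88.1")
# Simon's ACL from the thread, and the same ACL without its deny lines.
SIMON_ACL = ["deny ip host 2.2.2.1 any", "deny ip host 8.8.8.1 any",
             "deny ip host 7.7.7.1 any"]
SIMON_ACL += [f"permit ip host {a} any" for a in LOOPBACKS]
NO_DENY_ACL = SIMON_ACL[3:]
# Kings' specific ACL: every ordered loopback-to-loopback pair, nothing else.
PAIRWISE_ACL = [f"permit ip host {a} host {b}"
                for a in LOOPBACKS for b in LOOPBACKS if a != b]

def compare(flow):
    """(simon, no_deny, pairwise) verdicts for one constructed (src, dst) flow."""
    return tuple(encrypts(acl, *flow) for acl in (SIMON_ACL, NO_DENY_ACL, PAIRWISE_ACL))

if __name__ == "__main__":
    for flow in [("22.22.22.1", "77.77.77.1"),   # loopback to loopback
                 ("2.2.2.1", "7.7.7.1"),         # physical to physical
                 ("22.22.22.1", "8.8.8.1")]:     # loopback to physical
        print(flow, compare(flow))
```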
