Hi Segun,
ok, thanks. I don't want to encrypt all traffic, only the traffic to the loopbacks.

Regards
Simon


On 29.08.2009 at 12:23, Segun Daini wrote:

Hi Simon,

The GET VPN ACL needs to match interesting traffic. Since there's a default deny after your ACL, you really don't need to put the 3 deny statements you have there.

You would need to put a deny before a permit if there are specific IPs within your permit network that should not be encrypted. And in your example, the traffic you denied does not match any of the permitted traffic, therefore I do not think it's necessary.

Regards.


From: Simon Baumann <[email protected]>
To: [email protected]
Sent: Saturday, August 29, 2009 2:09:15 PM
Subject: [OSL | CCIE_Security] Clarification about GET VPN.


Hi,
I'm setting up a GET VPN environment at a security ProctorLabs pod. My
scenario looks like this:

Used devices: cat2, r1, r7, r8

cat2:
vlan 2, int vlan2: ip addr 2.2.2.254
vlan 7, int vlan 7: ip addr 7.7.7.254
vlan 8, int vlan 8: ip addr 8.8.8.254

Server: r1
Clients: r7 and r8

r1: fa0/1: ip addr 2.2.2.1, lo0: 22.22.22.1. Default route to fa0/1.
r7: fa0/0: ip addr 7.7.7.1, lo0 77.77.77.1. Default route to fa 0/0.
r8: fa0/0: ip addr 8.8.8.1, lo0 88.88.88.1. Default route to fa 0/0.

I want to protect traffic between the loopbacks of my router. But I'm
not sure how I have to configure my ACL to only
match this traffic.

The Cisco documentation states: "Ensure that your ACL starts with a
deny statement if all traffic does not need to be encrypted."

So in my case, this would be the following ACL?


ip access-list extended GET_VPN
  deny  ip host 2.2.2.1 any
  deny  ip host 8.8.8.1 any
  deny  ip host 7.7.7.1 any
  permit ip host 22.22.22.1 any
  permit ip host 77.77.77.1 any
  permit ip host 88.88.88.1 any

TIA.

Have a nice weekend

Simon
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
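To make Segun's point about first-match evaluation and the implicit deny concrete, here is a small ACL evaluator written for this thread; it is an added illustration, not code from the original posts or from Cisco IOS. The entry syntax it parses (permit/deny, ip, host/any/wildcard) and the sample flows built from the addresses in Simon's topology are assumptions of the example. It runs Simon's ACL as posted and a permit-only version against the same flows and shows that both take the same decision, while a constructed deny-before-permit entry (a loopback pair that should stay in clear text) is the one case where an explicit deny changes the outcome. Note that in GET VPN a deny, explicit or implicit, means the traffic is forwarded unencrypted, not dropped.

```python
"""Toy first-match evaluator for an extended IP ACL as GET VPN uses it.

Constructed example: Ace, parse_ace, evaluate and the sample flows are
assumptions of this illustration, not Cisco IOS behaviour in every detail.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address

ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class Ace:
    action: str    # "permit" (encrypt) or "deny" (send in clear text)
    src_net: int   # source address pattern as an integer
    src_wild: int  # Cisco wildcard mask: set bits are "don't care"
    dst_net: int
    dst_wild: int

    def matches(self, src: str, dst: str) -> bool:
        s, d = int(IPv4Address(src)), int(IPv4Address(dst))
        # Bits that are 0 in the wildcard must be equal between address and pattern.
        src_ok = ((s ^ self.src_net) & ~self.src_wild & ALL_ONES) == 0
        dst_ok = ((d ^ self.dst_net) & ~self.dst_wild & ALL_ONES) == 0
        return src_ok and dst_ok


def _parse_spec(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return 0, ALL_ONES, i + 1
    if tok == "host":
        return int(IPv4Address(tokens[i + 1])), 0, i + 2
    return int(IPv4Address(tok)), int(IPv4Address(tokens[i + 1])), i + 2


def parse_ace(line: str) -> Ace:
    """Parse one extended ACL entry of the form '<permit|deny> ip <src> <dst>'."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported entry: {line!r}")
    src_net, src_wild, i = _parse_spec(tokens, 2)
    dst_net, dst_wild, _ = _parse_spec(tokens, i)
    return Ace(action, src_net, src_wild, dst_net, dst_wild)


def evaluate(acl, src: str, dst: str):
    """Return (action, index) of the first matching entry.

    The implicit deny at the end of every ACL is reported as ("deny", None).
    """
    for idx, ace in enumerate(acl):
        if ace.matches(src, dst):
            return ace.action, idx
    return "deny", None


# Simon's ACL exactly as posted in the thread.
ACL_AS_POSTED = [parse_ace(line) for line in [
    "deny ip host 2.2.2.1 any",
    "deny ip host 8.8.8.1 any",
    "deny ip host 7.7.7.1 any",
    "permit ip host 22.22.22.1 any",
    "permit ip host 77.77.77.1 any",
    "permit ip host 88.88.88.1 any",
]]

# The same ACL without the three deny entries, as Segun suggests.
ACL_PERMIT_ONLY = ACL_AS_POSTED[3:]

# Constructed variation: one loopback pair that must NOT be encrypted. This is
# the case where a deny placed before the permits actually matters.
ACL_WITH_EXCEPTION = [parse_ace("deny ip host 22.22.22.1 host 88.88.88.1")] + ACL_PERMIT_ONLY

# Constructed flows from the addresses in the posted topology.
SAMPLE_FLOWS = [
    ("22.22.22.1", "77.77.77.1"),  # r1 lo0 -> r7 lo0: should be encrypted
    ("22.22.22.1", "88.88.88.1"),  # r1 lo0 -> r8 lo0: should be encrypted
    ("2.2.2.1", "7.7.7.1"),        # r1 fa0/1 -> r7 fa0/0: physical addresses
    ("7.7.7.1", "88.88.88.1"),     # r7 fa0/0 -> r8 lo0: non-loopback source
]


def same_decisions(acl_a, acl_b, flows=SAMPLE_FLOWS) -> bool:
    """True if both ACLs take the same permit/deny decision on every flow."""
    return all(evaluate(acl_a, s, d)[0] == evaluate(acl_b, s, d)[0] for s, d in flows)


if __name__ == "__main__":
    for name, acl in [("as posted", ACL_AS_POSTED), ("permit only", ACL_PERMIT_ONLY),
                      ("with exception", ACL_WITH_EXCEPTION)]:
        print(f"--- {name}")
        for s, d in SAMPLE_FLOWS:
            action, idx = evaluate(acl, s, d)
            where = "implicit deny" if idx is None else f"entry {idx}"
            print(f"{s:>11} -> {d:<11} {action:6} ({where})")
    print("posted == permit-only:", same_decisions(ACL_AS_POSTED, ACL_PERMIT_ONLY))
```

Running it shows the physical-interface flows landing on an explicit deny in the posted ACL and on the implicit deny in the permit-only ACL, with identical results either way; only the constructed exception ACL changes a decision, and it does so because its deny precedes the permit that would otherwise match.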


