Begin forwarded message:
From: Simon Baumann <[email protected]>
Date: 29 August 2009 13:25:28 CEST
To: Kingsley Charles <[email protected]>
Subject: Re: [OSL | CCIE_Security] Clarification about GET VPN.
Hi Kings,
thanks! So it's like the "classic" IPsec L2L ACL used to match the
interesting traffic?
Regards
Simon
On 29.08.2009 at 12:59, Kingsley Charles wrote:
Hi Simon
The following ACL is enough to be configured on the GETVPN server.
permit ip host 22.22.22.1 any
permit ip host 77.77.77.1 any
permit ip host 88.88.88.1 any
But the above ACL will encrypt all the traffic from 22.22.22.1,
77.77.77.1 and 88.88.88.1.
Given below is the specific ACL.
permit ip host 22.22.22.1 host 77.77.77.1
permit ip host 22.22.22.1 host 88.88.88.1
permit ip host 88.88.88.1 host 22.22.22.1
permit ip host 77.77.77.1 host 22.22.22.1
permit ip host 88.88.88.1 host 77.77.77.1
permit ip host 77.77.77.1 host 88.88.88.1
You need to start with deny statements when you don't want
specific traffic to be encrypted. For example, the criteria is to
encrypt the 10.20.30.0 subnet, but you don't need to encrypt any ssh
session and traffic from 10.20.30.4:
deny tcp 10.20.30.0 0.0.0.255 any eq 22
deny udp 10.20.30.0 0.0.0.255 any eq 22
deny ip host 10.20.30.4 any
permit ip 10.20.30.0 0.0.0.255 any
You also have an option to associate an ACL in the Group member
crypto map to deny traffic.
With regards
Kings
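As an added illustration of the point made in this reply (example code written for this page, not anything posted in the thread): a small first-match evaluator for Cisco-style extended ACL lines. It parses the three ACLs quoted above and shows which flows each one would select for encryption, including the implicit deny at the end and the effect of placing deny entries before the permit. The flows fed to it are constructed for the demonstration; the addresses are the ones used in the thread.

```python
"""Added example, not part of the original thread: evaluate which flows a
GET VPN crypto ACL selects, using Cisco first-match semantics."""
import ipaddress

# The three ACLs quoted in the reply above (destination 'host' keywords and
# wildcard masks written out in full).
BROAD_ACL = [
    "permit ip host 22.22.22.1 any",
    "permit ip host 77.77.77.1 any",
    "permit ip host 88.88.88.1 any",
]
LOOPBACK_ACL = [
    "permit ip host 22.22.22.1 host 77.77.77.1",
    "permit ip host 22.22.22.1 host 88.88.88.1",
    "permit ip host 88.88.88.1 host 22.22.22.1",
    "permit ip host 77.77.77.1 host 22.22.22.1",
    "permit ip host 88.88.88.1 host 77.77.77.1",
    "permit ip host 77.77.77.1 host 88.88.88.1",
]
SUBNET_ACL = [
    "deny tcp 10.20.30.0 0.0.0.255 any eq 22",
    "deny udp 10.20.30.0 0.0.0.255 any eq 22",
    "deny ip host 10.20.30.4 any",
    "permit ip 10.20.30.0 0.0.0.255 any",
]


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' at tokens[i].
    Returns (network, index of the next unread token)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = tokens[i + 1]
    if wildcard == "0.0.0.0":  # an all-zero wildcard mask means a single host
        return ipaddress.ip_network(tok + "/32"), i + 2
    # ipaddress accepts a Cisco wildcard (host mask) as the second tuple element
    return ipaddress.ip_network((tok, wildcard), strict=False), i + 2


def parse_ace(line):
    """Parse one 'permit|deny PROTO SRC DST [eq PORT]' entry into a dict."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, i = _parse_addr(tokens, 2)
    dst, i = _parse_addr(tokens, i)
    dport = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def ace_matches(ace, flow):
    """flow is (proto, src_ip, dst_ip, dst_port_or_None)."""
    proto, src, dst, dport = flow
    if ace["proto"] != "ip" and ace["proto"] != proto:
        return False
    if ipaddress.ip_address(src) not in ace["src"]:
        return False
    if ipaddress.ip_address(dst) not in ace["dst"]:
        return False
    return ace["dport"] is None or ace["dport"] == dport


def is_encrypted(acl_lines, flow):
    """First matching entry decides. The implicit deny at the end of every
    Cisco ACL means traffic that matches nothing is left in the clear."""
    for ace in map(parse_ace, acl_lines):
        if ace_matches(ace, flow):
            return ace["action"] == "permit"
    return False


def classify(acl_lines, flows):
    """Map each flow to True (encrypted) or False (clear) under acl_lines."""
    return {flow: is_encrypted(acl_lines, flow) for flow in flows}


if __name__ == "__main__":
    # Constructed sample flows: loopback to loopback, loopback to the cat2
    # SVI address, and hosts in 10.20.30.0/24 talking to r7.
    sample = [
        ("icmp", "22.22.22.1", "77.77.77.1", None),
        ("tcp", "22.22.22.1", "2.2.2.254", 80),
        ("tcp", "10.20.30.7", "7.7.7.1", 22),
        ("tcp", "10.20.30.7", "7.7.7.1", 80),
        ("udp", "10.20.30.4", "7.7.7.1", 53),
    ]
    for name, acl in (("BROAD", BROAD_ACL), ("LOOPBACK", LOOPBACK_ACL), ("SUBNET", SUBNET_ACL)):
        for flow, enc in classify(acl, sample).items():
            print(f"{name:8} {flow} -> {'encrypt' if enc else 'clear'}")
```

The evaluator only models the subset of ACL syntax used in the thread (ip/tcp/udp, `any`, `host`, wildcard masks and a destination `eq` port); it is enough to see that the broad ACL encrypts loopback traffic to any destination, the loopback ACL encrypts only the six loopback pairs, and the deny entries in the subnet ACL take effect only because they precede the permit.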
On Sat, Aug 29, 2009 at 4:01 PM, Simon Baumann <[email protected]> wrote:
Hi Segun,
ok, thanks. I don't want to encrypt all traffic, only the traffic to
the loopbacks.
Regards
Simon
On 29.08.2009 at 12:23, Segun Daini wrote:
Hi Simon,
The GETVPN ACL needs to match interesting traffic. Since there's a
default deny after your ACL, you really don't need to put the 3 deny
statements you have there.
You would need to put a deny before permit if there are specific
IPs within your permit network that should not be encrypted. And in
your example, the traffic you denied does not match any of the
permitted traffic, therefore I do not think it's necessary.
Regards.
From: Simon Baumann <[email protected]>
To: [email protected]
Sent: Saturday, August 29, 2009 2:09:15 PM
Subject: [OSL | CCIE_Security] Clarification about GET VPN.
Hi,
I'm setting up a GET VPN environment at a security ProctorLabs pod.
My scenario looks like this:
Used devices: cat2, r1, r7, r8
cat2:
vlan 2, int vlan2: ip addr 2.2.2.254
vlan 7, int vlan 7: ip addr 7.7.7.254
vlan 8, int vlan 8: ip addr 8.8.8.254
Server: r1
Clients: r7 and r8
r1: fa0/1: ip addr 2.2.2.1, lo0: 22.22.22.1. Default route to fa0/1.
r7: fa0/0: ip addr 7.7.7.1, lo0 77.77.77.1. Default route to fa 0/0.
r8: fa0/0: ip addr 8.8.8.1, lo0 88.88.88.1. Default route to fa 0/0.
I want to protect traffic between the loopbacks of my routers. But
I'm not sure how I have to configure my ACL to only match this traffic.
The Cisco documentation states: "Ensure that your ACL starts with a
deny statement if all traffic does not need to be encrypted."
So in my case, this would be the following ACL?
ip access-list extended GET_VPN
deny ip host 2.2.2.1 any
deny ip host 8.8.8.1 any
deny ip host 7.7.7.1 any
permit ip host 22.22.22.1 any
permit ip host 77.77.77.1 any
permit ip host 88.88.88.1 any
TIA.
Have a nice weekend
Simon
_______________________________________________
For more information regarding industry leading CCIE Lab training,
please visit www.ipexpert.com