Hi Ciaron,

      I totally agree with you that Phase-1 is completed in Mike's setup.
But I would like to discuss some points. The problem I think is in phase-2
only.

1. Normally if your end-to-end traffic has to pass the ISP (public network)
then you create a VPN tunnel. ISPs don't block any traffic or ports (500, 50
or 51). If at all you are blocking these ports it will be at the customer site.

2. You are right that "sysopt connection permit-ipsec" should be given on the
PIX to allow the IPSec traffic. But I assume Mike might have already tried
that. Thanks a lot for this information as I never thought of turning it off
and testing it. I just had a look at the Cisco site regarding this info.
Which is better? Turn it off and permit the specific ports, or give this
command and let the PIX do the rest?

3. You define interesting traffic only for those networks or machines where
you want to communicate securely over the private network. So there is no point
in filtering the traffic. Configure the access-list so that only specific
traffic is permitted. If the traffic doesn't match the crypto access list, how
will the packets enter the network? In my opinion they will get
dropped. Hope you get me.

thanks once again,
regards
Silju
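The two alternatives raised in point 2, and the crypto access list from point 3, side by side as an added configuration example (not from the original post or from Mike's actual setup). The interface names, access-list names, peer and network addresses (203.0.113.2, 198.51.100.1, 192.168.1.0/24, 192.168.2.0/24) and the transform-set name are assumed placeholders in PIX 6.x syntax.

```cisco
! --- Phase 2: define "interesting traffic" (point 3) ---
! Only packets matching this list are encrypted; anything else
! leaving the outside interface goes in the clear, so keep it tight.
access-list vpn_interesting permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

! Exempt the same traffic from NAT so the private addresses survive
! long enough to match the crypto access list.
nat (inside) 0 access-list vpn_interesting

crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address vpn_interesting
crypto map mymap 10 set peer 203.0.113.2
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside

! --- Option A (point 2): let the PIX bypass the interface ACLs ---
! Inbound ISAKMP/ESP/AH from the peer AND the decrypted packets are
! permitted regardless of the outside access-group.
sysopt connection permit-ipsec

! --- Option B (point 2): turn it off and permit only what is needed ---
no sysopt connection permit-ipsec
! ISAKMP (UDP 500), ESP (IP protocol 50) and AH (IP protocol 51),
! restricted to the single remote peer.
access-list outside_in permit udp host 203.0.113.2 host 198.51.100.1 eq 500
access-list outside_in permit esp host 203.0.113.2 host 198.51.100.1
access-list outside_in permit ah  host 203.0.113.2 host 198.51.100.1
! With sysopt off, the DECRYPTED traffic is also checked against this
! list, so the remote private network must be allowed through as well.
access-list outside_in permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-group outside_in in interface outside
```

Option B is the tighter of the two: it pins the tunnel endpoints and the post-decryption traffic to explicit entries, so a misconfigured or rogue peer cannot ride in on the blanket exemption. The price is the extra line for the decrypted traffic, which is the one people most often forget when they switch the sysopt command off and then see Phase 2 come up while pings still fail.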


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=50554&t=50144
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
