Hi Silju,

I would have to disagree with you on one point, or perhaps modify your
statement -- "Normally" ISPs don't filter IPSEC, but some do -- I know
this from personal experience.  Granted, the ISP in question didn't know they
were doing it (misconfigured access-list).

I remember reading somewhere that some ISPs were going to actively filter
IPSEC transiting their AS.  This may or may not be true... does anybody on
the group know for sure?

Either way, it may be prudent to check with his upstream ISP!!

Although you're correct in saying that most VPNs terminate at secure or
wholly trusted sites, this is not always the case.  Suppose you wanted to
also extend your VPN to a support company for a particular server app; your
corporate policy may not like the fact that you cannot actively control
what is sent through the tunnel.  Sure, you can make sure a reply will only
go back to a destination address defined as "interesting" in your return
access list... but those packets are still coming from his side of the VPN
and entering your network... so in that case, you could turn off the sysopt
connection permit-ipsec and use access-lists on the outside to filter the
traffic before it enters the network.  I could be wrong, but that is my
understanding of the PIX implementation of IPSEC... does anybody know for
sure?

cheers dude,

Ciaron

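The two options Ciaron describes side by side, as an added illustration (not configuration posted by either participant, and not taken from Mike's setup). It assumes PIX 6.x syntax, a partner subnet of 192.168.20.0/24 reaching one internal server on TCP 1433, and made-up addresses throughout; lines beginning with "!" are annotations, not configuration.

```text
! --- Constructed example: site-to-site IPsec to a support partner ---
! Interesting traffic: only the partner subnet to our server subnet is encrypted
access-list vpn_interesting permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map partner 10 ipsec-isakmp
crypto map partner 10 match address vpn_interesting
crypto map partner 10 set peer 203.0.113.10
crypto map partner 10 set transform-set strong
crypto map partner interface outside
isakmp enable outside
isakmp key ******** address 203.0.113.10 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2

! --- Option A (Silju's point 2): let the PIX do the rest ---
! Every packet that arrives through the tunnel bypasses the outside access-group.
! Whatever the partner sends inside the crypto ACL's scope reaches the inside network.
sysopt connection permit-ipsec

! --- Option B (Ciaron's suggestion): turn the bypass off and filter on the outside ---
! Decrypted packets are now checked against the outside access-group like any other.
no sysopt connection permit-ipsec
! IKE and ESP from the peer to the PIX itself (assumed; harmless if already accepted)
access-list outside_in permit udp host 203.0.113.10 host 198.51.100.1 eq isakmp
access-list outside_in permit esp host 203.0.113.10 host 198.51.100.1
! Only the support app port, only to the one server the partner supports
access-list outside_in permit tcp 192.168.20.0 255.255.255.0 host 192.168.10.25 eq 1433
! Anything else from the partner subnet is dropped and logged for review
access-list outside_in deny ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0 log
access-group outside_in in interface outside
```

With option B the crypto ACL still decides what gets encrypted, but the outside access-group decides what the partner is allowed to reach once decrypted, which is the control Ciaron's corporate-policy scenario is after.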

----- Original Message -----
From: "Silju Pillai" 
To: 
Sent: Friday, August 02, 2002 10:18 PM
Subject: RE: VPN not connecting [7:50144]


> HI Ciaron,
>
>       I totally agree with you that Phase-1 is completed in Mike's setup.
> But I would like to discuss some points. The problem I think is in phase-2
> only.
>
> 1. Normally if your end-to-end traffic has to pass the ISP (public network)
> then you create a VPN tunnel. ISPs don't block any traffic or ports (500, 50
> or 51). If at all you are blocking these ports it will be at the customer
> site.
>
> 2. You are right that "sysopt connection permit-ipsec" should be given on
> PIX to allow the IPSec traffic. But I assume Mike might have already tried
> that. Thanks a lot for this information as I never thought of turning it
> off and testing it. I just had a look at the cisco site regarding this info.
> Which is better? Turn it off and permit the specific ports or give this
> command and let PIX do the rest.
>
> 3. You define interesting traffic only for those networks or machines
> where you want to communicate using private network securely. So there is
> no point in filtering the traffic. Configure access-list so that only
> specific traffic is permitted. If the traffic doesn't match the crypto
> access list how will the packets enter into the network? In my opinion they
> will get dropped. Hope you get me.
>
> thanks once again,
> regards
> Silju




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=50564&t=50144