Does the IPsec double ACL check really prevent me from configuring proper anti-spoofing?

Hi all,

I'm quite a newbie with Cisco IOS, so feel free to clarify any bad assumptions I may have made when posting this note.

Now to my question: I'm configuring a 1720 with IOS 12.3.9a and I chose to allow incoming IPsec connections from the internet (VPN client 4.x). AFAIK the traffic passes twice through the inbound ACL on the outer interface: first as IPsec, then unencrypted. But that, in fact, forces me to set up some ACL entries in that inbound ACL allowing traffic from the internet to the very private addresses I'm assigning to the VPN clients!

Wouldn't this explicitly permit some kinds of spoofing attacks from the internet?

I already found that this is handled differently in some 12.3T releases with the new crypto access check feature, but this is not an option as I'm stuck with the IOS image that came with the router.

If I'm right, is there any way to protect against spoofing while still being able to configure IPsec RAS?

And a final question: I assume it's best to place anti-spoofing rules at the end of the ACL, as they're likely to be hit much less often than others I have for permitting HTTP to an internal host and the like. Am I right?

Thanks for any help,
David
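Added example, not part of the post above and not Cisco's code: a small Python model of the two points the question turns on, namely first-match evaluation of an inbound ACL (standard IOS semantics: top-down, first matching entry wins, implicit deny at the end) and the double pass the poster describes, where the ESP packet is checked once and the decrypted inner packet is checked again against the same ACL. The addresses, the VPN pool, the web server and the two candidate ACLs are constructed for the example. It shows that the `permit` entry the second pass forces you to add also admits a cleartext packet from the internet that merely carries a pool address as its source (the ACL cannot tell the two apart), and that anti-spoofing `deny` entries placed after a broad `permit` never fire for the destinations that `permit` covers.

```python
"""
Toy model of a first-match inbound ACL on the outside interface, evaluated
twice for IPsec traffic as described in the post: once on the ESP packet and
once on the decrypted inner packet. All addresses are constructed examples.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                 # "esp", "udp", "tcp", "icmp"
    src: str                   # source IP
    dst: str                   # destination IP
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches any protocol
    src: str                   # CIDR prefix
    dst: str                   # CIDR prefix
    dport: Optional[int] = None  # None = any port


ANY = "0.0.0.0/0"
PUBLIC_IP = "203.0.113.1/32"     # router's outside address (constructed)
INTERNAL_LAN = "192.168.1.0/24"  # LAN behind the router (constructed)
WEB_SERVER = "192.168.1.10/32"   # the "internal host" HTTP is permitted to
VPN_POOL = "10.10.10.0/24"       # addresses handed to VPN clients


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if the packet matches the rule's protocol, prefixes and port."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def verdict(acl: List[Rule], pkt: Packet) -> str:
    """First-match evaluation with the implicit deny at the end of an IOS ACL."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"


def ipsec_inbound(acl: List[Rule], outer: Packet, inner: Packet) -> Tuple[str, str]:
    """The double check the post describes: the ESP packet is checked, then
    the decrypted inner packet is run through the same inbound ACL again.
    The inner packet carries no mark saying it came out of a tunnel."""
    return verdict(acl, outer), verdict(acl, inner)


# ACL as the poster proposed: anti-spoofing denies at the end.
ACL_SPOOF_LAST = [
    Rule("permit", "udp", ANY, PUBLIC_IP, 500),         # ISAKMP
    Rule("permit", "esp", ANY, PUBLIC_IP),              # ESP
    Rule("permit", "tcp", ANY, WEB_SERVER, 80),         # HTTP to internal host
    Rule("permit", "ip", VPN_POOL, INTERNAL_LAN),       # forced by the second pass
    Rule("deny", "ip", INTERNAL_LAN, ANY),              # anti-spoof: own LAN
    Rule("deny", "ip", "10.0.0.0/8", ANY),              # anti-spoof: RFC 1918
]

# Same entries with the anti-spoofing denies first. The VPN pool permit still
# has to precede the 10/8 deny, or the decrypted client traffic is dropped.
ACL_SPOOF_FIRST = [
    Rule("deny", "ip", INTERNAL_LAN, ANY),
    Rule("permit", "ip", VPN_POOL, INTERNAL_LAN),
    Rule("deny", "ip", "10.0.0.0/8", ANY),
    Rule("permit", "udp", ANY, PUBLIC_IP, 500),
    Rule("permit", "esp", ANY, PUBLIC_IP),
    Rule("permit", "tcp", ANY, WEB_SERVER, 80),
]

# Constructed traffic.
VPN_OUTER = Packet("esp", "198.51.100.7", "203.0.113.1")           # client's ESP
VPN_INNER = Packet("tcp", "10.10.10.5", "192.168.1.20", 445)       # after decryption
SPOOFED_POOL = Packet("tcp", "10.10.10.5", "192.168.1.20", 445)    # cleartext, faked source
SPOOFED_LAN = Packet("tcp", "192.168.1.50", "192.168.1.10", 80)    # cleartext, faked LAN source


if __name__ == "__main__":
    for name, acl in (("spoof-last", ACL_SPOOF_LAST), ("spoof-first", ACL_SPOOF_FIRST)):
        print(name, "legit VPN:", ipsec_inbound(acl, VPN_OUTER, VPN_INNER))
        print(name, "spoofed pool source:", verdict(acl, SPOOFED_POOL))
        print(name, "spoofed LAN source to web:", verdict(acl, SPOOFED_LAN))
```

Whichever order is used, the cleartext packet with a pool source is permitted by exactly the entry that the decrypted VPN traffic needs, which is the exposure the question describes; the model cannot close it because the ACL sees identical packets in both cases. Ordering does matter for the other anti-spoofing entries: with the denies last, a packet claiming a LAN source hits the HTTP permit first and is accepted; with the denies first it is dropped, so the hit-count argument for putting them last costs real protection.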


Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.