Restricting IPSEC traffic

I have an IPSEC tunnel configured between a router running IOS and a Check Point firewall, which is working fine.

One thing I'm having difficulty with is restricting traffic coming into the router on the IPSEC tunnel (for example, allow only specific hosts at the Check Point end of the tunnel to initiate connections to servers behind the router).

Beyond creating an outbound access list for my internal interface, is there any other way to restrict this traffic?

Cheers, Chris

Reply to
Can2002

In article , snipped-for-privacy@nospammail.net (Can2002) writes:
| I have an IPSEC tunnel configured between a router running IOS and a
| Check Point firewall, which is working fine.
|
| One thing I'm having difficulty with is restricting traffic coming into
| the router on the IPSEC tunnel (for example, allow only specific hosts
| at the Check Point end of the tunnel to initiate connections to servers
| behind the router).
|
| Beyond creating an outbound access list for my internal interface, is
| there any other way to restrict this traffic?

I'm assuming that you don't have a recent enough version of IOS that you can terminate the IPSEC tunnel on an actual tunnel interface and thus your problem is that the incoming access list on the interface with the crypto map is checked against the IPSEC wrapper packet rather than the encapsulated packet.

The encapsulated packet is checked against the inverse of the access list associated with the crypto map and is dropped if it shouldn't have been encrypted (based on the assumption that the access lists on each end of the tunnel are complementary) in the first place. You can use this to restrict incoming traffic, but it is likely considered a configuration error. Beware that IOS will log an error in some but not all cases when it drops a packet in these circumstances. With ipsec debug enabled there should be a message in all cases.

Of course, if you can configure the far end to not encrypt/encapsulate the offending packets in the first place then the normal incoming access list will catch them. But that requires keeping three sets of access lists in sync and also assumes that the packets are routable independent of the IPSEC tunnel.

Dan Lanciani ddl@danlan.*com

Reply to
Dan Lanciani
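The two situations Dan describes side by side, as an added configuration example that is not from either poster or from Cisco's documentation: first the crypto-map layout, where the inbound ACL on the outside interface only ever sees the ESP wrapper, then a static VTI (available in 12.4T) where the decrypted packets arrive on Tunnel0 and an ordinary inbound ACL can match the inner source and destination. All addresses, interface names, ACL and profile names and the pre-shared key placeholder are constructed for the example; the hosts 192.168.5.10 and .11 stand in for "specific hosts at the Check Point end".

```cisco
! Added example, not from the thread. Constructed addressing:
!   10.1.0.0/24     servers behind the IOS router (FastEthernet0/1)
!   192.168.5.0/24  Check Point side; only .10 and .11 may open sessions
!   203.0.113.1     router outside address (FastEthernet0/0)
!   198.51.100.1    Check Point peer address
!
! --- 1. Crypto-map style (the original question) ---
! The inbound ACL on FastEthernet0/0 is evaluated against the ESP packet,
! not the decrypted payload, so the most it can do is admit the tunnel
! itself.  It cannot tell 192.168.5.10 from 192.168.5.20 inside the tunnel.
ip access-list extended OUTSIDE-IN
 permit udp host 198.51.100.1 host 203.0.113.1 eq isakmp
 permit esp host 198.51.100.1 host 203.0.113.1
 deny   ip any any log
interface FastEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE-IN in
!
! --- 2. Static VTI (12.4T) ---
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key EXAMPLE-PSK address 198.51.100.1
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec profile VTI-PROF
 set transform-set TS
!
! Caveat: an sVTI negotiates proxy identities of 0.0.0.0/0 <-> 0.0.0.0/0.
! The Check Point end must be willing to accept that (route-based /
! "any" encryption domain), otherwise Phase 2 will not come up.
interface Tunnel0
 ip unnumbered FastEthernet0/1
 tunnel source 203.0.113.1
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
 ip access-group TUNNEL-IN in
 ip inspect VPN-FW out
!
! Traffic for the far side is steered into the tunnel by routing, not by
! a crypto ACL.
ip route 192.168.5.0 255.255.255.0 Tunnel0
!
! Decrypted packets enter "in" on Tunnel0, so this ACL matches the inner
! header: only the two named hosts may initiate, and only to the stated
! services.  Anything else that the far end chose to encrypt is logged.
ip access-list extended TUNNEL-IN
 permit tcp host 192.168.5.10 10.1.0.0 0.0.0.255 eq 443
 permit tcp host 192.168.5.11 10.1.0.0 0.0.0.255 eq 22
 deny   ip any any log
!
! CBAC inspection of sessions leaving via Tunnel0 opens the return path
! through TUNNEL-IN dynamically, so servers behind the router can still
! reach the Check Point side without a blanket "established" entry.
ip inspect name VPN-FW tcp
ip inspect name VPN-FW udp
```

The inbound ACL on Tunnel0 is the only filter that has to change when the list of permitted far-end hosts changes; the outside-interface ACL and the IPsec profile stay as they are, which is the "three sets of access lists in sync" problem Dan mentions reduced to one.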

Hi Dan,

Apologies for the delay in replying, and thanks for responding to me.

I'm running 12.4T and it looks as though I can configure a tunnel interface. Having scanned through the Cisco VTI doc I'm not sure I can make use of the static tunnel option (as I cannot configure the other end). Does the dynamic option sound right to you?

Thanks again, Chris

Reply to
can2002

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.