Step 6 Configure the Interface ACL

In the examples shown thus far, the router connected to the Internet also served as the IPsec peer. It is likely that such an Internet-connected device would be a firewall in today's networks, although this is more of a guideline than a rule. In either case, it is important to permit IPsec packets so that IKE and IPsec SAs can be established. Typical Internet-facing devices block most packets that come toward them, unless the stream was initiated on the inside. Site-to-site IPsec VPN tunnels can be between Internet-facing devices.

In the case of site-to-site VPNs, the source IP address of the incoming IPsec packets is known. Most sites use a static IP address toward the Internet, and such addresses do not change very often, if ever. Thus, when creating an access list to permit IPsec, it is not necessary to permit IPsec packets from all Internet sources. Extended access lists make it possible to be selective about the peer addresses, and thus more secure.

Figure 13-9 shows a partial access list that is used to permit IPsec packets inbound on the interface. In the figure, the previous interface configurations remain to show continuity.

Figure 13-9 Site-to-Site Interface Configuration

[Figure: the Central Office router (labelled Router B) and its IPsec peer across the Internet, with the protected networks 192.168.101.0/24 and 192.168.102.0/24. The configuration text shown in the figure is:]

    access-list 110 permit ahp host 10.1.3.2 host 172.16.1.2
    access-list 110 permit esp host 10.1.3.2 host 172.16.1.2
    access-list 110 permit udp host 10.1.3.2 host 172.16.1.2 eq isakmp

    access-list 120 permit ahp host 172.16.1.2 host 10.1.3.2
    access-list 120 permit esp host 172.16.1.2 host 10.1.3.2
    access-list 120 permit udp host 172.16.1.2 host 10.1.3.2 eq isakmp

    interface serial 2/1
     ip address 172.16.1.2 255.255.255.
     crypto map to-central
     ip access-group 110 in

    interface serial 3/2
     ip address 10.1.3.2 255.255.255.
     crypto map to-remote
     ip access-group 120 in

The Internet-facing access list could be quite large, or it may simply deny everything that is not part of an already-established session. In either case, the three statements shown in Figure 13-9 represent the addition of AH (IP protocol 51), ESP (IP protocol 50), and IKE (UDP port 500, isakmp) to the already-existing access list. These three lines are also specific about the source and destination IP addresses for which such traffic is permitted through the interface: only packets from the configured peer to the local peer address match, and everything else falls through to the rest of the list and, ultimately, to the implicit deny at its end.
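To make the matching behaviour concrete, the following added example (not from the book) models how an IOS extended access list evaluates a packet and runs it over access list 110 from Figure 13-9. The peer addresses come from the figure; the unrelated source 198.51.100.7 and the UDP/4500 case are constructed for the check, and wildcard masks are deliberately not modelled.

```python
# Added example, not from the book: first-match evaluation of an IOS extended ACL,
# run against access list 110 from Figure 13-9.
IP_PROTO = {"ahp": 51, "esp": 50, "udp": 17, "tcp": 6, "ip": None}

# Access list 110 exactly as it appears in Figure 13-9.
ACL_110 = """
access-list 110 permit ahp host 10.1.3.2 host 172.16.1.2
access-list 110 permit esp host 10.1.3.2 host 172.16.1.2
access-list 110 permit udp host 10.1.3.2 host 172.16.1.2 eq isakmp
"""

def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO host A host B [eq PORT]' lines into
    (action, ip_proto, src, dst, dport) tuples. Wildcard masks are not modelled."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 8 or tok[0] != "access-list":
            continue
        assert tok[4] == tok[6] == "host", "only 'host' matches are modelled: " + line
        dport = None
        if len(tok) > 9 and tok[8] == "eq":
            dport = 500 if tok[9] == "isakmp" else int(tok[9])  # isakmp = UDP/500
        aces.append((tok[2], IP_PROTO[tok[3]], tok[5], tok[7], dport))
    return aces

def acl_permits(aces, src, dst, proto, dport=None):
    """First matching entry wins; every IOS ACL ends in an implicit deny."""
    for action, ace_proto, ace_src, ace_dst, ace_dport in aces:
        if ace_proto is not None and ace_proto != proto:
            continue
        if ace_src != src or ace_dst != dst:
            continue
        if ace_dport is not None and ace_dport != dport:
            continue
        return action == "permit"
    return False  # implicit "deny ip any any"

def check_figure_13_9():
    """Constructed packets: the configured peer 10.1.3.2 versus an unrelated
    source 198.51.100.7, and IKE on UDP/4500 (NAT traversal), which is not listed."""
    aces = parse_acl(ACL_110)
    peer, me = "10.1.3.2", "172.16.1.2"
    return {
        "ike_from_peer": acl_permits(aces, peer, me, 17, 500),
        "esp_from_peer": acl_permits(aces, peer, me, 50),
        "ah_from_peer": acl_permits(aces, peer, me, 51),
        "esp_from_stranger": acl_permits(aces, "198.51.100.7", me, 50),
        "nat_t_from_peer": acl_permits(aces, peer, me, 17, 4500),
    }
```

The last case is the caveat to keep in mind: if either peer sits behind NAT, IKE and ESP are carried in UDP/4500, which the three lines from the figure do not permit.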
