How do I inspect when I use site-to-site VPN?

Jun 5th, 2007

I was implementing site-to-site VPN on the ISR router (Security IOS) and the ASA 5510 firewall.

What are the protocols that I need to inspect on the ISR router?

Please advise or point me to useful links.


Thanks in advance

Jon Marshall Wed, 06/06/2007 - 00:12

Hi


Not entirely sure what you mean. If you mean which protocols you need to allow for IPSEC to work:


UDP port 500

ESP port 50

AH port 51 ( optional as authentication is usually done with ESP).


HTH


Jon

thotsaphon Wed, 06/06/2007 - 01:39

Many thanks Jon

Let me explain further.

I implemented site-to-site VPN and it was working just fine. When I configured the ip inspect command on the ISR router to make it act as a firewall, I couldn't use the site-to-site VPN anymore.

List of commands that I added on the ISR router:

ip inspect name myfirewall https
ip inspect name myfirewall http
ip inspect name myfirewall isakmp
ip inspect name myfirewall ipsec-msft


It still doesn't work. What is the command that I need to add?


Jon Marshall Wed, 06/06/2007 - 01:44

Hi


When you are using inspect, what does the access-list that you use allow? You will need to allow the ports and protocols in that access-list before you add a deny any any.


Does this make sense?


If not, could you post your router config minus any sensitive information?


Jon

srue Wed, 06/06/2007 - 05:45

Sidenote:

I don't think ASAs support AH, but that seems irrelevant to this thread.

thotsaphon Sun, 06/10/2007 - 00:32

Hi Jon

Many thanks for your help. Now I have achieved this goal. It looks like this:


For ip inspect:

ip inspect name GotoInternet http
ip inspect name GotoInternet https


To deny all traffic from the untrusted zone and allow the necessary ports for site-to-site VPN:

ip access-list extended DenyAnyTraffic
 permit udp host x.x.x.x any eq isakmp
 permit udp host x.x.x.x any eq non500-isakmp
 permit udp host x.x.x.x eq isakmp any
 permit esp host x.x.x.x any
 deny ip any any


I have already created the crypto map and then applied the parameters to the interface:

interface Serial0/1/1
 bandwidth 512
 ip address y.y.y.y 255.255.255.252
 ip access-group DenyAnyTraffic in
 ip nat outside
 ip inspect GotoInternet out
 ip virtual-reassembly
 crypto map XXX
!


Jon, you deserve a rating ;-)

L.Thot
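As an added check that is not part of the thread, the script below parses an IOS extended ACL like the one above and reports which of the IPsec permits the thread identifies (ISAKMP UDP 500, NAT-T UDP 4500, ESP) are missing or sit below the catch-all deny, where the router would never reach them. The peer address 192.0.2.1 is a constructed placeholder for the thread's x.x.x.x.

```python
"""Lint an IOS extended ACL for the entries a site-to-site IPsec tunnel needs."""

# Entries the thread shows as required on the outside ACL.  ESP has no port.
REQUIRED = {
    "isakmp": ("udp", {"isakmp", "500"}),
    "nat-t": ("udp", {"non500-isakmp", "4500"}),
    "esp": ("esp", None),
}

def parse_acl(text):
    """Return the ACL entries in order, skipping the header, remarks and '!'."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("!", "ip access-list", "remark")):
            continue
        tokens = line.split()
        # Collect every 'eq <port>' operand (source or destination side).
        ports = {tokens[i + 1] for i, t in enumerate(tokens)
                 if t == "eq" and i + 1 < len(tokens)}
        entries.append({"action": tokens[0], "proto": tokens[1],
                        "catch_all": tokens[2:4] == ["any", "any"],
                        "ports": ports, "text": line})
    return entries

def check_ipsec_acl(text):
    """Return sorted names of required permits not reachable before 'deny ip any any'."""
    seen = set()
    for e in parse_acl(text):
        if e["action"] == "deny" and e["proto"] == "ip" and e["catch_all"]:
            break  # later lines are shadowed by the catch-all deny
        if e["action"] != "permit":
            continue
        for name, (proto, ports) in REQUIRED.items():
            if e["proto"] == proto and (ports is None or e["ports"] & ports):
                seen.add(name)
    return sorted(set(REQUIRED) - seen)

# Constructed sample ACLs: the thread's working list, and one with ESP below the deny.
GOOD_ACL = """ip access-list extended DenyAnyTraffic
 permit udp host 192.0.2.1 any eq isakmp
 permit udp host 192.0.2.1 any eq non500-isakmp
 permit udp host 192.0.2.1 eq isakmp any
 permit esp host 192.0.2.1 any
 deny ip any any
"""
BAD_ACL = """ip access-list extended DenyAnyTraffic
 permit udp host 192.0.2.1 any eq isakmp
 deny ip any any
 permit esp host 192.0.2.1 any
"""

if __name__ == "__main__":
    print("good ACL missing:", check_ipsec_acl(GOOD_ACL))  # []
    print("bad ACL missing:", check_ipsec_acl(BAD_ACL))    # ['esp', 'nat-t']
```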
