06-05-2007 06:27 PM - edited 03-11-2019 03:25 AM
I was implementing site-to-site VPN on the ISR router (Security IOS) and the ASA 5510 firewall.
What are the protocols that I need to inspect on the ISR router?
Please advise or point me to useful links.
Thanks in advance
06-06-2007 12:12 AM
Hi
Not entirely sure what you mean. If you mean which protocols you need to allow for IPSEC to work:
UDP port 500
ESP port 50
AH port 51 ( optional as authentication is usually done with ESP).
HTH
Jon
06-06-2007 01:39 AM
Many thanks Jon
Let me explain further.
I implemented site-to-site VPN and it is working just fine. When I configure the ip inspect command on the router to do firewalling on the ISR router, I can't use the site-to-site VPN anymore.
List of commands that I added on the ISR router:
ip inspect name myfirewall https
ip inspect name myfirewall http
ip inspect name myfirewall isakmp
ip inspect name myfirewall ipsec-msft
It still doesn't work. What command do I need to add?
06-06-2007 01:44 AM
Hi
When you are using inspect, what does the access-list that you use allow? You will need to allow the ports and protocols in that access-list before you add a deny any any.
Does this make sense?
If not, could you post your router config minus any sensitive information.
Jon
06-06-2007 05:45 AM
Sidenote:
I don't think ASAs support AH, but that seems irrelevant to this thread.
06-10-2007 12:32 AM
Hi Jon
Many thanks for your help. I have now achieved this goal. It looks like this:
For ip inspect:
ip inspect name GotoInternet http
ip inspect name GotoInternet https
To deny all traffic from the untrusted zone and allow the necessary ports for the site-to-site VPN:
ip access-list extended DenyAnyTraffic
permit udp host x.x.x.x any eq isakmp
permit udp host x.x.x.x any eq non500-isakmp
permit udp host x.x.x.x eq isakmp any
permit esp host x.x.x.x any
deny ip any any
I have already created the crypto map, then applied the parameters to the interface:
interface Serial0/1/1
bandwidth 512
ip address y.y.y.y 255.255.255.252
ip access-group DenyAnyTraffic in
ip nat outside
ip inspect GotoInternet out
ip virtual-reassembly
crypto map XXX
!
Jon, you deserve a rating ;-)
L.Thot
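Added example, not from the thread or from Cisco: a small Python checker that parses an extended ACL written like the DenyAnyTraffic list above and evaluates it first-match, so you can confirm the inbound ACL admits the peer's IKE (UDP 500), NAT-T (UDP 4500, the non500-isakmp keyword) and ESP traffic and nothing from other sources. The peer and local addresses are constructed placeholders standing in for x.x.x.x and y.y.y.y.

```python
import ipaddress

# Constructed sample input: the DenyAnyTraffic ACL from the thread, with
# placeholder addresses for the peer (x.x.x.x) and the local outside interface.
PEER, LOCAL = "203.0.113.10", "192.0.2.1"
ACL_TEXT = f"""permit udp host {PEER} any eq isakmp
permit udp host {PEER} any eq non500-isakmp
permit udp host {PEER} eq isakmp any
permit esp host {PEER} any
deny ip any any"""

PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}  # IOS port keywords -> UDP ports

def parse_addr(toks):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (network, remaining tokens)."""
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    mask = (~int(ipaddress.ip_address(toks[1]))) & 0xFFFFFFFF  # wildcard -> netmask
    net = ipaddress.ip_network((toks[0], str(ipaddress.ip_address(mask))), strict=False)
    return net, toks[2:]

def parse_port(toks):
    """Consume an optional 'eq PORT' (keyword or number); return (port or None, rest)."""
    if toks[:1] == ["eq"]:
        port = PORT_NAMES[toks[1]] if toks[1] in PORT_NAMES else int(toks[1])
        return port, toks[2:]
    return None, toks

def parse_rule(line):
    """Parse one ACE: ACTION PROTO SRC [eq SPORT] DST [eq DPORT]."""
    toks = line.split()
    action, proto, rest = toks[0], toks[1], toks[2:]
    src, rest = parse_addr(rest)
    sport, rest = parse_port(rest)
    dst, rest = parse_addr(rest)
    dport, rest = parse_port(rest)
    return {"action": action, "proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}

def acl_verdict(rules, proto, src, dst, sport=None, dport=None):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for r in rules:
        if r["proto"] not in ("ip", proto):
            continue
        if ipaddress.ip_address(src) not in r["src"] or ipaddress.ip_address(dst) not in r["dst"]:
            continue
        if r["sport"] not in (None, sport) or r["dport"] not in (None, dport):
            continue
        return r["action"]
    return "deny"

def ipsec_peer_allowed(rules, peer, local, nat_t=False):
    """Check that the inbound ACL admits the flows a site-to-site tunnel needs."""
    flows = {"ike": ("udp", 500, 500), "esp": ("esp", None, None)}
    if nat_t:
        flows["nat-t"] = ("udp", 4500, 4500)  # only needed when a NAT sits between peers
    return {name: acl_verdict(rules, p, peer, local, sp, dp) == "permit"
            for name, (p, sp, dp) in flows.items()}

RULES = [parse_rule(line) for line in ACL_TEXT.splitlines()]
```

Running ipsec_peer_allowed(RULES, PEER, LOCAL, nat_t=True) reports every tunnel flow as permitted, while the same IKE packet from any other source address falls through to deny ip any any.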