08-04-2009 10:54 AM - edited 02-21-2020 04:18 PM
Hello, at work we have:
internet--cisco2600--firewall(openbsd)--LAN
On our LAN we have an FTP server; we have configured an IPsec VPN on OpenBSD using IKE (ESP) to secure our FTP over the internet.
Now, I want to configure my Cisco to pass IPsec passthrough packets. Can you help me please?
Thanks
08-04-2009 11:25 AM
Do you have any access-lists on the router? If not, it will pass everything through. If you have an acl on the outside interface on the router, you'll need to make sure that you allow:
esp
udp 500
HTH,
John
08-04-2009 01:05 PM
Let's say the Cisco 2600 public IP address is 1.1.1.1, the OpenBSD firewall's external IP facing the Cisco router is 192.168.1.1,
and the Cisco router interface connected to the OpenBSD firewall is 192.168.1.254. Here is how you do it:
interface f0/0
! outside (internet-facing) interface; the inbound ACL below is applied here
ip nat outside
ip address 1.1.1.1 255.255.255.252
ip access-group 100 in
interface f0/1
! inside interface toward the OpenBSD firewall
ip nat inside
ip address 192.168.1.254 255.255.255.0
! (no mask was given in the original; /24 is assumed here, adjust to your subnet)
! inbound filter on f0/0: IKE (udp/500), ESP (IP protocol 50) and NAT-T (udp/4500);
! anything else arriving on the outside interface hits the implicit deny at the end
access-list 100 permit udp any any eq 500 log
access-list 100 permit esp any any log
access-list 100 permit udp any any eq 4500 log
! static NAT: the three VPN flows arriving on the f0/0 address are handed to the firewall's external IP
ip nat inside source static udp 192.168.1.1 500 interface f0/0 500
ip nat inside source static esp 192.168.1.1 interface f0/0
ip nat inside source static udp 192.168.1.1 4500 interface f0/0 4500
Basically, anyone connecting to the Cisco 2600 will be forwarded to the OpenBSD firewall for VPN access. This works
for both remote access and L2L VPN.
Easy, right?
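To make the behaviour of that router config concrete, here is an added walk-through (example code written for this page, not part of the original post or Cisco's software) that models what the inbound side of f0/0 does to a packet: the inbound ACL is evaluated first on the untranslated packet, then the static NAT entries rewrite the destination. The addresses 1.1.1.1 and 192.168.1.1 are the ones from the post; the remote peer 203.0.113.5 and the sample packets are constructed for the example.

```python
"""Model of the inbound path on f0/0 for the VPN passthrough config in the post.

Order of operations on a Cisco router for traffic arriving on the outside
interface: the inbound ACL is checked first (it sees the public destination),
then outside-to-inside NAT rewrites the destination to the inside host.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

ROUTER_OUTSIDE = "1.1.1.1"        # f0/0 address from the post
FIREWALL_OUTSIDE = "192.168.1.1"  # OpenBSD external address from the post


@dataclass(frozen=True)
class Packet:
    proto: str                 # "esp", "udp" or "tcp"
    src: str
    dst: str
    sport: Optional[int] = None   # None for ESP, which has no ports
    dport: Optional[int] = None


# access-list 100 as posted, in order. A None port means "any port".
ACL_100 = [
    ("permit", "udp", 500),
    ("permit", "esp", None),
    ("permit", "udp", 4500),
]

# ip nat inside source static ... as posted: (proto, global port) -> (local ip, local port)
STATIC_NAT = {
    ("udp", 500): (FIREWALL_OUTSIDE, 500),
    ("esp", None): (FIREWALL_OUTSIDE, None),
    ("udp", 4500): (FIREWALL_OUTSIDE, 4500),
}


def acl_lookup(pkt: Packet) -> Tuple[str, Optional[int]]:
    """First-match evaluation of ACL 100; falls through to the implicit deny."""
    for index, (action, proto, dport) in enumerate(ACL_100):
        if pkt.proto != proto:
            continue
        if dport is not None and pkt.dport != dport:
            continue
        return action, index
    return "deny", None


def nat_outside_to_inside(pkt: Packet) -> Optional[Packet]:
    """Apply the static entries to a packet addressed to the router's outside IP."""
    key = (pkt.proto, None if pkt.proto == "esp" else pkt.dport)
    if pkt.dst != ROUTER_OUTSIDE or key not in STATIC_NAT:
        return None
    local_ip, local_port = STATIC_NAT[key]
    return Packet(pkt.proto, pkt.src, local_ip, pkt.sport, local_port)


def process_inbound(pkt: Packet) -> Tuple[str, Optional[Packet]]:
    """Return ("DROP", None), ("LOCAL", pkt) or ("FORWARD", translated_pkt)."""
    action, _ = acl_lookup(pkt)
    if action != "permit":
        return "DROP", None            # hit the implicit deny at the end of ACL 100
    translated = nat_outside_to_inside(pkt)
    if translated is None:
        return "LOCAL", pkt            # permitted but no static entry: stays on the router
    return "FORWARD", translated       # handed to the OpenBSD firewall


# Constructed sample traffic from a remote IPsec peer (documentation address).
PEER = "203.0.113.5"
SAMPLES = {
    "ike": Packet("udp", PEER, ROUTER_OUTSIDE, 500, 500),
    "esp": Packet("esp", PEER, ROUTER_OUTSIDE),
    "nat-t": Packet("udp", PEER, ROUTER_OUTSIDE, 4500, 4500),
    "https": Packet("tcp", PEER, ROUTER_OUTSIDE, 40000, 443),
}


def summarize() -> dict:
    """Verdict per sample flow, e.g. {"ike": "FORWARD", ..., "https": "DROP"}."""
    return {name: process_inbound(pkt)[0] for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        verdict, out = process_inbound(pkt)
        print(f"{name:6} {pkt.proto}/{pkt.dport or '-'} -> {verdict}"
              + (f" to {out.dst}" if verdict == "FORWARD" else ""))
```

The last sample is the caveat worth keeping in mind with this ACL: only the three VPN flows are permitted inbound on f0/0, so anything else addressed to the router's public IP, such as the TCP/443 packet here, is silently dropped by the implicit deny, and the `log` keyword on the permits only records the traffic that did get through.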