
How do I inspect when I use site-to-site VPN?

I was implementing a site-to-site VPN on an ISR router (Security IOS) and an ASA 5510 firewall.

What protocols do I need to inspect on the ISR router?

Please advise or point me to useful links.

Thanks in advance

5 REPLIES
Hall of Fame Super Blue

Re: How do I inspect when I use site-to-site VPN?

Hi

Not entirely sure what you mean. If you mean which protocols you need to allow for IPSEC to work:

UDP port 500

ESP port 50

AH port 51 (optional, as authentication is usually done with ESP).

HTH

Jon

Re: How do I inspect when I use site-to-site VPN?

Many thanks Jon

Let me explain further.

I implemented a site-to-site VPN that was working just fine. When I configure the ip inspect command on the ISR router to act as a firewall, I can't use the site-to-site VPN anymore.

List of commands that I added on the ISR router:

ip inspect name myfirewall https
ip inspect name myfirewall http
ip inspect name myfirewall isakmp
ip inspect name myfirewall ipsec-msft

It still doesn't work. What command do I need to add?

Hall of Fame Super Blue

Re: How do I inspect when I use site-to-site VPN?

Hi

When you are using inspect, what does the access-list that you use allow? You will need to allow the ports and protocols in that access-list before you add a deny any any.

Does this make sense?

If not, could you post your router config minus any sensitive information?

Jon

Gold

Re: How do I inspect when I use site-to-site VPN?

Side note:

I don't think ASAs support AH, but that seems irrelevant to this thread.

Re: How do I inspect when I use site-to-site VPN?

Hi Jon

Many thanks for your help. I have now achieved this goal. It looks like this:

For ip inspect:

ip inspect name GotoInternet http
ip inspect name GotoInternet https

To deny all traffic from the untrusted zone and allow the necessary ports for the site-to-site VPN:

ip access-list extended DenyAnyTraffic
 permit udp host x.x.x.x any eq isakmp
 permit udp host x.x.x.x any eq non500-isakmp
 permit udp host x.x.x.x eq isakmp any
 permit esp host x.x.x.x any
 deny ip any any

I had already created the crypto map, then applied the parameters to the interface:

interface Serial0/1/1
 bandwidth 512
 ip address y.y.y.y 255.255.255.252
 ip access-group DenyAnyTraffic in
 ip nat outside
 ip inspect GotoInternet out
 ip virtual-reassembly
 crypto map XXX
!

Jon, you deserve a rating ;-)

L.Thot
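As an added example (not from the thread or from Cisco), a small Python check that parses the ACL style shown above and reports which of the permits a site-to-site IPsec peer needs inbound (UDP 500 for ISAKMP, UDP 4500 for NAT-T, and ESP) are missing before the trailing deny ip any any, since IOS evaluates ACEs top to bottom. The ACL text is constructed from the thread and x.x.x.x is a placeholder for the peer.

```python
import re

# Port keywords as IOS prints them; numeric ports are also accepted.
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}

# What a site-to-site IPsec peer needs permitted inbound: (protocol, destination port).
REQUIRED = {("udp", 500), ("udp", 4500), ("esp", None)}

ACE_RE = re.compile(
    r"^(?P<action>permit|deny)\s+(?P<proto>\S+)\s+(?P<src>host \S+|any)"
    r"(?:\s+eq\s+\S+)?\s+(?P<dst>host \S+|any)(?:\s+eq\s+(?P<dport>\S+))?$"
)

def parse_ace(line):
    """Return (action, proto, src, dst, dport) for one ACE, or None for other lines."""
    m = ACE_RE.match(line.strip())
    if not m:
        return None
    dport = m.group("dport")
    if dport is not None:
        dport = int(dport) if dport.isdigit() else PORT_NAMES.get(dport)
    return m.group("action"), m.group("proto").lower(), m.group("src"), m.group("dst"), dport

def missing_ipsec_permits(acl_text):
    """Return the REQUIRED entries no permit covers before 'deny ip any any' (later ACEs never match)."""
    permitted = set()
    for line in acl_text.splitlines():
        ace = parse_ace(line)
        if ace is None:
            continue  # 'ip access-list extended ...' header or a remark
        action, proto, src, dst, dport = ace
        if (action, proto, src, dst) == ("deny", "ip", "any", "any"):
            break
        if action == "permit":
            permitted.add((proto, dport))
    return REQUIRED - permitted

# Constructed sample: the working ACL from the thread (x.x.x.x stands for the peer).
ACL_OK = """ip access-list extended DenyAnyTraffic
 permit udp host x.x.x.x any eq isakmp
 permit udp host x.x.x.x any eq non500-isakmp
 permit udp host x.x.x.x eq isakmp any
 permit esp host x.x.x.x any
 deny ip any any"""

# Constructed sample: only ISAKMP is permitted, so IKE negotiates but ESP is dropped.
ACL_BROKEN = """ip access-list extended DenyAnyTraffic
 permit udp host x.x.x.x any eq isakmp
 deny ip any any"""
```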
