
New Member

vpn traffic & fields

Hi Netpro Team,

Could you please answer the queries...

Query 1: May I know what fields get attached while VPN traffic is passing through a tunnel?

Query 2: Which mechanism is used to calculate the number of ACLs in an ASA?

Query 3: What is the difference between router and firewall ACLs?

Regards


12 REPLIES
Super Bronze

vpn traffic & fields

Query 1: Do you mean which protocols and ports VPN traffic uses? I assume that you mean IPsec VPN, so they are normally UDP/500, UDP/4500, ESP, and/or AH.

Query 2: The number of lines in the output of "show access-list", which includes the expansion of the ACL if an object-group is created.

Query 3: Cisco routers use wildcard masks while Cisco firewalls use netmasks. Router ACLs are stateless, while firewall ACLs are stateful, which means you only need to configure the ACL in one direction, i.e. where the traffic is initiated.

Hope that answers your questions.
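The two ASA points above (ACL line counting with object-group expansion, and netmask versus wildcard mask) modelled in a small script. This is an added example, not code from the thread or from Cisco; the object-group names, addresses and ACEs are constructed for illustration, and the expansion model counts the per-combination entries that the ASA lists under each parent ACE (the real output also prints the unexpanded parent line above them).

```python
"""Model of ASA ACL expansion and router/firewall mask conversion (added example)."""
import ipaddress
from itertools import product

# Constructed object-groups (hypothetical names and addresses, not from the thread).
NETWORK_GROUPS = {
    "INSIDE_HOSTS": ["host 10.10.1.10", "host 10.10.1.11", "host 10.10.1.12"],
    "DMZ_WEB": ["host 192.0.2.10", "192.0.2.32 255.255.255.224"],
}
SERVICE_GROUPS = {
    "WEB_PORTS": ["tcp eq 80", "tcp eq 443"],
}

# Constructed ACL: two ACEs, one referencing three object-groups and one referencing one.
SAMPLE_ACL = [
    {"action": "permit", "service": "object-group WEB_PORTS",
     "src": "object-group INSIDE_HOSTS", "dst": "host 192.0.2.10"},
    {"action": "permit", "service": "ip", "src": "any", "dst": "object-group DMZ_WEB"},
]


def _members(token, groups):
    """Resolve 'object-group NAME' to its member list; any other token is a single literal."""
    if token.startswith("object-group "):
        return groups[token.split(" ", 1)[1]]
    return [token]


def expand_ace(ace):
    """Return the individual entries one ACE contributes once its object-groups are expanded.

    The ASA produces the cartesian product of service x source x destination members,
    which is why a short ACL with large groups can have a much larger element count.
    """
    services = _members(ace["service"], SERVICE_GROUPS)
    sources = _members(ace["src"], NETWORK_GROUPS)
    dests = _members(ace["dst"], NETWORK_GROUPS)
    lines = []
    for svc, src, dst in product(services, sources, dests):
        proto, _, port = svc.partition(" ")          # "tcp eq 80" -> ("tcp", "eq 80")
        lines.append(f"{ace['action']} {proto} {src} {dst} {port}".strip())
    return lines


def count_elements(acl):
    """Number of expanded elements, the figure that grows when object-groups are used."""
    return sum(len(expand_ace(ace)) for ace in acl)


def wildcard_to_netmask(wildcard):
    """IOS wildcard (0 bit = must match) -> ASA netmask (1 bit = must match)."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))))


def netmask_to_wildcard(netmask):
    """The conversion is a bitwise inversion, so it is its own inverse."""
    return wildcard_to_netmask(netmask)


def _is_ipv4(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def router_to_asa_ace(ace):
    """Rewrite the 'address wildcard' pairs of an IOS ACE into the 'address netmask' form.

    'host X' and 'any' are left untouched; only an IPv4 address directly followed by
    another IPv4 address (the wildcard) is converted.
    """
    toks = ace.split()
    out, i = [], 0
    while i < len(toks):
        tok = toks[i]
        if tok == "host":
            out.extend(toks[i:i + 2])
            i += 2
        elif _is_ipv4(tok) and i + 1 < len(toks) and _is_ipv4(toks[i + 1]):
            out.extend([tok, wildcard_to_netmask(toks[i + 1])])
            i += 2
        else:
            out.append(tok)
            i += 1
    return " ".join(out)


if __name__ == "__main__":
    for ace in SAMPLE_ACL:
        for line in expand_ace(ace):
            print(line)
    print("elements:", count_elements(SAMPLE_ACL))
    print(router_to_asa_ace("permit tcp 10.10.1.0 0.0.0.255 host 192.0.2.10 eq 80"))
```

Running the script prints the eight expanded entries (2 services x 3 hosts x 1 destination, plus 1 x 1 x 2), which is the count a practitioner should expect "show access-list" to report for an ACL of only two configured lines; the last line shows the same ACE in router and ASA mask form.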

New Member

vpn traffic & fields

Thanks Jennifer,

I was looking for the answer "Router ACL is stateless, while firewall ACL is stateful"!

For the first query, please confirm if the below would suit.

[ipheader] + [AH-ESP] + [Payload]

     where ipheader = ip.src + ip.srcport + ip.dst + ip.dstport

And would the traffic flow of IPsec traffic be as given below?

receive-pkt -> ingress interface -> received pkt -> check conn table -> check xlate -> check acl -> vpn-crypto-match -> check inspect-csc -> check nat-ip-header -> check ips -> egress interface -> check routing -> check L2-addr -> transmit packet

Thanks in advance...

Super Bronze

vpn traffic & fields

[ipheader] only includes ip.src + ip.dst, as IP doesn't have ports.

Here is a doc on AH and ESP packet for your reference:

http://www.cisco.com/en/US/partner/tech/tk543/tk757/technologies_tech_note09186a00800b3d15.shtml#t2

Here is a packet flow through ASA firewall:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080ba9d00.shtml

New Member

vpn traffic & fields

Oops, sorry. I knew that: the IP header has only IPs and the TCP header has the ports. Sorry.

The link below is not working for AH/ESP:

http://www.cisco.com/en/US/partner/tech/tk543/tk757/technologies_tech_note09186a00800b3d15.shtml#t2

Super Bronze

vpn traffic & fields

New Member

vpn traffic & fields

Sorry, it does not open; it gives "Forbidden File or Application".

Could you please download the same and share it?

Super Bronze

vpn traffic & fields

Please try closing your browser, or try another browser, as that URL is public and you should be able to access it:

http://www.cisco.com/en/US/customer/tech/tk543/tk757/technologies_tech_note09186a00800b3d15.shtml#t2

New Member

vpn traffic & fields

Hi,

Can you please tell me what fields get attached to the IP header when IPsec traffic is going through a GRE tunnel?

Super Bronze

vpn traffic & fields

For GRE over IPSec, it would be:

[ipheader] + [ESP] + [GRE] + [Payload]

New Member

vpn traffic & fields

Thanks for the update.

If we talk more specifically, for example, there is a GRE tunnel between the peers 172.16.1.1-2, and the two networks at both ends are 10.10.1.0/24 and 10.10.2.0/24 with OSPF running. Then what are all the fields that get added here if we go in depth?

Super Bronze

vpn traffic & fields

With GRE tunnels, it would be:

[GRE: source: 172.16.1.1 destination: 172.16.1.2] + [Payload: source: 10.10.1.0/24 + destination: 10.10.2.0/24]

Traffic will be routed through the GRE tunnel; the remote GRE tunnel interface will strip off the GRE header, and the packet will be routed towards the destination subnet.
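The encapsulation and decapsulation described above, carried through at the byte level with the thread's addresses (tunnel peers 172.16.1.1/172.16.1.2, inner hosts chosen from 10.10.1.0/24 and 10.10.2.0/24, an OSPF payload since OSPF runs over the tunnel). This is an added example, not code from the thread or from Cisco; the inner host addresses and the payload bytes are constructed. It builds the outer IPv4 header (protocol 47 = GRE), the 4-byte GRE header (protocol type 0x0800 = IPv4) and the inner packet, then does what the remote tunnel interface does: validates the outer header, skips the GRE header (including any optional checksum/key/sequence fields its flag bits announce) and hands the inner packet back for routing. For the GRE-over-IPsec layout from earlier in the thread, ESP would sit between the outer IP header and the GRE header and encrypt everything from GRE onward; that layer needs keying and a cipher, so it is not modelled here.

```python
"""GRE encapsulation/decapsulation at the byte level (added example, not from the thread)."""
import struct
import ipaddress

IPPROTO_GRE = 47        # outer IP header protocol field for GRE
IPPROTO_OSPF = 89       # inner packet carries OSPF, as in the thread's scenario
ETHERTYPE_IPV4 = 0x0800  # GRE protocol type for an IPv4 payload

# GRE flag bits (RFC 2784/2890) that add optional 32-bit fields after the base header.
GRE_FLAG_CHECKSUM = 0x8000
GRE_FLAG_KEY = 0x2000
GRE_FLAG_SEQUENCE = 0x1000


def ipv4_checksum(header):
    """Standard one's-complement checksum; returns 0 when run over a header that already carries its checksum."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=64, ident=0):
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt):
    """Validate the header checksum and return the fields a router looks at."""
    ver_ihl, _, total, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": pkt[ihl:total]}


def gre_encapsulate(inner_packet, tunnel_src, tunnel_dst):
    """What the local tunnel interface does: prepend a base GRE header and a new outer IP header."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)   # flags/version = 0, protocol type = IPv4
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_GRE, gre + inner_packet)


def gre_decapsulate(outer_packet):
    """What the remote tunnel interface does: strip outer IP and GRE, return the inner packet."""
    outer = parse_ipv4(outer_packet)
    if outer["proto"] != IPPROTO_GRE:
        raise ValueError("outer packet is not GRE")
    flags_ver, proto_type = struct.unpack("!HH", outer["payload"][:4])
    if flags_ver & 0x0007 != 0:
        raise ValueError("unsupported GRE version")
    if proto_type != ETHERTYPE_IPV4:
        raise ValueError("GRE payload is not IPv4")
    offset = 4
    if flags_ver & GRE_FLAG_CHECKSUM:   # checksum + reserved1
        offset += 4
    if flags_ver & GRE_FLAG_KEY:
        offset += 4
    if flags_ver & GRE_FLAG_SEQUENCE:
        offset += 4
    return outer["payload"][offset:]


def layer_layout(outer_packet):
    """Byte offsets of each header, in the bracket notation used in the thread."""
    outer = parse_ipv4(outer_packet)
    inner_bytes = gre_decapsulate(outer_packet)
    inner = parse_ipv4(inner_bytes)
    gre_len = len(outer["payload"]) - len(inner_bytes)
    return [(f"IP {outer['src']} -> {outer['dst']}", 0, 20),
            ("GRE", 20, gre_len),
            (f"IP {inner['src']} -> {inner['dst']}", 20 + gre_len, 20),
            ("payload", 40 + gre_len, len(inner["payload"]))]


if __name__ == "__main__":
    inner = build_ipv4("10.10.1.5", "10.10.2.7", IPPROTO_OSPF, b"OSPF hello (constructed)")
    outer = gre_encapsulate(inner, "172.16.1.1", "172.16.1.2")
    for name, off, length in layer_layout(outer):
        print(f"[{name}] offset {off} length {length}")
    print("decapsulated packet matches original:", gre_decapsulate(outer) == inner)
```

Running it prints the stack as [IP 172.16.1.1 -> 172.16.1.2] + [GRE] + [IP 10.10.1.5 -> 10.10.2.7] + [payload], with 24 bytes of tunnel overhead (20 outer IP + 4 GRE) per packet, which is the figure to subtract when setting the tunnel MTU.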

New Member

vpn traffic & fields

Thanks for the update.
