Cisco Support Community
New Member

ACL with IPSec-NAT on border router

I have a border router (3640), connected directly to the Internet and internally to a small LAN, which is doing NAT and IPSec. No public services are inside. Besides the IOS firewall, how can I build an ACL to allow crypto traffic and Internet browsing to work properly for users and block everything else? I thought of allowing IPSec to terminate at the outside interface, allowing tcp established and denying everything else. Is this enough? What about UDP?

Thanks!

3 REPLIES
New Member

Re: ACL with IPSec-NAT on border router

You can use the tcp established access-list to block all the incoming traffic except for traffic originating from the inside network. As you are terminating ipsec at the outside interface you don't have to do anything. If you want to extend ipsec to the inside network, you have to open the port for udp (500) and the protocols AH (51) and ESP (50), depending on which one you use, or both. In this case you need to take care of allowing the traffic which is not in "established" state.

regards

New Member

Re: ACL with IPSec-NAT on border router

So if I only permit tcp established and udp, and deny everything else (ip any any log), it should be enough?

Thanks!

New Member

Re: ACL with IPSec-NAT on border router

That's right

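The following configuration is an added example and not part of any post in this thread. It puts the first reply's list (IKE on UDP/500, ESP, AH, and tcp established) into an inbound ACL on the outside interface, but narrows the UDP permit to ISAKMP from the VPN peer instead of a blanket "permit udp", and leaves UDP return traffic for inside users (DNS replies, for example) to the IOS firewall inspection the question already mentions. The interface name Serial0/0, the outside address 203.0.113.1, the peer address 198.51.100.1, the ACL name OUTSIDE-IN and the inspect rule name FW are all assumptions; the router's existing "ip nat outside" and "crypto map" lines on that interface are not shown and stay as they are.

```cisco
! Added example (not from the thread). Assumed values: outside interface Serial0/0
! with address 203.0.113.1/30, remote IPsec peer 198.51.100.1, NAT overload on the
! outside address (use the NAT pool address instead if one is configured).
!
ip access-list extended OUTSIDE-IN
 remark IKE (UDP/500), ESP (50) and AH (51) only from the VPN peer, only to our outside address
 permit udp host 198.51.100.1 host 203.0.113.1 eq isakmp
 permit esp host 198.51.100.1 host 203.0.113.1
 permit ahp host 198.51.100.1 host 203.0.113.1
 remark replies to TCP sessions that inside users opened
 remark "established" only checks for the ACK or RST flag, it keeps no session state
 permit tcp any host 203.0.113.1 established
 remark everything else, including unsolicited UDP, is dropped and logged
 deny ip any any log
!
! IOS firewall (CBAC): inspecting TCP and UDP leaving the outside interface adds
! temporary entries that let the matching return traffic back in past OUTSIDE-IN,
! so DNS and other UDP replies work without a "permit udp any any".
ip inspect name FW tcp
ip inspect name FW udp
!
interface Serial0/0
 ip address 203.0.113.1 255.255.255.252
 ip access-group OUTSIDE-IN in
 ip inspect FW out
```

To check the result, watch the hit counters with "show ip access-lists OUTSIDE-IN" while a user browses and while the tunnel is being brought up, confirm the dynamic entries with "show ip inspect sessions", and read the log messages generated by the final deny line; anything legitimate that shows up there (an extra peer, a NAT pool address) gets its own narrow permit above the deny rather than a wider protocol permit.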