ACL with IPSec-NAT on border router

colegul
Level 1

I have a border router (3640), connected directly to Internet and internally to a small LAN, which is doing NAT and IPSec. No public services are inside. Beside IOS firewall, how can I build an ACL, to allow crypto traffic and Internet browsing to work properly for users and block everything else. I thought of allowing IPSec to terminate at the outside interface, allow tcp established and deny everything else. Is this enough? What about UDP?

Thanks!

3 Replies

rajeshthayyath
Level 1

You can use the tcp established access-list to block all the incoming traffic except for those traffic originated from inside network. As you are terminating IPsec at the outside interface you don't have to do anything. If you want to extend IPsec to the inside network, you have to open port for UDP (500) and protocols AH (51) and ESP (50), based on which one you use or both. In this case you need to take care of allowing the traffic which is not in "established" state.

regards

So if I only permit tcp established and udp, and deny everything else (ip any any log), it should be enough?

Thanks!

That's right
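As an added example (not configuration from this thread or from any poster), here is one way to write the inbound ACL the thread is discussing for a border router that terminates IPsec on its own outside interface, NATs a LAN with no inbound services, and already runs the IOS firewall inspection the original post mentions. It is narrower than the "permit udp" variant in the thread: UDP is allowed only for ISAKMP from the known peer, and return traffic for the LAN's outbound DNS and other UDP sessions is left to the inspection rules instead. The interface name, addresses (203.0.113.0/30 and 198.51.100.1 are documentation ranges), peer address and the names OUTSIDE-IN, BORDER-FW and VPN are all assumptions chosen for the example.

```cisco
! Assumed for this example: outside interface Serial0/0 at 203.0.113.1,
! remote IPsec peer 198.51.100.1, crypto map named VPN already defined.

! IOS firewall (CBAC) inspection: sessions the LAN opens outbound get
! temporary return entries, so UDP replies (e.g. DNS) do not need a
! blanket "permit udp any any" in the inbound ACL.
ip inspect name BORDER-FW tcp
ip inspect name BORDER-FW udp

ip access-list extended OUTSIDE-IN
 remark -- IPsec to this router only, and only from the known peer --
 permit udp host 198.51.100.1 host 203.0.113.1 eq isakmp
 permit esp host 198.51.100.1 host 203.0.113.1
 permit ahp host 198.51.100.1 host 203.0.113.1
 remark -- replies to TCP sessions the LAN opened (ACK or RST bit set) --
 permit tcp any any established
 remark -- keep path MTU discovery working for users' sessions --
 permit icmp any any packet-too-big
 remark -- everything else, logged so probes are visible --
 deny ip any any log

interface Serial0/0
 ip address 203.0.113.1 255.255.255.252
 ip access-group OUTSIDE-IN in
 ip inspect BORDER-FW out
 crypto map VPN
```

Two points worth checking before relying on this. The "established" keyword only matches TCP packets with the ACK or RST bit set; it is not a state table, which is why the inspection rules, not that line, are what let UDP replies through. And on older IOS releases, a packet decrypted from the tunnel is evaluated against the interface's inbound ACL a second time in the clear, so if the tunnel carries remote-LAN-to-local-LAN traffic an entry permitting that remote subnet would also be required (newer releases bypass the interface ACL for decrypted packets); check the behaviour of the release on the 3640 with a test flow and the log counters of the deny line.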