08-27-2001 02:42 PM - edited 02-21-2020 11:24 AM
I have a border router (3640), connected directly to the Internet and internally to a small LAN, which is doing NAT and IPSec. No public services are inside. Besides the IOS firewall, how can I build an ACL to allow crypto traffic and Internet browsing to work properly for users and block everything else? I thought of allowing IPSec to terminate at the outside interface, allowing tcp established, and denying everything else. Is this enough? What about UDP?
Thanks!
08-31-2001 08:02 AM
You can use the tcp established access-list to block all incoming traffic except for traffic originating from the inside network. As you are terminating IPSec at the outside interface, you don't have to do anything. If you want to extend IPSec to the inside network, you have to open UDP port 500 and protocols AH (51) and ESP (50), based on which one you use, or both. In this case you need to take care of allowing the traffic which is not in the "established" state.
regards
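As an added example (not posted by anyone in this thread), here is what the inbound ACL described in the answer above looks like on the outside interface of a 3640 running classic IOS. The interface name Serial0/0 and the outside address 203.0.113.2 are assumptions, as is NAT overload onto that interface address; the thread gives neither.

```cisco
! Added example, not from the original thread.
! Assumed (not stated in the post): outside interface Serial0/0 with
! address 203.0.113.2, and the LAN NATted (overload) behind that address.
!
ip access-list extended OUTSIDE-IN
 ! IPSec to the router's own outside address, as the answer lists:
 ! ISAKMP (UDP 500), ESP (IP protocol 50) and AH (IP protocol 51).
 ! Drop the ahp line if only ESP is configured in the transform set.
 permit udp any host 203.0.113.2 eq isakmp
 permit esp any host 203.0.113.2
 permit ahp any host 203.0.113.2
 !
 ! Return traffic for TCP sessions opened from the inside.
 ! "established" only matches segments with ACK or RST set; it is not
 ! a connection table.
 permit tcp any host 203.0.113.2 established
 !
 ! "established" never matches UDP. DNS answers for browsing come back
 ! over UDP, so they need their own permit. This is the narrow form:
 ! source port 53, destination the NAT address on a high port
 ! (assumes NAT overload picks ports above 1023).
 permit udp any eq domain host 203.0.113.2 gt 1023
 !
 ! Everything else is dropped and logged, as the thread proposes.
 deny ip any any log
!
interface Serial0/0
 ip access-group OUTSIDE-IN in
```

The ESP/AH/ISAKMP lines only need to match the router's own address because the original poster terminates the tunnel on the outside interface; if the tunnel were instead passed through to an inside host, the destination would be that host's translated address. Since the "established" keyword is just a flag check, inbound segments with ACK set are accepted whether or not an inside host ever opened the session; the IOS Firewall (CBAC, `ip inspect`) or a reflexive ACL gives genuinely stateful handling of return TCP and UDP traffic.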
09-01-2001 01:50 PM
So if I only permit tcp established and udp, and deny everything else (deny ip any any log), it should be enough?
Thanks!
09-07-2001 01:27 PM
That's right.