Appropriate filters on ext interface regarding encrypted traffic
I have a single DES encrypted tunnel between a 2621 and a 1710, each network being private, NAT'ed, etc. (similar to the article titled 'Configuring IPSec Router-to-Router, Pre-Shared, NAT Overload Between Private Networks'). The connection comes up QM_IDLE fine and works.
On my external interfaces I have filters on inbound traffic acting as a firewall. I was under the impression that any traffic that was encrypted did not have to be allowed through the inbound filters on the opposite router, but rather that all encrypted traffic bypassed that filter. It appears that is not true and that I must allow my private net traffic through those inbound filters (for practical purposes, all IP traffic from that private net).
The security issue I see with this is: if my private numbering on one of my networks (netA) is the same as another company's network that shares a subnet on a high speed ISP with another network of mine (netB), then in theory my inbound filter on netB will allow not only all encrypted IP netA traffic but also all IP traffic from the other company utilizing the same ISP.
- Is my understanding correct?
- Is there a better way to set up permits on my external interfaces' inbound filters (than just to allow all of the other nets' IP traffic)?
- Are there any articles explaining the most secure way to set up these filters to work with the crypto tunnels?
- If I allow all encrypted IP traffic through my external filters, how do I know it's even encrypted?
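The risk described in the post, as an added example that is not part of the original thread: a small Python model of IOS extended-ACL matching compares an inbound list that permits all IP from the remote private range against one that permits only ISAKMP (UDP 500) and ESP from the peer's public address, using constructed addresses (198.51.100.1 for this router's outside interface, 203.0.113.1 for the IPsec peer, 10.1.0.0/16 for netA). It models only the check on the packet as it arrives on the wire; whether the decrypted payload is then checked again against the same inbound list (what the poster observes) depends on the IOS version.

```python
import ipaddress
from collections import namedtuple
# A wire packet as it arrives on the outside interface (constructed sample data).
Packet = namedtuple("Packet", "src dst proto dport", defaults=(0,))

def _addr(tokens):
    """Consume one IOS address spec: 'any' | 'host A' | 'A WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_acl(text):
    """Parse extended-ACL lines into (action, proto, src, dst, port) tuples."""
    acl = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto = t[0], t[1]
        src, t = _addr(t[2:])
        dst, t = _addr(t)
        acl.append((action, proto, src, dst, int(t[1]) if t[:1] == ["eq"] else None))
    return acl

def _in_net(addr, spec):
    """Cisco wildcard match: a 1 bit in the wildcard means 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, *spec))
    return (a | w) == (n | w)

def evaluate(acl, pkt):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, proto, src, dst, port in acl:
        if (proto in ("ip", pkt.proto) and _in_net(pkt.src, src)
                and _in_net(pkt.dst, dst) and port in (None, pkt.dport)):
            return action
    return "deny"

# Constructed addresses: 198.51.100.1 is this router's outside interface,
# 203.0.113.1 the IPsec peer, 10.1.0.0/16 the remote private network (netA).
LOOSE_ACL = parse_acl("""
permit udp host 203.0.113.1 host 198.51.100.1 eq 500
permit esp host 203.0.113.1 host 198.51.100.1
permit ip 10.1.0.0 0.0.255.255 any
""")
TIGHT_ACL = LOOSE_ACL[:2]  # same list without the blanket permit for netA's range
# Constructed wire packets: the peer's ESP, and a plaintext packet that merely
# carries netA's numbering (e.g. another customer on the same ISP segment).
ESP_FROM_PEER = Packet("203.0.113.1", "198.51.100.1", "esp")
CLEAR_SAME_NUMBERING = Packet("10.1.2.3", "198.51.100.1", "tcp", 23)

def compare():
    """{acl name: (verdict for the peer's ESP, verdict for the plaintext packet)}."""
    return {name: (evaluate(acl, ESP_FROM_PEER), evaluate(acl, CLEAR_SAME_NUMBERING))
            for name, acl in (("loose", LOOSE_ACL), ("tight", TIGHT_ACL))}
```

With the tight list, the only way traffic from netA's range reaches the inside is as ESP from the peer, which is also the answer to "how do I know it's encrypted": nothing else from that range is admitted on the wire.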