I have 1 PIX configured with dynamic crypto map. The remote routers will dial to ISP and establish IPSec tunnels to PIX. How do I control the encrypted packet initiated from remote routers? Can PIX control/filter the encrypted packet after decryption?
Re: Control encrypted packet for dynamic crypto map
Do you mean you want to filter the packets from these remote sites after they've been decrypted by the PIX?
If so, you can't really do it easily. Usually in the PIX config you'll have a "sysopt connection permit-ipsec" command which allows IPSec packets into the PIX bypassing all the ACLs. If you don't have this, you have to create an ACL on your crypto interface that says "allow IPSec and ISAKMP packets into this interface". You really can't filter the decrypted packet at this point because the PIX doesn't see it.
About the only way to do it is to filter the packet as it is replied to by the internal host and comes into the inside interface of the PIX. This still allows the packet to reach the internal host, but stops the reply from getting back to the end user.
Alternatively, on the remote routers simply modify your crypto ACL to only include access to the specific hosts you want, rather than to the whole PIX inside subnet.
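As an added illustration of the two PIX-side options described above (not configuration from the original poster or the reply), here is a PIX 6.x-style fragment. The interface names, ACL names, the PIX outside address 203.0.113.10, the internal host 10.1.1.20 and the remote LAN 192.168.100.0/24 are all constructed placeholders:

```cisco
! Option A: do NOT rely on "sysopt connection permit-ipsec"; instead admit only
! the IPSec (ESP) and ISAKMP (UDP/500) traffic on the outside interface.
! The decrypted payload is still not filtered here, as the reply explains.
no sysopt connection permit-ipsec
access-list outside_access_in permit esp any host 203.0.113.10
access-list outside_access_in permit udp any host 203.0.113.10 eq isakmp
access-group outside_access_in in interface outside
!
! Option B: filter the reply as it comes back from the internal host into the
! inside interface. The inbound (decrypted) packet still reaches 10.1.1.20;
! only the return traffic toward the remote LAN is dropped.
access-list inside_access_in deny ip host 10.1.1.20 192.168.100.0 255.255.255.0
access-list inside_access_in permit ip any any
access-group inside_access_in in interface inside
!
! Dynamic crypto map as assumed by the question (transform set name is a placeholder).
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
```

When checking a box configured this way, confirm whether "sysopt connection permit-ipsec" is present: if it is, the outside ACL in Option A is bypassed for tunnel traffic and only Option B has any effect on the remote sites' sessions.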
My situation is: I have PIX with fixed public IP. The remote routers obtain dynamic IP from ISP and the router configuration is not UNDER MY CONTROL. The IPSec tunnels are initiated by remote routers. What is the best for me to control the IPSec traffic?
For PIX dynamic crypto map, the PIX will create crypto ACL which is a mirror of the remote router's crypto ACL.