IPSec and auth-proxy on the same interface for different users

Hi,

On a 2611 router I would like to have, at the same time, an IPSec dynamic crypto map for internal users coming from the Internet and the auth-proxy feature for public users. As the order of operations on the input interface is ACL-in -> decrypt -> ACL-in, a user that spoofed an IP address received over the IPSec tunnel could have access to my network, as this address is authorized in my ACL.

Any hints helping me to secure this will be welcome!

2 REPLIES
Re: IPSec and auth-proxy on the same interface for different use

Re: IPSec and auth-proxy on the same interface for different use

Thanks for the link, but I already took a look there and no example treats my case. The difficulty in this configuration is that I have two types of clients connecting to the network:

- public users that are authenticated through auth-proxy with TACACS+ and a dynamic ACL received from the TACACS+ server

- private users that are NOT using auth-proxy but are using an IPSec tunnel (authentication is also done by the TACACS+ server).

A solution would be to create a dynamic access-list for the private users, as is done for the public users, but I didn't find any example on CCO of how to transmit an access-list to the router once the IPSec user has been authenticated....

Thanks for any help!

Francois
