I have a hub IOS router with CBAC enabled and ipsec tunnels coming in from spoke LANs over the internet.
The only way I have been able to get this working correctly is to allow the spoke private address ranges through the outside interface inbound access-list of the hub router, together with esp and isakmp from the remote vpn endpoint.
Otherwise traffic does not travel from spoke LAN to hub LAN.
e.g. (hub router config):
access-list 110 permit ip 10.0.0.0 0.0.15.255 10.2.128.0 0.0.15.255
I apply this access-list inbound, to the outside interface of my router.
The second and third lines of the access-list permit esp and isakmp, but it will not work unless I have the first line also, which defines traffic from the spoke internal network to the hub internal network address range.
Allowing these PRIVATE address ranges through to my internal network appears to be a security hole.
Is there any way I can allow the encrypted traffic through but not allow the private address range?
I still think that this is the only way to allow the traffic through. The routers don't have a command as in the PIX "sysopt connection permit-ipsec". IMHO this is the better way to go, using the ACL on the inbound interface, because you can limit what traffic is coming in.
As far as this being a security hole: if someone were to spoof these private addresses, the router will do a check on the traffic and see that it is supposed to be encrypted via the crypto map; therefore, if it is not encrypted, the traffic will just be dropped.
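A fuller hub-side configuration for the setup discussed in the question and the reply above, written as an added example rather than the poster's own config. The hub outside address 198.51.100.1, the spoke VPN endpoint 203.0.113.10, the ACL number 110, the CBAC inspection name and the crypto map and transform-set names are assumptions; the spoke LAN 10.0.0.0/20 and hub LAN 10.2.128.0/20 are taken from the access-list line in the question. It shows the three permit lines the question describes (isakmp and esp restricted to the peer's public address, plus the decrypted spoke-to-hub traffic), the crypto ACL that defines what the crypto map expects to arrive encrypted, and an explicit logged deny so that anything else, including spoofed clear-text 10.0.0.0/20 packets that fall out of the crypto check, can be seen in the log.

```cisco
! Hub router: outside interface on the internet, IPsec spoke tunnels terminating here.
! Example configuration, not the original poster's; all addresses and names are assumed.
!
! --- CBAC: inspect outbound sessions, open return traffic dynamically ---
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC icmp
!
! --- Inbound ACL on the outside interface ---
! Lines 1-2: IKE (udp/500) and ESP, only from the known spoke endpoint, only to our own address.
! Line 3:    decrypted spoke-LAN -> hub-LAN traffic; IOS re-checks the clear-text packet
!            against the inbound ACL after decryption, which is why this line is needed.
! Line 4:    explicit logged deny so that spoofed or stray packets are visible in the log.
access-list 110 remark IKE and ESP from the spoke VPN endpoint 203.0.113.10 (assumed)
access-list 110 permit udp host 203.0.113.10 host 198.51.100.1 eq isakmp
access-list 110 permit esp host 203.0.113.10 host 198.51.100.1
access-list 110 remark decrypted spoke LAN 10.0.0.0/20 to hub LAN 10.2.128.0/20
access-list 110 permit ip 10.0.0.0 0.0.15.255 10.2.128.0 0.0.15.255
access-list 110 deny   ip any any log
!
! --- Crypto ACL: hub LAN -> spoke LAN must be protected by the tunnel ---
! The mirror image of this ACL is what the crypto map expects inbound; a clear-text packet
! from 10.0.0.0/20 arriving on the outside interface matches it and is dropped, since it
! did not arrive inside ESP from the configured peer.
ip access-list extended SPOKE1-CRYPTO
 permit ip 10.2.128.0 0.0.15.255 10.0.0.0 0.0.15.255
!
! --- IKE phase 1 ---
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
! Replace CHANGE-ME with the real pre-shared key for this peer.
crypto isakmp key CHANGE-ME address 203.0.113.10
!
! --- IKE phase 2 ---
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map VPN-MAP 10 ipsec-isakmp
 description spoke 1
 set peer 203.0.113.10
 set transform-set TS-AES
 match address SPOKE1-CRYPTO
!
! --- Outside interface: ACL inbound, CBAC outbound, crypto map applied ---
interface GigabitEthernet0/0
 description Outside (internet)
 ip address 198.51.100.1 255.255.255.252
 ip access-group 110 in
 ip inspect CBAC out
 crypto map VPN-MAP
```

To confirm the behaviour the reply describes, send clear-text traffic sourced from 10.0.0.0/20 at the outside interface: it matches crypto ACL SPOKE1-CRYPTO (mirrored) but is not ESP from 203.0.113.10, so the crypto check drops it before it reaches the hub LAN, and "show crypto ipsec sa" for the peer shows no decaps for it. Genuine spoke traffic shows up as decaps on that SA and as matches on the third access-list line in "show access-lists 110".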