Order of Implementation regarding IPSec Packets and IOS Access Lists

mnlatif
Level 3

Hi,

We have a 1721 router at a remote site connecting to a VPN3000 concentrator using pre-shared key and DES as encryption.

Internal addressing at central site is 172.16.x.x.

On the 1721, ethernet0 has IP address x.x.x.x, connected to the VPN 3000 public interface y.y.y.y.

On the 1721 I have also applied an incoming access list that only permits packets from y.y.y.y and denies everything else.

With this configuration the tunnel is established, but the packets from the 172.16.x.x network are blocked. If I add a permit entry for the 172.16.x.x network in the access list, then everything works.

However, this would cause a problem: even if I get 172.16.x.x packets from outside the tunnel (i.e. outside of our central office), they will also be allowed. I know that this is a remote possibility, but there are some networks that don't block outgoing packets destined for private address space.

It seems to me that the router first decrypts the packets and then applies the access list rules?

Is there a workaround for this? Or am I missing some configuration step?


Nairi Adamian
Cisco Employee

What version of code are you running on the 1721?

Thanks

Nairi

Hi,

Thanx for the reply. The version is 12.2(11)T, which is pretty recent.

There is a bug open for this issue. The bug ID is CSCdm01118. It is not fixed yet. You have the option of allowing the private networks in the ACL or using GRE over IPSEC.

Hope this helps,

-Nairi
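To illustrate the GRE over IPSEC option mentioned above, here is an added example configuration for the 1721 side; it is not from the thread or from Cisco, and it assumes the far end also terminates the GRE tunnel. The addresses are placeholders (192.0.2.1 stands for x.x.x.x, 198.51.100.1 for y.y.y.y, the tunnel /30 and the pre-shared key are made up). The point is that after decryption the inner packet is GRE from the peer, which the inbound list admits, while a bare 172.16.x.x packet arriving on ethernet0 from anywhere is still denied.

```cisco
! Added example, not the original poster's configuration.
! Placeholders: 192.0.2.1 = router public address (x.x.x.x),
!               198.51.100.1 = VPN 3000 public interface (y.y.y.y).
crypto isakmp policy 10
 encryption des
 authentication pre-share
 group 1
crypto isakmp key PLACEHOLDER_PSK address 198.51.100.1
!
crypto ipsec transform-set REMOTE esp-des esp-md5-hmac
!
! Only the GRE traffic between the two public addresses is encrypted;
! the 172.16.x.x packets travel inside the GRE tunnel.
access-list 110 permit gre host 192.0.2.1 host 198.51.100.1
!
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set REMOTE
 match address 110
!
! Inbound filter on the public interface: IKE, ESP and GRE from the peer only.
! The decrypted packet is GRE from 198.51.100.1 and matches the third line,
! so no "permit 172.16.0.0" entry is needed here; a spoofed 172.16.x.x packet
! arriving directly on Ethernet0 hits the final deny and is logged.
access-list 101 permit udp host 198.51.100.1 host 192.0.2.1 eq isakmp
access-list 101 permit esp host 198.51.100.1 host 192.0.2.1
access-list 101 permit gre host 198.51.100.1 host 192.0.2.1
access-list 101 deny ip any any log
!
interface Tunnel0
 ip address 10.255.255.2 255.255.255.252
 tunnel source Ethernet0
 tunnel destination 198.51.100.1
 crypto map VPN
!
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 ip access-group 101 in
 crypto map VPN
!
! Central-site networks are reached through the tunnel, so the decapsulated
! 172.16.x.x packets are evaluated on Tunnel0, not against list 101.
ip route 172.16.0.0 255.255.0.0 Tunnel0
```

The crypto map is applied to both Tunnel0 and Ethernet0, which is what 12.2-era IOS expected for GRE over IPSEC; a separate access list can be applied inbound on Tunnel0 if the 172.16.x.x traffic itself needs filtering.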

Thanx. This was very helpful.