New Member

Order of Implementation regarding IPSec Packets and IOS Access Lists

Hi,

We have a 1721 router at a remote site connecting to a VPN 3000 concentrator using a pre-shared key and DES as the encryption.

Internal addressing at the central site is 172.16.x.x.

On the 1721, ethernet0 has IP address x.x.x.x and is connected to the VPN 3000 public interface y.y.y.y.

On the 1721 I have also applied an incoming access list that only permits packets from y.y.y.y and denies everything else.

But with this configuration the tunnel is established, but the packets from the 172.16.x.x network are blocked. If I add a "permit" entry for the 172.16.x.x network in the access list, then everything works.

However, this would cause a problem: even if I get 172.16.x.x packets from outside the tunnel (i.e. outside of our central office), they will also be allowed. I know that this is a remote possibility, but there are some networks that don't block outgoing packets destined for private address space.

It seems to me that the router first decrypts the packets and then applies the access list rules?

Is there a workaround for this? Or am I missing some configuration step?

4 REPLIES
Cisco Employee

Re: Order of Implementation regarding IPSec Packets and IOS Access Lists

What version of code are you running on the 1721?

Thanks

Nairi

New Member

Re: Order of Implementation regarding IPSec Packets and IOS Access Lists

Hi,

Thanks for the reply. The version is 12.2(11)T, which is pretty recent.

Cisco Employee

Re: Order of Implementation regarding IPSec Packets and IOS Access Lists

There is a bug open for this issue. The bug ID is CSCdm01118. It is not fixed yet. You have the option of allowing the private networks in the ACL or of using GRE over IPsec.

Hope this helps,

-Nairi
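Why the two options in this reply behave differently, as an added example that is not part of the thread: a small Python model of the inbound path the thread describes (the interface ACL is evaluated on the ESP packet when it arrives and again on the decrypted packet). The peer address y.y.y.y is taken from the thread; the ACL entry format, the central-site host 172.16.1.10 and the omission of ISAKMP traffic are assumptions made here.

```python
# Added example, not from the thread: a small model of the 1721 inbound path
# the thread describes (inbound ACL checked on arrival and again after
# decryption). Addresses and the ACL format are assumptions made here.
from dataclasses import dataclass
PEER = "y.y.y.y"  # VPN 3000 public interface, as named in the thread

@dataclass
class Packet:
    src: str
    proto: str            # "esp", "gre" or "ip" (plain payload)
    inner: object = None  # encapsulated packet, if any

def acl_permits(acl, pkt):
    """First-match ACL; entries are (source prefix, protocol or None, action)."""
    for src_prefix, proto, action in acl:
        if pkt.src.startswith(src_prefix) and proto in (None, pkt.proto):
            return action == "permit"
    return False  # implicit deny at the end of every IOS ACL

def ethernet0_inbound(pkt, phys_acl, tunnel_acl=None):
    """Fate of a packet arriving on ethernet0 with phys_acl applied inbound."""
    if not acl_permits(phys_acl, pkt):
        return "denied:outer"
    if pkt.proto == "esp":
        pkt = pkt.inner                  # decrypted payload
        if not acl_permits(phys_acl, pkt):
            return "denied:after-decrypt"  # the symptom in the thread
    if pkt.proto == "gre":               # GRE over IPsec: the inner packet
        pkt = pkt.inner                  # surfaces on the Tunnel interface,
        if tunnel_acl and not acl_permits(tunnel_acl, pkt):  # ACL lives there
            return "denied:tunnel"
    return "accepted:" + pkt.src

# Constructed ACLs and packets; 172.16.1.10 is an assumed central-site host.
PEER_ONLY = [(PEER, "esp", "permit"), (PEER, "gre", "permit")]
PEER_PLUS_PRIVATE = PEER_ONLY + [("172.16.", None, "permit")]
TUNNEL_ACL = [("172.16.", None, "permit")]
PRIVATE = Packet("172.16.1.10", "ip")  # via the tunnel, or spoofed in the clear

def plain_ipsec():
    tunnel = Packet(PEER, "esp", PRIVATE)
    return (ethernet0_inbound(tunnel, PEER_ONLY),           # blocked, as seen
            ethernet0_inbound(tunnel, PEER_PLUS_PRIVATE),   # works...
            ethernet0_inbound(PRIVATE, PEER_PLUS_PRIVATE))  # ...but so does this

def gre_over_ipsec():
    tunnel = Packet(PEER, "esp", Packet(PEER, "gre", PRIVATE))
    return (ethernet0_inbound(tunnel, PEER_ONLY, TUNNEL_ACL),
            ethernet0_inbound(PRIVATE, PEER_ONLY, TUNNEL_ACL))
```

With GRE over IPsec the physical interface ACL only ever needs to permit ESP and GRE from the peer, so a cleartext 172.16.x.x packet from anywhere else is dropped before it reaches the tunnel ACL.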

New Member

Re: Order of Implementation regarding IPSec Packets and IOS Access Lists

Thanks. This was very helpful.
