New Member

PIX IPSec Configuration

Hi,

We configured our PIX as below.

Here I would like to have a clarification regarding the implication of the access-lists.

As I attached the "infinet1" crypto map and the "acl_out" access-list to the outside interface, will any traffic coming under the "infinet1" access-lists (101, 102, 103, etc.) again undergo the conditions of the "acl_out" access-list or not?

We observed it is not happening!

The "acl_out" conditions are working fine with other traffic which is not falling under the IPSec access-lists.

I need to enforce these "acl_out" conditions on IPSec traffic also. How can I do it?

Regards

K V Babu

Here is my PIX configuration:

PIX520# sh config

: Saved

:

PIX Version 6.1(1)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 failover security10

nameif ethernet3 dialup security80

enable xxxxxxxx

passwd xxxxxxxx

hostname xxxxxxx

domain-name ciscopix.com

fixup protocol ftp 21

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

no fixup protocol smtp 25

no fixup protocol h323 1720

names

access-list acl_out permit icmp any any

access-list acl_out permit tcp any host 10.21.1.42 eq telnet

access-list acl_out permit tcp any host 10.21.1.43 eq 1414

access-list acl_out permit tcp any host 10.21.1.44 eq 1414

access-list acl_out permit tcp any host 10.21.1.34 eq smtp

access-list acl_out permit tcp any host 10.21.1.34 eq pop3

access-list acl_out permit tcp any host 10.21.1.34 eq 389

access-list acl_out permit tcp any host 10.21.1.34 eq 1414

access-list acl_out permit tcp any host 10.21.1.45 eq 1414

access-list acl_out permit tcp any host 10.21.1.59 eq telnet

access-list acl_out permit tcp any host 10.21.1.34 eq www

access-list acl_out permit tcp any host 10.21.1.57 eq 1414

access-list acl_out permit tcp any host 10.21.1.56 eq 1414

access-list acl_out permit tcp any host 10.21.1.55 eq telnet

access-list acl_out permit tcp any host 10.21.1.49 eq ftp

access-list acl_out permit tcp any host 10.21.1.49 eq ftp-data

access-list 101 permit ip 10.21.1.32 255.255.255.224 10.36.1.64 255.255.255.224

access-list 102 permit ip 10.21.1.32 255.255.255.224 10.36.1.32 255.255.255.224

access-list 103 permit ip 10.21.1.32 255.255.255.224 10.9.1.32 255.255.255.224

access-list 104 permit ip 10.21.1.32 255.255.255.224 10.40.1.32 255.255.255.224

access-list 105 permit ip 10.21.1.32 255.255.255.224 10.64.1.32 255.255.255.224

access-list 106 permit ip 10.21.1.32 255.255.255.224 10.59.1.64 255.255.255.224

access-list 107 permit ip 10.21.1.32 255.255.255.224 10.59.1.32 255.255.255.224

access-list 108 permit ip 10.21.1.32 255.255.255.224 10.47.1.32 255.255.255.224

access-list 109 permit ip 10.21.1.32 255.255.255.224 10.5.1.32 255.255.255.224

access-list 110 permit ip 10.21.1.32 255.255.255.224 10.5.1.128 255.255.255.224

access-list 111 permit ip 10.21.1.32 255.255.255.224 10.5.1.96 255.255.255.224

access-list 112 permit ip 10.21.1.32 255.255.255.224 10.42.1.32 255.255.255.224

access-list 113 permit ip 10.21.1.32 255.255.255.224 10.42.1.64 255.255.255.224

access-list 114 permit ip 10.21.1.32 255.255.255.224 10.17.1.32 255.255.255.224

access-list acl_dialup permit icmp any any

access-list acl_dialup permit tcp any host 192.168.2.9 eq 1414

access-list acl_dialup permit tcp any host 192.168.2.9 eq 1494

access-list 117 permit ip 10.21.1.32 255.255.255.224 10.1.1.32 255.255.255.224

access-list 118 permit ip 10.21.1.32 255.255.255.224 10.38.1.32 255.255.255.224

access-list 119 permit ip 10.21.1.32 255.255.255.224 10.49.1.32 255.255.255.224

access-list 120 permit ip 10.21.1.32 255.255.255.224 10.51.1.32 255.255.255.224

access-list 121 permit ip 10.21.1.32 255.255.255.224 10.15.1.32 255.255.255.224

access-list 122 permit ip 10.21.1.32 255.255.255.224 10.53.1.32 255.255.255.224

access-list 123 permit ip 10.21.1.32 255.255.255.224 10.27.1.64 255.255.255.224

access-list 124 permit ip 10.21.1.32 255.255.255.224 10.27.1.32 255.255.255.224

access-list 125 permit ip 10.21.1.32 255.255.255.224 10.27.1.128 255.255.255.224

access-list 126 permit ip 10.21.1.32 255.255.255.224 10.21.1.96 255.255.255.224

access-list 128 permit ip 10.21.1.32 255.255.255.224 10.27.1.96 255.255.255.224

access-list 130 permit ip 10.21.1.32 255.255.255.224 10.24.1.128 255.255.255.224

access-list 132 permit ip 10.21.1.32 255.255.255.224 10.24.1.32 255.255.255.224

access-list 134 permit ip 10.21.1.32 255.255.255.224 10.24.1.96 255.255.255.224

access-list 135 permit ip 10.21.1.32 255.255.255.224 10.34.1.64 255.255.255.224

access-list 136 permit ip 10.21.1.32 255.255.255.224 10.34.1.32 255.255.255.224

access-list 137 permit ip 10.21.1.32 255.255.255.224 10.55.1.128 255.255.255.224

access-list 138 permit ip 10.21.1.32 255.255.255.224 10.55.1.64 255.255.255.224

access-list 139 permit ip 10.21.1.32 255.255.255.224 10.19.1.32 255.255.255.224

access-list 140 permit ip 10.21.1.32 255.255.255.224 10.13.1.32 255.255.255.224

access-list 198 permit ip 10.21.1.32 255.255.255.224 10.0.0.0 255.255.0.0

access-list 197 permit ip 10.21.1.32 255.255.255.224 10.21.1.64 255.255.255.224

access-list 191 permit ip 10.21.1.32 255.255.255.224 10.21.1.128 255.255.255.224

access-list 115 permit ip 10.21.1.32 255.255.255.224 10.57.1.32 255.255.255.224

pager lines 20

logging on

logging timestamp

logging console alerts

logging monitor debugging

logging trap debugging

logging history debugging

logging host outside 10.0.67.250

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

interface ethernet3 auto

mtu outside 1500

mtu inside 1500

mtu failover 1500

mtu dialup 1500

ip address outside 10.21.1.35 255.255.255.224

ip address inside 172.16.22.50 255.255.255.0

ip address failover 192.168.1.1 255.255.255.0

ip address dialup 192.168.2.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

failover

failover timeout 0:00:00

failover poll 15

failover ip address outside 10.21.1.36

failover ip address inside 172.16.22.51

failover ip address failover 192.168.1.2

failover ip address dialup 192.168.2.2

failover link failover

pdm history enable

arp timeout 14400

global (outside) 1 10.21.1.62

global (dialup) 1 192.168.2.10-192.168.2.20

nat (inside) 1 172.16.150.1 255.255.255.255 0 0

nat (inside) 1 172.16.150.2 255.255.255.255 0 0

nat (inside) 1 172.16.150.3 255.255.255.255 0 0

nat (inside) 1 172.16.150.110 255.255.255.255 0 0

nat (inside) 1 172.16.150.150 255.255.255.255 0 0

nat (inside) 1 172.16.150.151 255.255.255.255 0 0

nat (inside) 1 172.16.150.153 255.255.255.255 0 0

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

nat (dialup) 1 192.168.2.0 255.255.255.0 0 0

static (inside,outside) 10.21.1.43 172.16.150.2 netmask 255.255.255.255 0 0

static (inside,outside) 10.21.1.44 172.16.150.3 netmask 255.255.255.255 0 0

static (inside,outside) 10.21.1.34 172.16.12.50 netmask 255.255.255.255 0 0

static (inside,outside) 10.21.1.42 172.16.150.151 netmask 255.255.255.255 0 0

static (inside,outside) 10.21.1.59 172.16.3.251 netmask 255.255.255.255 0 0

static (inside,outside) 10.21.1.45 172.16.150.1 netmask 255.255.255.255 0 0

static (inside,outside) 10.21.1.57 172.16.7.151 netmask 255.255.255.255 0 0

static (inside,outside) 10.21.1.56 172.16.13.50 netmask 255.255.255.255 0 0

static (inside,outside) 10.21.1.47 172.16.22.200 netmask 255.255.255.255 0 0

static (inside,outside) 10.21.1.55 172.16.22.2 netmask 255.255.255.255 0 0

static (dialup,outside) 10.21.1.46 192.168.2.3 netmask 255.255.255.255 0 0

static (inside,dialup) 192.168.2.9 172.16.150.2 netmask 255.255.255.255 0 0

static (inside,outside) 10.21.1.49 172.16.22.10 netmask 255.255.255.255 0 0

static (inside,outside) 10.21.1.58 172.16.10.58 netmask 255.255.255.255 0 0

access-group acl_out in interface outside

access-group acl_dialup in interface dialup

established tcp 0 1414 permitto tcp 1414 permitfrom tcp 1024-65535

route outside 10.0.0.0 255.0.0.0 10.21.1.41 1

route outside 10.0.0.0 255.0.0.0 10.21.1.50 2

route outside 10.0.0.0 255.0.0.0 10.21.1.33 3

route inside 172.16.0.0 255.255.0.0 172.16.22.243 1

route outside 202.54.63.221 255.255.255.255 10.21.1.41 1

route outside 203.197.140.9 255.255.255.255 10.21.1.41 1

timeout xlate 23:59:59

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

http server enable

http 172.16.25.2 255.255.255.255 inside

http 172.16.25.1 255.255.255.255 inside

snmp-server host inside 10.0.67.250

snmp-server host inside 172.16.7.206

no snmp-server location

no snmp-server contact

snmp-server community cmc

snmp-server enable traps

no floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set mumroset esp-des esp-sha-hmac

crypto ipsec transform-set mumroset1 esp-des esp-sha-hmac

crypto map infinet1 1 ipsec-isakmp

crypto map infinet1 1 match address 101

crypto map infinet1 1 set peer 10.36.254.10

crypto map infinet1 1 set transform-set mumroset1

crypto map infinet1 2 ipsec-isakmp

crypto map infinet1 2 match address 102

crypto map infinet1 2 set peer 10.36.254.6

crypto map infinet1 2 set peer 10.36.254.13

crypto map infinet1 2 set transform-set mumroset1

crypto map infinet1 3 ipsec-isakmp

crypto map infinet1 3 match address 103

crypto map infinet1 3 set peer 10.1.254.18

crypto map infinet1 3 set peer 10.1.254.21

crypto map infinet1 3 set peer 10.5.254.5

crypto map infinet1 3 set transform-set mumroset1

crypto map infinet1 4 ipsec-isakmp

crypto map infinet1 4 match address 104

crypto map infinet1 4 set peer 10.36.254.41

crypto map infinet1 4 set peer 10.36.254.22

crypto map infinet1 4 set transform-set mumroset1

crypto map infinet1 5 ipsec-isakmp

crypto map infinet1 5 match address 105

crypto map infinet1 5 set peer 10.51.254.33

crypto map infinet1 5 set peer 10.51.254.26

crypto map infinet1 5 set transform-set mumroset1

crypto map infinet1 6 ipsec-isakmp

crypto map infinet1 6 match address 106

crypto map infinet1 6 set peer 10.51.254.42

crypto map infinet1 6 set transform-set mumroset1

crypto map infinet1 7 ipsec-isakmp

crypto map infinet1 7 match address 107

crypto map infinet1 7 set peer 10.1.254.74

crypto map infinet1 7 set transform-set mumroset1

crypto map infinet1 8 ipsec-isakmp

crypto map infinet1 8 match address 108

crypto map infinet1 8 set peer 10.36.254.34

crypto map infinet1 8 set peer 10.36.254.38

crypto map infinet1 8 set transform-set mumroset1

crypto map infinet1 9 ipsec-isakmp

crypto map infinet1 9 match address 109

crypto map infinet1 9 set peer 10.5.254.14

crypto map infinet1 9 set peer 10.5.1.205

crypto map infinet1 9 set transform-set mumroset1

crypto map infinet1 10 ipsec-isakmp

crypto map infinet1 10 match address 110

crypto map infinet1 10 set peer 10.5.254.10

crypto map infinet1 10 set transform-set mumroset1

crypto map infinet1 11 ipsec-isakmp

crypto map infinet1 11 match address 111

crypto map infinet1 11 set peer 10.1.254.54

crypto map infinet1 11 set transform-set mumroset1

crypto map infinet1 12 ipsec-isakmp

crypto map infinet1 12 match address 112

crypto map infinet1 12 set peer 10.36.254.26

crypto map infinet1 12 set transform-set mumroset1

crypto map infinet1 13 ipsec-isakmp

crypto map infinet1 13 match address 113

crypto map infinet1 13 set peer 10.1.254.58

crypto map infinet1 13 set transform-set mumroset1

crypto map infinet1 14 ipsec-isakmp

crypto map infinet1 14 match address 114

crypto map infinet1 14 set peer 10.5.254.26

crypto map infinet1 14 set peer 10.5.254.29

crypto map infinet1 14 set transform-set mumroset1

crypto map infinet1 15 ipsec-isakmp

crypto map infinet1 15 match address 115

crypto map infinet1 15 set peer 10.51.254.21

crypto map infinet1 15 set peer 10.51.254.18

crypto map infinet1 15 set transform-set mumroset

crypto map infinet1 16 ipsec-isakmp

crypto map infinet1 16 match address 198

crypto map infinet1 16 set peer 10.1.254.46

crypto map infinet1 16 set transform-set mumroset1

crypto map infinet1 17 ipsec-isakmp

crypto map infinet1 17 match address 117

crypto map infinet1 17 set peer 10.2.254.6

crypto map infinet1 17 set transform-set mumroset1

crypto map infinet1 18 ipsec-isakmp

crypto map infinet1 18 match address 118

crypto map infinet1 18 set peer 10.36.254.17

crypto map infinet1 18 set peer 10.36.254.14

crypto map infinet1 18 set peer 10.36.254.21

crypto map infinet1 18 set transform-set mumroset1

crypto map infinet1 19 ipsec-isakmp

crypto map infinet1 19 match address 119

crypto map infinet1 19 set peer 10.36.254.30

crypto map infinet1 19 set peer 10.36.254.37

crypto map infinet1 19 set transform-set mumroset1

crypto map infinet1 20 ipsec-isakmp

crypto map infinet1 20 match address 120

crypto map infinet1 20 set peer 10.51.254.6

crypto map infinet1 20 set peer 10.51.254.13

crypto map infinet1 20 set transform-set mumroset1

crypto map infinet1 21 ipsec-isakmp

crypto map infinet1 21 match address 121

crypto map infinet1 21 set peer 10.5.254.6

crypto map infinet1 21 set peer 10.5.254.21

crypto map infinet1 21 set peer 10.5.254.25

crypto map infinet1 21 set transform-set mumroset1

crypto map infinet1 22 ipsec-isakmp

crypto map infinet1 22 match address 122

crypto map infinet1 22 set peer 10.51.254.10

crypto map infinet1 22 set transform-set mumroset1

crypto map infinet1 23 ipsec-isakmp

crypto map infinet1 23 match address 123

crypto map infinet1 23 set peer 10.1.254.114

crypto map infinet1 23 set peer 10.1.254.110

crypto map infinet1 23 set transform-set mumroset1

crypto map infinet1 24 ipsec-isakmp

crypto map infinet1 24 match address 124

crypto map infinet1 24 set peer 10.1.254.117

crypto map infinet1 24 set peer 10.1.254.125

crypto map infinet1 24 set peer 10.1.254.121

crypto map infinet1 24 set peer 10.1.254.161

crypto map infinet1 24 set peer 10.1.254.157

crypto map infinet1 24 set peer 10.1.254.113

crypto map infinet1 24 set peer 10.1.254.145

crypto map infinet1 24 set peer 10.1.254.141

crypto map infinet1 24 set transform-set mumroset1

crypto map infinet1 25 ipsec-isakmp

crypto map infinet1 25 match address 125

crypto map infinet1 25 set peer 10.1.254.142

crypto map infinet1 25 set peer 10.1.254.138

crypto map infinet1 25 set transform-set mumroset1

crypto map infinet1 26 ipsec-isakmp

crypto map infinet1 26 match address 126

crypto map infinet1 26 set peer 10.1.254.150

crypto map infinet1 26 set peer 10.1.254.162

crypto map infinet1 26 set transform-set mumroset1

crypto map infinet1 27 ipsec-isakmp

crypto map infinet1 27 match address 197

crypto map infinet1 27 set peer 10.1.254.130

crypto map infinet1 27 set peer 10.1.254.118

crypto map infinet1 27 set peer 10.1.254.126

crypto map infinet1 27 set peer 10.1.254.153

crypto map infinet1 27 set transform-set mumroset1

crypto map infinet1 28 ipsec-isakmp

crypto map infinet1 28 match address 128

crypto map infinet1 28 set peer 10.1.254.146

crypto map infinet1 28 set peer 10.1.254.137

crypto map infinet1 28 set transform-set mumroset1

crypto map infinet1 30 ipsec-isakmp

crypto map infinet1 30 match address 130

crypto map infinet1 30 set peer 10.27.254.49

crypto map infinet1 30 set transform-set mumroset1

crypto map infinet1 31 ipsec-isakmp

crypto map infinet1 31 match address 191

crypto map infinet1 31 set peer 10.27.254.45

crypto map infinet1 31 set transform-set mumroset1

crypto map infinet1 32 ipsec-isakmp

crypto map infinet1 32 match address 132

crypto map infinet1 32 set peer 10.24.1.60

crypto map infinet1 32 set transform-set mumroset1

crypto map infinet1 34 ipsec-isakmp

crypto map infinet1 34 match address 134

crypto map infinet1 34 set peer 10.1.254.154

crypto map infinet1 34 set peer 10.1.254.158

crypto map infinet1 34 set transform-set mumroset1

crypto map infinet1 35 ipsec-isakmp

crypto map infinet1 35 match address 135

crypto map infinet1 35 set peer 10.51.254.38

crypto map infinet1 35 set transform-set mumroset1

crypto map infinet1 36 ipsec-isakmp

crypto map infinet1 36 match address 136

crypto map infinet1 36 set peer 10.1.254.26

crypto map infinet1 36 set peer 10.1.254.29

crypto map infinet1 36 set peer 10.51.254.34

crypto map infinet1 36 set transform-set mumroset1

crypto map infinet1 37 ipsec-isakmp

crypto map infinet1 37 match address 137

crypto map infinet1 37 set peer 10.51.254.30

crypto map infinet1 37 set peer 10.51.254.14

crypto map infinet1 37 set peer 10.51.254.17

crypto map infinet1 37 set transform-set mumroset1

crypto map infinet1 38 ipsec-isakmp

crypto map infinet1 38 match address 138

crypto map infinet1 38 set peer 10.51.254.46

crypto map infinet1 38 set transform-set mumroset1

crypto map infinet1 39 ipsec-isakmp

crypto map infinet1 39 match address 139

crypto map infinet1 39 set peer 10.5.254.33

crypto map infinet1 39 set peer 10.5.254.30

crypto map infinet1 39 set transform-set mumroset1

crypto map infinet1 40 ipsec-isakmp

crypto map infinet1 40 match address 140

crypto map infinet1 40 set peer 10.5.254.18

crypto map infinet1 40 set peer 10.5.254.22

crypto map infinet1 40 set transform-set mumroset1

crypto map infinet1 interface outside

isakmp enable outside

isakmp key ******** address 10.36.254.10 netmask 255.255.255.255

isakmp key ******** address 10.36.254.6 netmask 255.255.255.255

isakmp key ******** address 10.36.254.13 netmask 255.255.255.255

isakmp key ******** address 10.1.254.18 netmask 255.255.255.255

isakmp key ******** address 10.1.254.21 netmask 255.255.255.255

isakmp key ******** address 10.5.254.5 netmask 255.255.255.255

isakmp key ******** address 10.36.254.41 netmask 255.255.255.255

isakmp key ******** address 10.36.254.22 netmask 255.255.255.255

isakmp key ******** address 10.51.254.33 netmask 255.255.255.255

isakmp key ******** address 10.51.254.26 netmask 255.255.255.255

isakmp key ******** address 10.51.254.42 netmask 255.255.255.255

isakmp key ******** address 10.1.254.74 netmask 255.255.255.255

isakmp key ******** address 10.36.254.34 netmask 255.255.255.255

isakmp key ******** address 10.36.254.38 netmask 255.255.255.255

isakmp key ******** address 10.5.254.14 netmask 255.255.255.255

isakmp key ******** address 10.5.254.10 netmask 255.255.255.255

isakmp key ******** address 10.1.254.54 netmask 255.255.255.255

isakmp key ******** address 10.36.254.26 netmask 255.255.255.255

isakmp key ******** address 10.1.254.58 netmask 255.255.255.255

isakmp key ******** address 10.5.254.26 netmask 255.255.255.255

isakmp key ******** address 10.5.254.29 netmask 255.255.255.255

isakmp key ******** address 10.1.254.46 netmask 255.255.255.255

isakmp key ******** address 10.2.254.6 netmask 255.255.255.255

isakmp key ******** address 10.36.254.17 netmask 255.255.255.255

isakmp key ******** address 10.36.254.14 netmask 255.255.255.255

isakmp key ******** address 10.36.254.21 netmask 255.255.255.255

isakmp key ******** address 10.36.254.30 netmask 255.255.255.255

isakmp key ******** address 10.36.254.37 netmask 255.255.255.255

isakmp key ******** address 10.51.254.6 netmask 255.255.255.255

isakmp key ******** address 10.51.254.13 netmask 255.255.255.255

isakmp key ******** address 10.5.254.6 netmask 255.255.255.255

isakmp key ******** address 10.5.254.21 netmask 255.255.255.255

isakmp key ******** address 10.5.254.25 netmask 255.255.255.255

isakmp key ******** address 10.51.254.10 netmask 255.255.255.255

isakmp key ******** address 10.1.254.114 netmask 255.255.255.255

isakmp key ******** address 10.1.254.117 netmask 255.255.255.255

isakmp key ******** address 10.1.254.125 netmask 255.255.255.255

isakmp key ******** address 10.1.254.121 netmask 255.255.255.255

isakmp key ******** address 10.1.254.161 netmask 255.255.255.255

isakmp key ******** address 10.1.254.157 netmask 255.255.255.255

isakmp key ******** address 10.1.254.113 netmask 255.255.255.255

isakmp key ******** address 10.1.254.145 netmask 255.255.255.255

isakmp key ******** address 10.1.254.141 netmask 255.255.255.255

isakmp key ******** address 10.1.254.142 netmask 255.255.255.255

isakmp key ******** address 10.1.254.138 netmask 255.255.255.255

isakmp key ******** address 10.1.254.150 netmask 255.255.255.255

isakmp key ******** address 10.1.254.162 netmask 255.255.255.255

isakmp key ******** address 10.1.254.130 netmask 255.255.255.255

isakmp key ******** address 10.1.254.118 netmask 255.255.255.255

isakmp key ******** address 10.1.254.126 netmask 255.255.255.255

isakmp key ******** address 10.1.254.153 netmask 255.255.255.255

isakmp key ******** address 10.1.254.146 netmask 255.255.255.255

isakmp key ******** address 10.1.254.137 netmask 255.255.255.255

isakmp key ******** address 10.27.254.49 netmask 255.255.255.255

isakmp key ******** address 10.27.254.45 netmask 255.255.255.255

isakmp key ******** address 10.24.1.60 netmask 255.255.255.255

isakmp key ******** address 10.1.254.154 netmask 255.255.255.255

isakmp key ******** address 10.1.254.158 netmask 255.255.255.255

isakmp key ******** address 10.51.254.38 netmask 255.255.255.255

isakmp key ******** address 10.1.254.26 netmask 255.255.255.255

isakmp key ******** address 10.1.254.29 netmask 255.255.255.255

isakmp key ******** address 10.51.254.34 netmask 255.255.255.255

isakmp key ******** address 10.51.254.30 netmask 255.255.255.255

isakmp key ******** address 10.51.254.14 netmask 255.255.255.255

isakmp key ******** address 10.51.254.17 netmask 255.255.255.255

isakmp key ******** address 10.51.254.46 netmask 255.255.255.255

isakmp key ******** address 10.5.254.33 netmask 255.255.255.255

isakmp key ******** address 10.5.254.30 netmask 255.255.255.255

isakmp key ******** address 10.5.254.18 netmask 255.255.255.255

isakmp key ******** address 10.5.254.22 netmask 255.255.255.255

isakmp key ******** address 10.1.254.110 netmask 255.255.255.255

isakmp key ******** address 10.5.1.205 netmask 255.255.255.255

isakmp key ******** address 10.51.254.21 netmask 255.255.255.255

isakmp key ******** address 10.51.254.18 netmask 255.255.255.255

isakmp policy 18 authentication pre-share

isakmp policy 18 encryption des

isakmp policy 18 hash sha

isakmp policy 18 group 1

isakmp policy 18 lifetime 86400

telnet 172.16.0.0 255.255.0.0 inside

telnet 172.16.0.0 255.255.0.0 failover

telnet timeout 10

ssh timeout 5

terminal width 80

Cryptochecksum:c7d3741007174e40b59a5b4e3c86fea7

PIX520#

Accepted Solution
Cisco Employee

Re: PIX IPSec Configuration

The fact you have:

> sysopt connection permit-ipsec

in your config means that any IPSec packet is allowed in and bypasses all the normal security rules. You can remove this command, but then you'll need to add a bunch of lines to your acl_out ACL to make sure that ISAKMP (UDP 500) and IPSec (IP prot 50) are allowed in from each individual IPSec peer, plus add the inbound versions of all your crypto ACLs.

2 REPLIES

New Member

Re: PIX IPSec Configuration

Dear Sir,

We are very much thankful for your advice. Also, we request you to provide the information regarding the inbound version details you mentioned in your reply. What is the meaning of "inbound versions of all crypto ACLs"? In our setup one end is a Cisco PIX firewall and the other end is a 3662 router with IPSec features enabled. In this scenario, what else is required at the 3662 router end?

Regards,

K.V. Babu
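
The accepted reply lists what acl_out must carry once `sysopt connection permit-ipsec` is removed, and the follow-up asks what the "inbound version" of a crypto ACL is. The script below is an added example, not from the thread or from Cisco: it reads an excerpt of the posted configuration and emits the acl_out lines the reply describes, namely ISAKMP (UDP 500) and ESP (the `esp` keyword is IP protocol 50) from each crypto peer to the outside address, plus each crypto ACL with source and destination swapped. The excerpt, the `mirror_crypto_acls` flag and the function names are the example's own assumptions.

```python
"""Added example (not from the thread or from Cisco): derive the acl_out lines
needed once `sysopt connection permit-ipsec` is removed from the posted PIX 6.1
config: ISAKMP (UDP 500) and ESP (IP protocol 50) from every crypto peer to the
outside address, plus the "inbound version" of each crypto ACL (source and
destination swapped, which is how the decrypted packets look to acl_out)."""
import re
from typing import Dict, List, Set, Tuple

# Constructed excerpt of the configuration posted above (two of the 40 crypto
# map entries are enough to show the derivation).
CONFIG_EXCERPT = """\
ip address outside 10.21.1.35 255.255.255.224
access-list 101 permit ip 10.21.1.32 255.255.255.224 10.36.1.64 255.255.255.224
access-list 102 permit ip 10.21.1.32 255.255.255.224 10.36.1.32 255.255.255.224
crypto map infinet1 1 ipsec-isakmp
crypto map infinet1 1 match address 101
crypto map infinet1 1 set peer 10.36.254.10
crypto map infinet1 2 ipsec-isakmp
crypto map infinet1 2 match address 102
crypto map infinet1 2 set peer 10.36.254.6
crypto map infinet1 2 set peer 10.36.254.13
crypto map infinet1 interface outside
"""

# The posted crypto ACLs all use the network/mask form; that is all we parse.
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$")
MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
IFACE_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")
ADDR_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")


def parse_config(text: str):
    """Collect crypto ACLs, peers, match statements, map bindings and addresses."""
    acls: Dict[str, List[Tuple[str, str, str, str]]] = {}
    peers: Dict[Tuple[str, str], Set[str]] = {}  # (map, seq) -> peer addresses
    matches: Dict[Tuple[str, str], str] = {}      # (map, seq) -> crypto ACL name
    map_iface: Dict[str, str] = {}                # map -> interface it is bound to
    iface_addr: Dict[str, str] = {}               # interface -> its IP address
    for line in text.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append((m[2], m[3], m[4], m[5]))
        elif m := PEER_RE.match(line):
            peers.setdefault((m[1], m[2]), set()).add(m[3])
        elif m := MATCH_RE.match(line):
            matches[(m[1], m[2])] = m[3]
        elif m := IFACE_RE.match(line):
            map_iface[m[1]] = m[2]
        elif m := ADDR_RE.match(line):
            iface_addr[m[1]] = m[2]
    return acls, peers, matches, map_iface, iface_addr


def derive_acl_out(text: str, acl_name: str = "acl_out",
                   mirror_crypto_acls: bool = True) -> List[str]:
    """Return the access-list lines to add to the interface ACL."""
    acls, peers, matches, map_iface, iface_addr = parse_config(text)
    out: List[str] = []
    for map_name, iface in map_iface.items():
        local = iface_addr[iface]  # the PIX's own tunnel endpoint address
        # 1. Tunnel negotiation and payload from each peer, deduplicated.
        all_peers = {p for (n, _), ps in peers.items() if n == map_name for p in ps}
        for peer in sorted(all_peers, key=lambda ip: tuple(map(int, ip.split(".")))):
            out.append(f"access-list {acl_name} permit udp host {peer} host {local} eq 500")
            out.append(f"access-list {acl_name} permit esp host {peer} host {local}")
        # 2. Mirrored crypto ACLs permit everything the tunnels carry, which is
        #    what the sysopt allowed implicitly; leave this off so the existing
        #    per-service acl_out entries govern the decrypted traffic instead.
        if mirror_crypto_acls:
            for (n, seq), acl in sorted(matches.items(), key=lambda kv: int(kv[0][1])):
                if n != map_name:
                    continue
                for src, smask, dst, dmask in acls.get(acl, []):
                    out.append(f"access-list {acl_name} permit ip {dst} {dmask} {src} {smask}")
    return out
```

Running `derive_acl_out(CONFIG_EXCERPT, mirror_crypto_acls=False)` yields only the six ISAKMP/ESP permits, which is the variant that matches the original question: the tunnels still come up, and the decrypted traffic is then subject to the per-host, per-port entries already in acl_out.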