IPSec and firewall rules

vityash
Level 1

I have this config on my Cisco 851:

crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco address 9.1.1.35
!
crypto ipsec transform-set test esp-3des esp-sha-hmac
!
crypto map vpn 1 ipsec-isakmp
 set peer 9.1.1.35
 set transform-set test
 match address 100
!
interface Serial0/0
 ip address 9.x.x.146 255.255.255.252
 ip access-group 110 in
 crypto map vpn
!
interface Ethernet0/1
 ip address 10.0.68.1 255.255.255.0
 half-duplex
!
ip classless
ip route 0.0.0.0 0.0.0.0 9.1.1.145
!
access-list 100 permit ip 10.0.68.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 110 permit tcp any eq 500 any eq 500
!

What other access rule (110) do I need to add to let the IPSec through and block everything else?

Accepted Solution

Jon Marshall
Hall of Fame

Hi

You will need to let ESP (Encapsulating Security Payload) through at the very minimum, i.e.:

access-list 110 permit esp any any

HTH

Jon


2 Replies

lasnite01
Level 1

I believe that your protocol is incorrect; it should be udp, not tcp. It also seems as if you are missing the statement that applies your crypto map to an interface, and you will need to enable ipsec on the outside interface. Lastly, you might need to implement the nat 0 statement, depending upon your implementation. Hope this helps!
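The two replies above make two separate points: the rule on the page matches tcp/500, which IKE never uses (ISAKMP runs over udp/500), and the ESP packets that carry the tunnelled traffic are not permitted at all. The following script is an added example, not code from the thread or from Cisco; it implements a small evaluator for the subset of IOS extended-ACL syntax used on this page (permit/deny, protocol, any / host / address-plus-wildcard, optional eq port) and runs the original access-list 110 and a hardened version through it with constructed sample packets. The hardened list is my assumption of what the question is after: ISAKMP and ESP only from the configured peer 9.1.1.35, everything else left to the implicit deny. The router's own WAN address is masked on the page, so a placeholder (198.51.100.146) stands in for it; both lists use "any" as the destination so the placeholder does not affect the result.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Original access-list 110 from the question (tcp/500, which IKE does not use).
ORIGINAL_ACL = """
access-list 110 permit tcp any eq 500 any eq 500
"""

# Hardened list assumed for this example (not from the thread): IKE over udp/500
# and ESP (IP protocol 50), accepted only from the configured peer 9.1.1.35.
HARDENED_ACL = """
access-list 110 permit udp host 9.1.1.35 eq 500 any eq 500
access-list 110 permit esp host 9.1.1.35 any
"""

# Placeholder for the router's masked WAN address (9.x.x.146 on the page).
ROUTER_WAN = "198.51.100.146"

PROTO_NUMS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "esp": 50, "ahp": 51}
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}


@dataclass
class Packet:
    proto: int
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass
class Entry:
    action: str
    proto: Optional[int]          # None means "ip" (any protocol)
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcard masks are inverted netmasks: 0.0.0.255 -> 255.255.255.0
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    netmask = ipaddress.ip_address((~wildcard) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False), i + 2


def _parse_port(tokens, i):
    """Parse an optional 'eq PORT' qualifier; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i


def parse_acl(text, number=110):
    """Turn 'access-list N ...' lines for list N into Entry objects, in order."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:2] != ["access-list", str(number)]:
            continue
        action, proto = tokens[2], PROTO_NUMS[tokens[3]]
        src, i = _parse_addr(tokens, 4)
        sport, i = _parse_port(tokens, i)
        dst, i = _parse_addr(tokens, i)
        dport, i = _parse_port(tokens, i)
        entries.append(Entry(action, proto, src, sport, dst, dport))
    return entries


def evaluate(entries, pkt):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for e in entries:
        if e.proto is not None and e.proto != pkt.proto:
            continue
        if src not in e.src or dst not in e.dst:
            continue
        if e.sport is not None and e.sport != pkt.sport:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action
    return "deny"


# Constructed sample packets arriving inbound on Serial0/0.
SAMPLE_PACKETS = {
    "ike_from_peer": Packet(17, "9.1.1.35", ROUTER_WAN, 500, 500),
    "esp_from_peer": Packet(50, "9.1.1.35", ROUTER_WAN),
    "tcp500_from_peer": Packet(6, "9.1.1.35", ROUTER_WAN, 500, 500),
    "ike_from_stranger": Packet(17, "203.0.113.9", ROUTER_WAN, 500, 500),
    "ssh_from_stranger": Packet(6, "203.0.113.9", ROUTER_WAN, 40000, 22),
}


def verdicts(acl_text):
    """Map each sample packet name to the ACL's permit/deny decision."""
    entries = parse_acl(acl_text)
    return {name: evaluate(entries, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("hardened", HARDENED_ACL)):
        print(label, verdicts(acl))
```

With the original list, both the IKE negotiation (udp/500) and the ESP packets fall through to the implicit deny, so the tunnel can never come up; the only thing it permits is tcp/500, which the peer never sends. With the hardened list the peer's IKE and ESP traffic passes and everything else, including IKE from any other address, is dropped. The evaluator ignores what the router itself generates (outbound traffic is not filtered by an inbound access-group). If the peer sits behind NAT, IKE and ESP are encapsulated in udp/4500 (NAT-T), and that port would need a matching permit as well; the thread does not cover that case.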
