Cisco Support Community
New Member

IPSec and firewall rules

I have the following config on my Cisco 851:

crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco address 9.1.1.35
!
crypto ipsec transform-set test esp-3des esp-sha-hmac
!
crypto map vpn 1 ipsec-isakmp
 set peer 9.1.1.35
 set transform-set test
 match address 100
!
interface Serial0/0
 ip address 9.x.x.146 255.255.255.252
 ip access-group 110 in
 crypto map vpn
!
interface Ethernet0/1
 ip address 10.0.68.1 255.255.255.0
 half-duplex
!
ip classless
ip route 0.0.0.0 0.0.0.0 9.1.1.145
!
access-list 100 permit ip 10.0.68.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 110 permit tcp any eq 500 any eq 500
!

What other access rules do I need to add to ACL 110 to let IPSec through and block everything else?

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Blue

Re: IPSec and firewall rules

Hi

You will need to let ESP (Encapsulating Security Payload) through at the very minimum, i.e.

access-list 110 permit esp any any

HTH

Jon
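Putting the accepted answer and the second reply together, as an added example that is not the thread's own configuration: the original ACL 110 entry beside a replacement that admits only the IKE (UDP 500) and ESP traffic of the configured peer 9.1.1.35, relying on the ACL's implicit deny for everything else. The router's own outside address is left as `any` because the post masks it as 9.x.x.146.

```cisco
! Original entry from the question. ISAKMP runs over UDP, so a TCP port 500
! rule never matches it and IKE negotiation is dropped by the implicit deny.
access-list 110 permit tcp any eq 500 any eq 500
!
! Numbered ACLs cannot be edited in place, so remove and rebuild ACL 110.
no access-list 110
! IKE: UDP 500 (keyword "isakmp"), restricted to the configured VPN peer.
access-list 110 permit udp host 9.1.1.35 eq isakmp any eq isakmp
! ESP (IP protocol 50) carrying the encrypted tunnel traffic from that peer.
access-list 110 permit esp host 9.1.1.35 any
! Everything else is dropped by the implicit "deny ip any any" at the end.
!
interface Serial0/0
 ip access-group 110 in
 crypto map vpn
!
! Check: once the tunnel is up, the hit counters on the udp and esp lines
! should increment while the tunnel carries traffic.
show access-lists 110
```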

2 REPLIES

New Member

Re: IPSec and firewall rules

I believe that your protocol is incorrect; it should be udp, not tcp. It also seems as if you are missing the statement that applies your crypto map to an interface, and you will need to enable IPsec on the outside interface. Lastly, you might need to implement the nat 0 statement, depending upon your implementation. Hope this helps!
