Interaction of CBAC with IPsec

Cisco IOS Firewall does not inspect IPsec (Internet Protocol Security) traffic that traverses it. For an IPsec tunnel to be established through CBAC and carry data, you must explicitly permit AH (the ahp keyword), ESP and UDP/500 (ISAKMP) from the unprotected network to the protected network. Example 5-10 shows an ACL that permits all the protocols and ports needed to build an IPsec tunnel between the peers 10.1.1.1 and 20.1.1.1:

Example 5-10. Sample Configuration to Allow IPsec

Router(config)#access-list 100 permit ahp host 10.1.1.1 host 20.1.1.1
Router(config)#access-list 100 permit esp host 10.1.1.1 host 20.1.1.1
Router(config)#access-list 100 permit udp host 10.1.1.1 host 20.1.1.1 eq isakmp
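
The following is an added example, not from the book, showing where the Example 5-10 entries fit in a complete CBAC configuration on a transit router that sits between the two peers. It assumes 20.1.1.1 is the peer on the unprotected side and 10.1.1.1 the peer on the protected side, and the interface names, addresses and the inspection rule name are assumptions.

```cisco
! Added example (not from the book). Interface names, inside addressing and
! the rule name FW_INSPECT are assumptions; the peers come from Example 5-10.
!
! CBAC inspection rule: opens temporary return paths for TCP and UDP sessions
! that originate on the protected network.
ip inspect name FW_INSPECT tcp
ip inspect name FW_INSPECT udp
!
! Inbound ACL on the unprotected interface. CBAC never inspects IPsec, so the
! tunnel protocols must be permitted statically from unprotected to protected:
! ahp = AH, esp = ESP, isakmp = UDP/500.
access-list 100 permit ahp host 20.1.1.1 host 10.1.1.1
access-list 100 permit esp host 20.1.1.1 host 10.1.1.1
access-list 100 permit udp host 20.1.1.1 host 10.1.1.1 eq isakmp
! General IPsec note, not from the book page: if the peers use NAT traversal,
! UDP/4500 must be permitted as well.
! Anything else is dropped unless CBAC has opened a hole for it.
access-list 100 deny ip any any log
!
interface Ethernet0/1
 description Unprotected (outside) network, towards peer 20.1.1.1
 ip address 10.1.1.254 255.255.255.0
 ip access-group 100 in
 ip inspect FW_INSPECT out
!
interface Ethernet0/0
 description Protected (inside) network, towards peer 10.1.1.1
 ip address 192.168.1.1 255.255.255.0
```

The deny entry with log makes any IPsec setup failure caused by the firewall visible in the router log, which is the first thing to check when a tunnel across CBAC will not come up.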

Although CBAC does not inspect IPsec traffic passing through it, it works well on the IPsec endpoints themselves. If you configure CBAC on the peer routers, CBAC inspects the tunneled traffic in the clear: before encryption on the sending side and after decryption on the receiving side.