Allowing IPsec Traffic
The first step in configuration is to confirm that the two firewalls can reach each other before IPsec is turned on. Ping each firewall from the other, and ensure that there is network connectivity. Of course, if ICMP is disabled, the pings will not work.
The next step is to permit incoming IPsec traffic to reach the firewall. There are two different ways of doing this. The first is to use the sysopt connection permit-ipsec command, which implicitly allows all IPsec-related traffic to reach the firewall. This is equivalent to adding the following lines to the incoming access list on the outside PIX interface:
Figure 7.8 Network Setup for a Site-to-Site VPN (figure not reproduced): PIX1 (192.168.2.1, outside address 12.23.34.45) in front of network 192.168.2.0/24 and PIX2 (192.168.3.1, outside address 23.34.45.56) in front of network 192.168.3.0/24, connected across the Internet, with a Verisign CA at 205.139.94.230.
Configuring Virtual Private Networking • Chapter 7 351
PIX1(config)# access-list outside_access_in permit 50 any host 12.23.34.45
PIX1(config)# access-list outside_access_in permit 51 any host 12.23.34.45
PIX1(config)# access-list outside_access_in permit udp any host 12.23.34.45 eq 500
The first two lines allow any traffic with IP protocol 50 (ESP) and 51 (AH) to reach the outside interface, and the third allows IKE traffic, which is directed to UDP port 500. Instead of using the sysopt command, we can create more granular access control for each firewall using access lists or conduits, which are the second way to permit IPsec traffic. For example, the following access list allows IPsec traffic only from PIX2 to reach PIX1:
PIX1(config)# access-list outside_access_in permit 50 host 23.34.45.56 host 12.23.34.45
PIX1(config)# access-list outside_access_in permit 51 host 23.34.45.56 host 12.23.34.45
PIX1(config)# access-list outside_access_in permit udp host 23.34.45.56 host 12.23.34.45 eq 500
Configuring the sysopt connection permit-ipsec command is the preferred method of allowing IPsec traffic, because it is simpler and does not actually open any holes in the firewall. Since IPsec packets are encrypted and authenticated, any packet that does not come from a valid peer will be discarded. However, if you do not use this sysopt command, do not forget to create access lists on the outside interface (or another interface at which the tunnel terminates) to permit the traffic you need. With the sysopt command, all decapsulated IPsec traffic is allowed to pass through without additional conduits.
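To make the difference between the two access lists concrete, here is an added example (not code from the book or from Cisco) that parses the PIX access-list lines printed above and evaluates constructed packets against them. It models only the syntax subset used on this page, and the stranger address 198.51.100.9 is a constructed value.

```python
# Added example (not from the book): evaluator for the PIX access-list lines on
# this page. Models only: numeric IP protocol or "udp", "any"/"host <ip>", optional "eq <port>".
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTO_NAMES = {"esp": 50, "ah": 51, "udp": 17, "tcp": 6}

@dataclass
class Ace:
    proto: int
    src: Optional[str]    # None stands for "any"
    dst: Optional[str]
    dport: Optional[int]  # None when no "eq <port>" is given

def parse_ace(line: str) -> Ace:
    """Parse one 'access-list <name> permit ...' line; a leading CLI prompt is ignored."""
    t = line.split()
    i = t.index("access-list") + 3          # skip the list name and "permit"
    proto = int(t[i]) if t[i].isdigit() else PROTO_NAMES[t[i]]
    i += 1
    addrs = []
    for _ in range(2):                      # source, then destination
        if t[i] == "any":
            addrs.append(None); i += 1
        elif t[i] == "host":
            addrs.append(t[i + 1]); i += 2
        else:
            raise ValueError(f"unsupported address form: {t[i]}")
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return Ace(proto, addrs[0], addrs[1], dport)

def permitted(acl: List[Ace], proto: int, src: str, dst: str, dport: Optional[int] = None) -> bool:
    """True if any entry matches; no match means the PIX implicit deny."""
    return any(a.proto == proto and a.src in (None, src) and a.dst in (None, dst)
               and a.dport in (None, dport) for a in acl)

# The two access lists from this section, exactly as printed (prompt included).
ANY_PEER = [parse_ace(l) for l in """
PIX1(config)# access-list outside_access_in permit 50 any host 12.23.34.45
PIX1(config)# access-list outside_access_in permit 51 any host 12.23.34.45
PIX1(config)# access-list outside_access_in permit udp any host 12.23.34.45 eq 500
""".splitlines() if l.strip()]
PIX2_ONLY = [parse_ace(l) for l in """
PIX1(config)# access-list outside_access_in permit 50 host 23.34.45.56 host 12.23.34.45
PIX1(config)# access-list outside_access_in permit 51 host 23.34.45.56 host 12.23.34.45
PIX1(config)# access-list outside_access_in permit udp host 23.34.45.56 host 12.23.34.45 eq 500
""".splitlines() if l.strip()]
def compare(proto: int, src: str, dst: str, dport: Optional[int] = None) -> Tuple[bool, bool]:
    """(permitted by the 'any' list, permitted by the PIX2-only list)."""
    return permitted(ANY_PEER, proto, src, dst, dport), permitted(PIX2_ONLY, proto, src, dst, dport)
```

Running compare() on ESP from a constructed non-peer address shows the first list admits it while the second drops it, which is the granularity the text describes; IKE on any port other than 500 and ordinary TCP fall to the implicit deny in both.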
NOTE
It is useful to check that all network devices between the two firewalls are configured to pass traffic with IP protocol 50 and 51 and UDP traffic with a destination port of 500. Some providers have an acceptable use policy (AUP) that does not allow VPN, so they filter IPsec. Others only allow IPsec traffic to pass through as a value-added service for those customers that want to use an IPsec VPN and are willing to pay for it.