Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Search results for query: *
- Users: candersoncc
- Order by date
-
Cisco Router 3 Flavors of IPSEC
I have a Cisco 1811 with the Advanced IP Services image. I am running into a problem configuring different types of IPSEC simultaneously. It appears to be mostly limitations I am running into with dynamic peers. Ideally, I would like to have the following set up: 1. Static IPSEC tunnels for...- candersoncc
- Thread
- Replies: 0
- Forum: Cisco
-
IPSec Traffic Bypassing access lists?
For anyone else that might have a similar question in the future, I found a better way to do this. You can apply an access list to the crypto map entry as follows: crypto map <map_name> <map_priority> set ip access-group <acl_name> in- candersoncc
- Post #10
- Forum: Cisco
-
IPSec Traffic Bypassing access lists?
Sorry, I again misunderstood what you were saying (apparently haven't caught up on my sleep yet) That actually works out quite well for what I need. So I didn't have to duplicate everything in the outside interfaces incoming filter, I just did a deny of all the traffic from "interesting"...- candersoncc
- Post #9
- Forum: Cisco
-
IPSec Traffic Bypassing access lists?
That is a possibility, but I just don't normally like replying on other parties to maintain security for me... (It takes it out of my scope of control). I guess I could just put a PIX in there behind it to firewall the network. Thank you for your suggestions!- candersoncc
- Post #8
- Forum: Cisco
-
IPSec Traffic Bypassing access lists?
Actually, I may have initially misunderstood... this might work, but would only filter outbound (which is the opposite of what I want to do). This may work if I want to get REALLY restrictive, like only allow certain traffic between 2 hosts, but what I really need is to be able to restrict...- candersoncc
- Post #6
- Forum: Cisco
-
IPSec Traffic Bypassing access lists?
That is one of the things that I tried, and it didn't seem to do the trick. It appears that it is totally bypassing all ACLs on the interfaces.- candersoncc
- Post #5
- Forum: Cisco
-
IPSec Traffic Bypassing access lists?
AFAIK, you can only limit what traffic is outbound from your site (I only have control over 1 of the 2 routers involved). I need to be able to prevent incoming traffic.- candersoncc
- Post #3
- Forum: Cisco
-
IPSec Traffic Bypassing access lists?
I have mostly implemented IPSec tunnels on Cisco PIX firewalls in the past. After setting up a tunnel between a couple of Cisco IOS devices, I did some testing and found that IPSec traffic bypasses the access list on the outside interface. On the PIX, this is an option, so you can use "no...- candersoncc
- Thread
- Replies: 10
- Forum: Cisco
-
IPSec NAT Bypass with Static NAT
I was able to find a solution after scouring Cisco's website for awhile. For anyone interested, it goes something like this... I added an exclusion for the 2 IPs that are being static NATed to the access list that controls dynamic NAT (I probably should have done that anyway). I then added...- candersoncc
- Post #2
- Forum: Security, hacker detection & forensics
-
IPSec NAT Bypass with Static NAT
I was able to find a solution after scouring Cisco's website for awhile. For anyone interested, it goes something like this... I added an exclusion for the 2 IPs that are being static NATed to the access list that controls dynamic NAT (I probably should have done that anyway). I then added...- candersoncc
- Post #12
- Forum: Cisco
-
IPSec NAT Bypass with Static NAT
Site A Has a Cisco PIX with Dynamic NAT and a single external IP. Site B has a Cisco 1811 with 2 Static 1:1 NAT entries, and the rest of the internal hosts on a dynamic NAT sharing an IP. There is an IPSEC tunnel between the 2 sites which works, except when trying to access hosts that have...- candersoncc
- Thread
- Replies: 1
- Forum: Security, hacker detection & forensics
-
-
-
IPSec NAT Bypass with Static NAT
Any ideas on how this can be done while using static NAT?- candersoncc
- Post #8
- Forum: Cisco
-
Monitoring CISCO and Network Devices
I have tried JFFNMS (jffnms.org) and Nagios among others. I've found that JFFNMS allows for a LOT more data than Nagios. On the other hand, Nagios is better if all you want is a simple "Up/Down" or "Red/Green" Status.- candersoncc
- Post #4
- Forum: Cisco
-
IPSec NAT Bypass with Static NAT
I technically could... Except that I need outbound connections from those internal IPs to use their static NAT entries (one of them is a mail server, so it needs to present it's proper IP on outbound SMTP connections). There has got to be a way to bypass NAT for certain addresses with Static...- candersoncc
- Post #7
- Forum: Cisco
-
IPSec NAT Bypass with Static NAT
10.100.x.x/16 is the local (Site B) network, and 10.4.1.x/24 is the remote (Site A) network. The NAT pool is just a range of public IP addresses. access-list 175 deny ip 10.100.0.0 0.0.255.255 10.4.1.0 0.0.0.255 The above works for every host except the ones that have 1:1 NAT entries. The...- candersoncc
- Post #5
- Forum: Cisco
-
IPSec NAT Bypass with Static NAT
Sorry, I forgot to mention. Access list 175 already denies those ranges currently. I am using the same exclusion list for excluding the dynamic NAT as I am for the static ones (via the pool). For some reason it is still not bypassing NAT, however. I am certain I am overlooking something. I'd...- candersoncc
- Post #3
- Forum: Cisco
-
IPSec NAT Bypass with Static NAT
Site A Has a Cisco PIX with Dynamic NAT and a single external IP. Site B has a Cisco 1811 with 2 Static 1:1 NAT entries, and the rest of the internal hosts on a dynamic NAT sharing an IP. There is an IPSEC tunnel between the 2 sites which works, except when trying to access hosts that have...- candersoncc
- Thread
- Replies: 11
- Forum: Cisco
