
IPSec Traffic Bypassing access lists?


candersoncc

Jun 14, 2008
I have mostly implemented IPSec tunnels on Cisco PIX firewalls in the past. After setting up a tunnel between a couple of Cisco IOS devices, I did some testing and found that IPSec traffic bypasses the access list on the outside interface.

On the PIX, this is an option, so you can use "no sysopt connection permit-ipsec" to force traffic to be run against the ACL. Is there something similar on IOS, or is there no way to run IPSec traffic through an access list after it is decrypted?
 
Technically, wouldn't it be better to limit the traffic over the tunnel via the interesting traffic, instead of filtering it once it has already traversed it?

----------------------------------
Bill
 
AFAIK, you can only limit what traffic is outbound from your site (I only have control over 1 of the 2 routers involved).

I need to be able to prevent incoming traffic.
 
Depending on the router, if it's just a dual Ethernet interface this isn't that hard. Apply the ACL on the internal interface as an OUT ACL.


----------------------------------
Bill
 
That is one of the things that I tried, and it didn't seem to do the trick. It appears that it is totally bypassing all ACLs on the interfaces.
 
Actually, I may have initially misunderstood... this might work, but would only filter outbound (which is the opposite of what I want to do). This may work if I want to get REALLY restrictive, like only allow certain traffic between 2 hosts, but what I really need is to be able to restrict inbound traffic, with unrestricted outbound.
 
In this setup:
FE0 - VPN - Outside Internet
FE1 - Inside
ip access-group 102 out

The ACL should work; I can see it might not work on FE0, but it definitely should work on FE1.

Can you just ask the other side to only allow what you want through their interesting traffic?

----------------------------------
Bill
 
That is a possibility, but I just don't normally like relying on other parties to maintain security for me... (It takes it out of my scope of control).

I guess I could just put a PIX in there behind it to firewall the network. Thank you for your suggestions!
 
Sorry, I again misunderstood what you were saying (apparently I haven't caught up on my sleep yet).

That actually works out quite well for what I need. So I didn't have to duplicate everything in the outside interface's incoming filter; I just did a deny of all the traffic from the "interesting" networks at the end, instead of a deny ip any any.

Thanks for your help!
 
For anyone else that might have a similar question in the future, I found a better way to do this.

You can apply an access list to the crypto map entry as follows:

crypto map <map_name> <map_priority>
set ip access-group <acl_name> in

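The two approaches discussed in this thread, the inside-interface outbound ACL and the per-crypto-map-entry filter, shown together in one IOS configuration. This is an added example, not a configuration posted by anyone in the thread; all hostnames, addresses, ACL names, the peer address and the transform set are constructed, and whether `set ip access-group` is accepted under a crypto map entry depends on the IOS release and feature set in use.

```cisco
! Added example (not from the thread). Addresses and names are constructed.
! Local LAN : 10.1.0.0/24 behind FastEthernet1 (inside)
! Remote LAN: 10.2.0.0/24 reached through the tunnel on FastEthernet0 (outside)
! Peer      : 203.0.113.2   Our outside address: 198.51.100.1

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key ExamplePSK-ChangeMe address 203.0.113.2
crypto ipsec transform-set TS_AES esp-aes esp-sha-hmac

! Interesting-traffic (crypto) ACL. This only decides what THIS router
! encrypts; it does not restrict what the peer sends, which is why the
! decrypted traffic still needs its own filter.
ip access-list extended CRYPTO_ACL
 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255

! Outside-interface ACL. Decrypted packets never hit this list; it only
! ever sees the IKE/ESP envelope from the peer.
ip access-list extended OUTSIDE_IN
 permit udp host 203.0.113.2 host 198.51.100.1 eq isakmp
 permit udp host 203.0.113.2 host 198.51.100.1 eq non500-isakmp
 permit esp host 203.0.113.2 host 198.51.100.1
 deny   ip any any log

! Post-decryption filter: inbound restricted, our own outbound unrestricted.
! Remote LAN may reach one internal server on SMB and may answer sessions
! that our side opened; everything else is dropped and logged.
ip access-list extended VPN_IN_FILTER
 permit tcp 10.2.0.0 0.0.0.255 host 10.1.0.10 eq 445
 permit tcp 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255 established
 permit icmp 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255 echo-reply
 deny   ip any any log

crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS_AES
 match address CRYPTO_ACL
 ! Approach from the last post: filter clear-text packets that arrive
 ! through this crypto map entry after decryption.
 set ip access-group VPN_IN_FILTER in

interface FastEthernet0
 description Outside
 ip address 198.51.100.1 255.255.255.0
 ip access-group OUTSIDE_IN in
 crypto map VPNMAP

interface FastEthernet1
 description Inside
 ip address 10.1.0.1 255.255.255.0
 ! Alternative from earlier in the thread: apply the same filter outbound
 ! on the inside interface. It catches the decrypted traffic on its way to
 ! the LAN (and any other transit traffic), but not packets destined to
 ! the router itself. Use one approach or the other, not both.
 ! ip access-group VPN_IN_FILTER out
```

After applying it, `show ip access-lists VPN_IN_FILTER` should show hit counts climbing on the permit lines for allowed flows and on the final deny for anything the peer sends outside the permitted set; the `log` keyword on that deny gives the visibility into what is being dropped. The `established` line is a stateless match on TCP flags rather than true session tracking; on platforms that support it, a zone-based or CBAC inspection policy is the stronger way to allow only return traffic.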
 
Thanks---very helpful. I need to do something like this.

Burt
 