Site to Site VPN ACL NAT question
sandpiper (Member, Posts: 17):
I have a site-to-site VPN configured between two 2621 routers. I have communication between the two private networks. The problem comes in when I apply the inbound ACL to the outside interface to block traffic. I am using PAT for users to access the internet, but I believe the inbound ACL is preventing the internet traffic from returning through the interface (the internet traffic DOES NOT and shouldn't traverse the tunnel).
What should I use to allow the internet traffic back into the network? Inspection policy, etc.?
Thanks, E
Comments
kalebksp (Member, Posts: 1,033):
Use CBAC to allow return traffic. Personally I would prefer to set up zone based firewall, but 2621s are too old for that (assuming they're not XM).
sandpiper (Member, Posts: 17):
They are 2621XMs. So either CBAC or Zone Based? Is CBAC easier?
kalebksp (Member, Posts: 1,033):
It's arguable, but if your only requirement is to allow return traffic back in, CBAC will be easier and simpler to configure. ZBF uses policy maps and class maps like QoS; as an overall firewall I think it is probably easier to manage if you have more complex rules and multiple internal interfaces (DMZ, etc.), but it does take some time to get your head around how it works. For a basic configuration where inside hosts can access whatever they want and the internet side can only return traffic, CBAC is fine.
Here's a basic CBAC config:

    ! Inspection rule: one line per protocol to track
    ip inspect name FIREWALL ftp
    ip inspect name FIREWALL https
    ip inspect name FIREWALL http
    ip inspect name FIREWALL ssh
    ip inspect name FIREWALL telnet
    ip inspect name FIREWALL smtp
    ip inspect name FIREWALL dns
    ip inspect name FIREWALL ntp
    ip inspect name FIREWALL icmp
    ip inspect name FIREWALL bootpc
    ip inspect name FIREWALL udp
    ip inspect name FIREWALL tcp
    ! Apply it inbound on the LAN interface so sessions leaving the LAN are tracked
    int fa0/0
     desc Internal Network
     ip inspect FIREWALL in
Links:
Cisco IOS Security Configuration Guide: Securing the Data Plane, Release 12.4 - Configuring Context-based Access Control [Cisco IOS Software Releases 12.4 Mainline] - Cisco Systems
Two-Interface Router with NAT Cisco IOS Firewall Configuration - Cisco Systems
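The full two-interface layout the thread is describing, with PAT, the site-to-site tunnel, the restrictive inbound ACL on the outside interface and CBAC tied together, as an added example (not posted by anyone in the thread and not Cisco's sample config). All addresses, names and the pre-shared key placeholder are assumptions: local LAN 10.1.1.0/24 on fa0/0, outside address 192.0.2.1 on fa0/1, remote LAN 10.2.2.0/24 behind peer 198.51.100.1.

```cisco
! Assumed addressing (example only):
!   local LAN 10.1.1.0/24  (fa0/0, 10.1.1.1)
!   outside   192.0.2.1    (fa0/1)
!   remote    10.2.2.0/24  behind peer 198.51.100.1
!
! --- IKE / IPsec: the tunnel the original poster already has working ---
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key PRESHARED-KEY-HERE address 198.51.100.1
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address VPN-TRAFFIC
!
! --- PAT for internet access; LAN-to-LAN traffic is exempted so it is
!     encrypted rather than translated ---
ip access-list extended NAT-TRAFFIC
 deny   ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 any
ip nat inside source list NAT-TRAFFIC interface FastEthernet0/1 overload
!
! --- CBAC: track sessions leaving the LAN and open the return path
!     through the outside ACL dynamically ---
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
ip inspect name FIREWALL icmp
ip inspect name FIREWALL ftp
ip inspect name FIREWALL dns
!
! --- Static inbound ACL on the outside interface: only what CBAC cannot
!     open for you, i.e. the tunnel control and data plane from the peer ---
ip access-list extended OUTSIDE-IN
 remark IKE and ESP from the VPN peer; non500-isakmp (UDP 4500) covers NAT-T
 permit udp host 198.51.100.1 host 192.0.2.1 eq isakmp
 permit udp host 198.51.100.1 host 192.0.2.1 eq non500-isakmp
 permit esp host 198.51.100.1 host 192.0.2.1
 remark IOS before 12.3(8)T re-checks decrypted packets against this ACL,
 remark so the remote LAN must also be permitted; harmless on later releases
 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
 deny   ip any any log
!
interface FastEthernet0/0
 description Internal Network
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip inspect FIREWALL in
!
interface FastEthernet0/1
 description Internet
 ip address 192.0.2.1 255.255.255.252
 ip nat outside
 ip access-group OUTSIDE-IN in
 crypto map VPN
```

To confirm it is doing what you expect, browse out from a LAN host and run show ip inspect sessions; you should see the session listed while it is open, and the return packets should no longer hit the deny at the bottom of OUTSIDE-IN (watch the match counter with show ip access-lists OUTSIDE-IN). Note that the inspect rule sits on the inside interface, inbound: CBAC keys off the session it sees leaving the LAN and punches the temporary hole in whichever interface ACL the reply arrives on, so there is no need for a second inspect statement on fa0/1.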