Site to Site VPN ACL NAT question

sandpiper

I have a site to site vpn configured with 2 2621 routers. I have communication between the 2 private networks. The problem comes in when I apply the inbound ACL to the outside interface to block traffic. I am using PAT for user to access the internet, but I believe the inbound ACL is preventing the internet traffic to return through the interface (the internet traffic DOES NOT and shouldn't traverse the tunnel).

What should I use the allow the internet traffic to be allowed back into the network? Inspection policy, etc...?

Thanks, E

kalebksp

Use CBAC to allow return traffic. Personally I would prefer to set up zone based firewall, but 2621s are too old for that (assuming they're not XM).

sandpiper

They are 2621xm's. So either CBAC or Zone Based? Is CBAC easier?

kalebksp

It's arguable, but if your only requirement is to allow return traffic back in CBAC will be easier and simpler to configure. ZBF uses policy maps and class maps like QoS, as an overall firewall I think it is probably easier to manage if you have more complex rules and multiple internal interfaces (DMZ, etc), but it does take some time to get your head around how it works. For a basic configuration where inside hosts can access whatever they want and the internet side can only return traffic CBAC is fine.

Here's a basic CBAC config:

ip inspect name FIREWALL ftp
ip inspect name FIREWALL https
ip inspect name FIREWALL http
ip inspect name FIREWALL ssh
ip inspect name FIREWALL telnet
ip inspect name FIREWALL smtp
ip inspect name FIREWALL dns
ip inspect name FIREWALL ntp
ip inspect name FIREWALL icmp
ip inspect name FIREWALL bootpc
ip inspect name FIREWALL udp
ip inspect name FIREWALL tcp

int fa0/0
 desc Internal Network
 ip inspect FIREWALL in

Links:
Cisco IOS Security Configuration Guide: Securing the Data Plane, Release 12.4 - Configuring Context-based Access Control [Cisco IOS Software Releases 12.4 Mainline] - Cisco Systems
Two-Interface Router with NAT Cisco IOS Firewall Configuration - Cisco Systems