Cisco router config affecting VPN?

Discussion in 'Cisco' started by kammy_boy186@hotmail.com, Dec 1, 2006.

  1. Guest

    Topology:

    LAN --- PIX 506E ---- Cisco 2501 ---- Internet

    We have the following lines in our router config

    access-list 100 deny ip 10.0.0.0 0.255.255.255 any
    access-list 100 deny ip 172.16.0.0 0.15.255.255 any
    access-list 100 deny ip 192.168.0.0 0.0.255.255 any
    access-list 100 deny ip 127.0.0.0 0.255.255.255 any
    access-list 100 deny ip 224.0.0.0 31.255.255.255 any

    ACL 100 is an inbound list applied on the serial interface of our Cisco
    2501 router, i.e. for traffic coming from the ISP's network (internet).

    Behind the router we run a PIX 506 Firewall. At the moment, we are the
    main office of an organisation, but we'll soon be implementing a VPN with
    a branch office that runs the same setup. Their internal subnet is
    192.168.2.0/24, ours is 192.168.1.0/24. The VPN will be PIX-PIX.

    Will ACL 100 affect inbound traffic from the branch because it blocks
    192.168.0.0/16 traffic? Even though the VPN is configured via the
    PIXes, the traffic still has to traverse the router?

    Secondly, we also have the following rules on the router;

    access-list 102 permit tcp 213.62.0.0 0.0.128.255 host MAIL_GATEWAY eq domain
    access-list 102 permit tcp host A host MAIL_GATEWAY eq domain

    ACL 102 is an outbound list applied to the Ethernet interface of the
    router, i.e. traffic to our LAN.

    I am curious as to what these lines do? I take it that eq domain refers to
    DNS services, and the lines signify host A and the 213.62.0.0 0.0.128.255
    [fake IPs] range connecting to the Gateway on the DNS port, but is
    there any reason for this?

    Thanks.
     
    kammy_boy186@hotmail.com, Dec 1, 2006
    #1

  2. In article <>,
    <> wrote:

    >Topology:
    >LAN --- PIX 506E ---- Cisco 2501 ---- Internet


    >We have the following lines in our router config
    >access-list 100 deny ip 10.0.0.0 0.255.255.255 any
    >access-list 100 deny ip 172.16.0.0 0.15.255.255 any
    >access-list 100 deny ip 192.168.0.0 0.0.255.255 any
    >access-list 100 deny ip 127.0.0.0 0.255.255.255 any
    >access-list 100 deny ip 224.0.0.0 31.255.255.255 any


    >ACL 100 is an inbound list applied on the serial interface of our Cisco
    >2501 router, i.e. for traffic coming from the ISP's network (internet).


    >Behind the router we run a PIX 506 Firewall. At the moment, we are the
    >main office of an organisation, but we'll soon be implementing a VPN with
    >a branch office that runs the same setup. Their internal subnet is
    >192.168.2.0/24, ours is 192.168.1.0/24. The VPN will be PIX-PIX.


    >Will ACL 100 affect inbound traffic from the branch because it blocks
    >192.168.0.0/16 traffic?


    No.

    >Even though the VPN is configured via the
    >PIXes, the traffic still has to traverse the router?


    It traverses the router, but it does so in encapsulated packets, whose
    IP addresses are those of the source and destination security
    devices (i.e. the PIX 506E for one, and whatever the new
    device is on the other).


    >Secondly, we also have the following rules on the router;


    >access-list 102 permit tcp 213.62.0.0 0.0.128.255 host MAIL_GATEWAY eq domain
    >access-list 102 permit tcp host A host MAIL_GATEWAY eq domain


    >ACL 102 is an outbound list applied to the Ethernet interface of the
    >router, i.e. traffic to our LAN.


    >I am curious as to what these lines do? I take it that eq domain refers to
    >DNS services, and the lines signify host A and the 213.62.0.0 0.0.128.255
    >[fake IPs] range connecting to the Gateway on the DNS port, but is
    >there any reason for this?


    Notice that it is TCP not UDP. Probably you have most TCP DNS blocked
    and those systems are to be allowed TCP DNS requests.


    TCP DNS requests are used:

    - as a fallback, if a response too big for a single UDP response is
    detected (traditionally, further limited to 512 bytes of UDP payload);

    - straight away, for DNS zone transfers (which are almost certain not to
    fit in a single 512-byte UDP packet);

    - straight away, for extended DNS services (that did not exist when DNS
    was designed) such as dynamic registration of hosts.

    In theory, a standard DNS client could jump directly to a TCP request,
    but for -most- sites, with basic security measures, there will not
    be any public DNS client access that requires more than 512 bytes of
    response, so it is quite common to block TCP DNS traffic except for
    hosts with which you do zone transfers, or which are permitted to use
    DNS dynamic registration with your DNS server.
     
    Walter Roberson, Dec 4, 2006
    #2
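The following is an added example, not code from the thread or from Cisco: a small evaluator for Cisco extended-ACL lines (wildcard-mask semantics, first match wins, implicit deny at the end) fed with the ACLs quoted above. It shows what the serial interface actually sees from a PIX-to-PIX tunnel, ESP (IP protocol 50) and IKE (UDP/500) between the two outside addresses, versus the inner 192.168.2.x datagram that would indeed be dropped if it ever arrived unencapsulated. The two PIX outside addresses, the closing `permit ip any any` in ACL 100 (the post shows only the deny lines; the tunnel only works if the remainder of ACL 100 does let ESP and UDP/500 through to the PIX), and the addresses standing in for MAIL_GATEWAY and host A are assumptions.

```python
"""Cisco extended-ACL matcher (wildcard masks), with the thread's ACLs as input.

Added example, not code from the thread. Peer addresses, the trailing permit
in ACL 100 and the stand-ins for MAIL_GATEWAY / host A are assumptions.
"""
import ipaddress

PORT_NAMES = {"domain": 53, "smtp": 25, "www": 80}

# Constructed: the five deny lines from the post plus an ASSUMED closing
# "permit ip any any" (the rest of ACL 100 is not shown in the thread).
ACL_100 = """
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 224.0.0.0 31.255.255.255 any
access-list 100 permit ip any any
"""

# Constructed: MAIL_GATEWAY and host A are placeholders in the post, so
# documentation-range addresses stand in for them here.
MAIL_GATEWAY, HOST_A = "192.0.2.25", "192.0.2.53"
ACL_102 = f"""
access-list 102 permit tcp 213.62.0.0 0.0.128.255 host {MAIL_GATEWAY} eq domain
access-list 102 permit tcp host {HOST_A} host {MAIL_GATEWAY} eq domain
"""

# Assumed outside addresses of the two PIX firewalls (documentation ranges).
HQ_PIX, BRANCH_PIX = "198.51.100.1", "203.0.113.1"


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _addr_spec(tokens):
    """Consume one 'any' / 'host A' / 'A W' spec; return (net, wildcard, rest)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return _ip(tokens[1]), 0, tokens[2:]
    return _ip(tokens[0]), _ip(tokens[1]), tokens[2:]


def parse_acl(text):
    """Turn 'access-list N action proto src dst [eq port]' lines into tuples."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list":
            continue
        action, proto = tok[2], tok[3]
        src, src_wc, rest = _addr_spec(tok[4:])
        dst, dst_wc, rest = _addr_spec(rest)
        port = None
        if rest[:1] == ["eq"]:
            port = PORT_NAMES.get(rest[1]) or int(rest[1])
        entries.append((action, proto, src, src_wc, dst, dst_wc, port))
    return entries


def _matches(addr, net, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care',
    so a non-contiguous mask such as 0.0.128.255 is handled as IOS does."""
    return ((addr ^ net) & ~wildcard & 0xFFFFFFFF) == 0


def evaluate(entries, src, dst, proto, dport=None):
    """First matching entry wins; every Cisco ACL ends in an implicit deny."""
    s, d = _ip(src), _ip(dst)
    for action, eproto, net, wc, dnet, dwc, eport in entries:
        if eproto != "ip" and eproto != proto:
            continue
        if not (_matches(s, net, wc) and _matches(d, dnet, dwc)):
            continue
        if eport is not None and eport != dport:
            continue
        return action
    return "deny"


def tunnel_verdicts():
    """Inbound on the serial interface: what the IPsec tunnel really looks like."""
    acl = parse_acl(ACL_100)
    return {
        "esp": evaluate(acl, BRANCH_PIX, HQ_PIX, "esp"),
        "ike": evaluate(acl, BRANCH_PIX, HQ_PIX, "udp", 500),
        # the inner datagram, if it ever arrived unencapsulated
        "cleartext_inner": evaluate(acl, "192.168.2.10", "192.168.1.10", "tcp", 445),
    }


def acl102_verdict(src):
    """Outbound to the LAN: who may reach MAIL_GATEWAY on TCP/53."""
    return evaluate(parse_acl(ACL_102), src, MAIL_GATEWAY, "tcp", 53)


if __name__ == "__main__":
    print(tunnel_verdicts())
    for ip in ("213.62.0.7", "213.62.128.7", "213.62.1.7", HOST_A):
        print(ip, acl102_verdict(ip))
```

Two things worth noticing when running it: the ESP and IKE packets reach the assumed `permit` because their source is the branch PIX's public address, not 192.168.2.0/24, which is exactly the answer's point; and the wildcard 0.0.128.255 in ACL 102 is non-contiguous, so it matches 213.62.0.x and 213.62.128.x but not 213.62.1.x, which is easy to misread as a /23 or /24.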

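The reasons given above for TCP DNS, as an added example that is not part of the thread: it turns the answer's three cases (a UDP reply truncated at the classic 512-byte payload, a zone transfer, and a dynamic update) into a decision on raw wire-format DNS messages, and shows the TCP framing, which is the same message behind a two-byte big-endian length prefix (RFC 1035 section 4.2.2). The query names, transaction ID and the truncated reply are constructed; the rule that updates go straight to TCP follows the answer above, not the DNS RFCs.

```python
"""When does DNS need TCP? Decided on raw wire-format messages.

Added example, not code from the thread. Messages are constructed inline.
"""
import struct

QTYPE_A, QTYPE_SOA, QTYPE_AXFR = 1, 6, 252
OPCODE_QUERY, OPCODE_UPDATE = 0, 5
UDP_MAX = 512          # classic limit for a UDP DNS payload without EDNS0
FLAG_QR, FLAG_TC, FLAG_RD = 0x8000, 0x0200, 0x0100


def encode_name(name):
    """'example.com' -> b'\\x07example\\x03com\\x00' (no label compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, opcode=OPCODE_QUERY, txid=0x1234):
    """Header + one question (for an UPDATE the same slot carries the zone)."""
    flags = (opcode & 0xF) << 11
    if opcode == OPCODE_QUERY:
        flags |= FLAG_RD
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "opcode": (flags >> 11) & 0xF,
            "tc": bool(flags & FLAG_TC), "qdcount": qd, "ancount": an}


def first_qtype(msg):
    """QTYPE of the first question: walk the labels to the terminating zero."""
    pos = 12
    while msg[pos] != 0:
        pos += msg[pos] + 1
    return struct.unpack("!H", msg[pos + 1:pos + 3])[0]


def truncated_reply(query):
    """Constructed server behaviour: the answer would exceed UDP_MAX, so the
    server sends back the header with QR=1 and TC=1 and no usable answer."""
    txid, flags, *counts = struct.unpack("!HHHHHH", query[:12])
    return struct.pack("!HHHHHH", txid, flags | FLAG_QR | FLAG_TC, *counts) + query[12:]


def needs_tcp(query, udp_reply=None):
    """Return (use_tcp, reason) for a query and the UDP reply seen so far, if any."""
    if parse_header(query)["opcode"] == OPCODE_UPDATE:
        return True, "dynamic update: straight to TCP (the thread's rule)"
    if first_qtype(query) == QTYPE_AXFR:
        return True, "zone transfer (AXFR): straight to TCP"
    if len(query) > UDP_MAX:
        return True, "query itself exceeds the UDP payload limit"
    if udp_reply is not None and parse_header(udp_reply)["tc"]:
        return True, "UDP reply truncated (TC=1): retry over TCP"
    return False, "UDP is enough"


def tcp_frame(msg):
    """TCP DNS: 2-byte big-endian length prefix, then the unchanged message."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(stream):
    """Split a TCP byte stream back into messages; a partial tail is returned."""
    msgs, pos = [], 0
    while pos + 2 <= len(stream):
        n = struct.unpack("!H", stream[pos:pos + 2])[0]
        if pos + 2 + n > len(stream):
            break
        msgs.append(stream[pos + 2:pos + 2 + n])
        pos += 2 + n
    return msgs, stream[pos:]


if __name__ == "__main__":
    q = build_query("example.com", QTYPE_A)
    print(needs_tcp(q), needs_tcp(q, truncated_reply(q)))
    print(needs_tcp(build_query("example.com", QTYPE_AXFR)))
    print(tcp_frame(q)[:2].hex(), tcp_unframe(tcp_frame(q) + tcp_frame(q))[0] == [q, q])
```

The practical consequence is the one the answer draws: a router that drops TCP/53 in general breaks nothing for ordinary lookups, because they run over UDP and only retry over TCP when a reply comes back with TC set, but it does break zone transfers and (under the thread's rule) dynamic updates, so those peers need explicit permits like the two lines in ACL 102. Resolvers that negotiate a larger UDP payload with EDNS0 see TC less often, but the fallback to TCP is still the same mechanism.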