Running an ipsec tunnel through an IOS access-list

Discussion in 'Cisco' started by Trent Collicutt, Nov 30, 2004.

  1. Hi,

    I'm relatively new to IPSec. While I work this out for myself, I
    thought I would post to see how other people have done this.

    I have a remote site, where I want to restrict traffic with an IOS
    access list. However, I have recently been informed that I require a
    Checkpoint Secureremote VPN session to be allowed to a Checkpoint NG
    firewall.

    My question is, do I have to set up special rules, or will it be
    simply a rule allowing IP traffic between the IP of that workstation
    and the firewall's IP? I would prefer to only allow IPSec traffic, if
    possible.

    I'm sure it is not overly difficult, but I'd find it interesting to
    see how others would do it and see how closely it might match my final
    solution.
    Trent Collicutt, Nov 30, 2004
    #1

  2. Ivan Ostreš (Guest)

    In article <>,
    says...
    > Hi,
    >
    > I'm relatively new to IPSec. While I work this out for myself, I
    > thought I would post to see how other people have done this.
    >
    > I have a remote site, where I want to restrict traffic with an IOS
    > access lists. However, I have recently been informed that I require a
    > Checkpoint Secureremote VPN session to be allowed to a Checkpoint NG
    > firewall.
    >
    > My question is, do I have to set up special rules, or will it be
    > simply a rule allowing IP traffic between the IP of that workstation
    > and the firewalls IP? I would prefer to only allow IPSec traffic, if
    > possible.
    >
    > I'm sure it is not overly difficult, but I'd find it interesting to
    > see how others would do it and see how closely it might match my final
    > solution.
    >


    First, as far as I remember, Checkpoint firewall can provide VPN using
    IPSec and some proprietary protocol (I don't remember how it is called),
    so that's the first thing you have to be sure about.

    You should be able to allow just the ports/protocols needed for VPN
    usage with no problem.

    --
    -Ivan.

    *** Use Rot13 to see my eMail address ***
    Ivan Ostreš, Nov 30, 2004
    #2

  3. Scooby (Guest)

    "Ivan Ostres" <> wrote in message
    news:...
    > In article <>,
    > says...
    > > Hi,
    > >
    > > I'm relatively new to IPSec. While I work this out for myself, I
    > > thought I would post to see how other people have done this.
    > >
    > > I have a remote site, where I want to restrict traffic with an IOS
    > > access lists. However, I have recently been informed that I require a
    > > Checkpoint Secureremote VPN session to be allowed to a Checkpoint NG
    > > firewall.
    > >
    > > My question is, do I have to set up special rules, or will it be
    > > simply a rule allowing IP traffic between the IP of that workstation
    > > and the firewalls IP? I would prefer to only allow IPSec traffic, if
    > > possible.
    > >
    > > I'm sure it is not overly difficult, but I'd find it interesting to
    > > see how others would do it and see how closely it might match my final
    > > solution.
    > >

    >
    > First, as far as I remember, Chkpoint firewall can provide VPN using
    > IPSec and some proprietary protocol (I don't remember how is it called),
    > so that's the first thing you have to be sure about.
    >
    > You should be able to allow just needed ports/protocols needed for VPN
    > usage with no problem.
    >
    > --
    > -Ivan.
    >
    > *** Use Rot13 to see my eMail address ***


    It does depend a little bit on the implementation of IPsec. But, here is an
    example of what I use for Cisco DMVPN:

    permit gre host <ip> host <ip>
    permit udp host <ip> host <ip> eq isakmp
    permit esp host <ip> host <ip>

    Also, I've never taken any hits on this, but a line I've seen before is
    this:

    permit udp any host <ip> eq non500-isakmp

    Hope that helps,

    Jim
    Scooby, Nov 30, 2004
    #3
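    As an added example, not code from the thread: a small Python evaluator for IOS-style extended ACL entries in the form Jim posted, run against constructed packets to check what an "IPsec only" ACL for the workstation-to-firewall direction permits (IKE on UDP/500, NAT-T on UDP/4500, ESP) and that everything else falls through to the implicit deny. It assumes the `eqp` line was meant as `esp`, uses constructed documentation addresses in place of `<ip>`, and ignores ACL direction and return traffic.

```python
# Added example, not from the thread: a tiny evaluator for IOS-style extended
# ACL entries, used to confirm what an "IPsec only" ACL actually permits.
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "http": 80, "https": 443}
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ahp": 51}

def parse_entry(line):
    """Parse 'permit|deny <proto> (host A|any) (host B|any) [eq <port>]'."""
    t = line.split()
    action, proto, addrs, i = t[0], t[1], [], 2
    for _ in range(2):                      # source, then destination
        if t[i] == "any":
            addrs.append(None); i += 1
        else:                               # 'host <ip>'
            addrs.append(t[i + 1]); i += 2
    dport = None
    if i < len(t) and t[i] == "eq":         # 'eq' after the destination = dst port
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return {"action": action, "proto": proto, "src": addrs[0], "dst": addrs[1], "dport": dport}

def entry_matches(e, pkt):
    """pkt: dict with src, dst, proto (IP protocol number) and optional dport."""
    proto_ok = e["proto"] == "ip" or PROTO_NUMBERS[e["proto"]] == pkt["proto"]
    addr_ok = e["src"] in (None, pkt["src"]) and e["dst"] in (None, pkt["dst"])
    port_ok = e["dport"] is None or e["dport"] == pkt.get("dport")
    return proto_ok and addr_ok and port_ok

def evaluate(acl, pkt):
    """First matching entry wins; no match means the implicit deny at the end."""
    for line in acl:
        e = parse_entry(line)
        if entry_matches(e, pkt):
            return e["action"]
    return "deny"

WS, FW = "192.0.2.10", "198.51.100.1"       # constructed sample addresses
IPSEC_ONLY_ACL = [
    f"permit udp host {WS} host {FW} eq isakmp",         # IKE on UDP/500
    f"permit udp host {WS} host {FW} eq non500-isakmp",  # NAT-T on UDP/4500
    f"permit esp host {WS} host {FW}",                   # ESP, IP protocol 50
]
SAMPLE_PACKETS = {  # constructed traffic arriving from the workstation side
    "ike":   {"src": WS, "dst": FW, "proto": 17, "dport": 500},
    "nat_t": {"src": WS, "dst": FW, "proto": 17, "dport": 4500},
    "esp":   {"src": WS, "dst": FW, "proto": 50},
    "https": {"src": WS, "dst": FW, "proto": 6, "dport": 443},
    "ike_other_host": {"src": "192.0.2.77", "dst": FW, "proto": 17, "dport": 500},
}

def check_all(acl=IPSEC_ONLY_ACL):
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLE_PACKETS.items()}
```

Dropping the `non500-isakmp` line makes the NAT-T packet fall to the implicit deny, which is the failure you would see with a SecureRemote client behind NAT.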
  4. Guest

    Scooby wrote:
    > "Ivan Ostres" <> wrote in message
    > news:...
    > > In article <>,
    > > says...
    > > > Hi,
    > > >
    > > > I'm relatively new to IPSec. While I work this out for myself, I
    > > > thought I would post to see how other people have done this.
    > > >
    > > > I have a remote site, where I want to restrict traffic with an IOS
    > > > access lists. However, I have recently been informed that I require a
    > > > Checkpoint Secureremote VPN session to be allowed to a Checkpoint NG
    > > > firewall.
    > > >
    > > > My question is, do I have to set up special rules, or will it be
    > > > simply a rule allowing IP traffic between the IP of that workstation
    > > > and the firewalls IP? I would prefer to only allow IPSec traffic, if
    > > > possible.
    > > >
    > > > I'm sure it is not overly difficult, but I'd find it interesting to
    > > > see how others would do it and see how closely it might match my final
    > > > solution.
    > > >
    > >
    > > First, as far as I remember, Chkpoint firewall can provide VPN using
    > > IPSec and some proprietary protocol (I don't remember how is it called),
    > > so that's the first thing you have to be sure about.
    > >
    > > You should be able to allow just needed ports/protocols needed for VPN
    > > usage with no problem.
    > >
    > > --
    > > -Ivan.
    > >
    > > *** Use Rot13 to see my eMail address ***
    >
    > It does depend a little bit on the implementation of ipsec. But, here is an
    > example of what I use for Cisco dmvpn:
    >
    > permit gre host <ip> host <ip>
    > permit udp host <ip> host <ip> eq isakmp
    > permit esp host <ip> host <ip>
    >
    > Also, I've never taken any hits on this, but a line I've seen before is
    > this:
    >
    > permit udp any host <ip> eq non500-isakmp
    >
    > Hope that helps,
    >
    > Jim


    I haven't seen the last line before. I have seen the first three.

    I have seen posts where specific ports are also required for an older
    version of Checkpoint, but our admin doesn't know what is required for
    the new one.

    I'll give this a try. Maybe I'll break out a copy of Ethereal and see
    what's what.
    , Dec 2, 2004
    #4