Thursday, April 20, 2006

 

Non-mirror IPSec ACLs. (Question #57)

Consider this variation on the problem posed in question #56 in the last post. Assume that the ACLs defined in the two routers are changed to the following instead:

Router1

access-list 101 permit ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255

Router2

access-list 101 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255

Note that the two ACLs are now not perfect mirror images of each other.

Which of the following ping attempts (if any) will succeed?

1. ping 192.168.1.254 source 10.1.1.254 from Router1
2. ping 10.1.1.254 source 192.168.1.254 from Router2

Comments:
One probably simple question, but not for me (for some reason I could not find it in Google):
How to set up IOS to be able to connect with an IPsec\L2TP tunnel from, for example, Windows XP?
 
It is recommended by Cisco to always use mirrored access lists.

However, in this case the access-list that is a subset of the other will work:

2. ping 10.1.1.254 source 192.168.1.254 from Router2

-------------------
To answer Marek's question...shouldn't he investigate vpdn?
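The subset rule mentioned in the comments can be checked mechanically. The following Python sketch is an added example, not part of the original post or of any Cisco tooling. It assumes a simplified model: no SA exists before each ping, the initiator proposes the networks from its own crypto ACL, and the responder accepts only if that proposal falls within the mirror of its own ACL. All function names are hypothetical.

```python
import ipaddress
import re

# The two crypto ACL lines from the post, embedded as sample input.
ROUTER1_ACL = "access-list 101 permit ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255"
ROUTER2_ACL = "access-list 101 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255"

ACL_RE = re.compile(r"access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)$")


def parse_acl(line):
    """Return (local_net, remote_net) for a 'permit ip net wildcard net wildcard' line."""
    m = ACL_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACL line: {line!r}")
    src, src_wc, dst, dst_wc = m.groups()
    # ipaddress accepts the wildcard (host mask) notation directly.
    return (ipaddress.ip_network(f"{src}/{src_wc}"),
            ipaddress.ip_network(f"{dst}/{dst_wc}"))


def is_interesting(acl, src_ip, dst_ip):
    """True if the packet matches the local crypto ACL and so triggers negotiation."""
    local, remote = acl
    return (ipaddress.ip_address(src_ip) in local
            and ipaddress.ip_address(dst_ip) in remote)


def responder_accepts(initiator_acl, responder_acl):
    """Assumed rule: the proposal must sit inside the mirror of the responder's ACL."""
    i_local, i_remote = initiator_acl
    r_local, r_remote = responder_acl
    return i_local.subnet_of(r_remote) and i_remote.subnet_of(r_local)


def ping_succeeds(initiator_acl, responder_acl, src_ip, dst_ip):
    """Model one ping that has to bring the tunnel up from the initiator's side."""
    return (is_interesting(initiator_acl, src_ip, dst_ip)
            and responder_accepts(initiator_acl, responder_acl))


def quiz_results():
    r1, r2 = parse_acl(ROUTER1_ACL), parse_acl(ROUTER2_ACL)
    return {
        "ping1_from_router1": ping_succeeds(r1, r2, "10.1.1.254", "192.168.1.254"),
        "ping2_from_router2": ping_succeeds(r2, r1, "192.168.1.254", "10.1.1.254"),
    }


if __name__ == "__main__":
    for name, ok in quiz_results().items():
        print(name, "succeeds" if ok else "fails")
```

Under this model Router1's 10.0.0.0/8 proposal is wider than what Router2 protects, so only the negotiation started from Router2 is accepted.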
 