Thursday, April 20, 2006


Non-mirror IPSec ACLs. (Question #57)

Consider this variation on the problem posed in question #56 in the last post. Assume that the ACLs defined on the two routers are changed to the following instead:

Router1

access-list 101 permit ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255

Router2

access-list 101 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255

Note that the two ACLs are now no longer perfect mirror images of each other.

Which of the following ping attempts (if any) will succeed?

1. ping 192.168.1.254 source 10.1.1.254 from Router1
2. ping 10.1.1.254 source 192.168.1.254 from Router2


IPSec Access List. (Question #56)

Consider two routers connected via their serial interfaces and configured for IPSec with the following config:

Router1

crypto isakmp policy 1
 authentication pre-share
 group 2
 lifetime 28000
crypto isakmp key cisco address 172.16.1.2
!
crypto ipsec transform-set myset ah-sha-hmac esp-des
!
crypto map mymap 1 ipsec-isakmp
 set peer 172.16.1.2
 set transform-set myset
 match address 101
!
interface Ethernet0
 ip address 10.1.1.254 255.255.255.0
 no keepalive
 no clns route-cache
!
interface Serial2
 ip address 172.16.1.1 255.255.0.0
 no keepalive
 serial restart-delay 0
 no clns route-cache
 crypto map mymap
!
access-list 101 permit icmp 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255


Router2

crypto isakmp policy 1
 authentication pre-share
 group 2
 lifetime 28000
crypto isakmp key cisco address 172.16.1.1
!
crypto ipsec transform-set myset ah-sha-hmac esp-des
!
crypto map mymap 1 ipsec-isakmp
 set peer 172.16.1.1
 set transform-set myset
 match address 101
!
interface Ethernet0
 ip address 192.168.1.254 255.255.255.0
 no keepalive
 no clns route-cache
!
interface Serial2
 ip address 172.16.1.2 255.255.0.0
 no keepalive
 serial restart-delay 0
 no clns route-cache
 crypto map mymap
!
access-list 101 permit icmp 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255


Will the following ping command issued on Router1 succeed?

ping 192.168.1.254 source 10.1.1.254

Will the fact that UDP (which is used by IKE for key negotiation) is being denied by the ACL in the crypto map cause a problem?
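Both questions (#56 and #57) turn on what traffic each router's crypto ACL selects and whether the two sides agree. The Python below is an added example, not code from the original posts: it parses the four access-list lines on this page into networks, checks whether two crypto ACLs are exact mirror images, tests whether a given packet is interesting traffic for a crypto map, and reports whether the peer's ACL covers the mirror of each local entry. The function names and the proxy-identity model in `peer_covers` (a simplified assumption, not a statement of the IOS implementation) are mine.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    """One crypto-ACL entry: protocol plus source and destination networks."""
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    def mirror(self):
        """The entry the peer must hold for this one to be a perfect mirror image."""
        return Ace(self.proto, self.dst, self.src)
    def covers(self, other):
        """True when every flow matched by `other` is also matched by this entry."""
        return (self.proto in ("ip", other.proto)
                and other.src.subnet_of(self.src) and other.dst.subnet_of(self.dst))

def _net(tokens):
    """Consume `ADDRESS WILDCARD` from the token list and return the IPv4Network."""
    addr, wildcard = tokens.pop(0), int(ipaddress.IPv4Address(tokens.pop(0)))
    netmask = str(ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF))  # invert wildcard bits
    return ipaddress.IPv4Network((addr, netmask), strict=False)

def parse_ace(line):
    """Parse `access-list N permit PROTO SRC WC DST WC` as written in the configs above."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "permit":
        raise ValueError(f"unsupported ACL line: {line}")
    rest = t[4:]
    return Ace(t[3], _net(rest), _net(rest))

def is_mirror(acl_a, acl_b):
    """True when every entry on one side has its exact reverse on the other side."""
    return {a.mirror() for a in acl_a} == set(acl_b)

def is_interesting(acl, proto, src, dst):
    """True if a `proto` packet src->dst matches the crypto ACL (i.e. will be protected)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return any(a.proto in ("ip", proto) and s in a.src and d in a.dst for a in acl)

def peer_covers(local_acl, peer_acl):
    """Per local entry: does some peer entry cover its mirror image? Assumed simplified
    model: an initiator proposes proxy identities taken from its matching local entry."""
    return [any(p.covers(a.mirror()) for p in peer_acl) for a in local_acl]

# Constructed from the four access-list lines on this page.
Q56_R1 = [parse_ace("access-list 101 permit icmp 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255")]
Q56_R2 = [parse_ace("access-list 101 permit icmp 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255")]
Q57_R1 = [parse_ace("access-list 101 permit ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255")]
Q57_R2 = [parse_ace("access-list 101 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255")]
```

Note that `is_interesting(Q56_R1, "udp", "172.16.1.1", "172.16.1.2")` is False: the crypto ACL only selects traffic to be protected by the SA and is not applied to the IKE exchange itself, which is the point of the UDP question above.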
