Thursday, April 20, 2006
Non-mirror IPSec ACLs. (Question #57)
Consider this variation on the problem posed in question #56 in the previous post. Assume that the ACLs defined in the two routers are changed to the following instead:
Router1
access-list 101 permit ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255
Router2
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
Note that the two ACLs are no longer perfect mirror images of each other: Router1 selects the whole of 10.0.0.0/8, while Router2 selects only 10.1.1.0/24.
Which of the following ping attempts (if any) will succeed?
1. ping 192.168.1.254 source 10.1.1.254 from Router1
2. ping 10.1.1.254 source 192.168.1.254 from Router2
IPSec Access List. (Question #56)
Consider two routers connected via their serial interfaces and configured for IPSec with the following configurations:
Router1
crypto isakmp policy 1
authentication pre-share
group 2
lifetime 28000
crypto isakmp key cisco address 172.16.1.2
!
crypto ipsec transform-set myset ah-sha-hmac esp-des
!
crypto map mymap 1 ipsec-isakmp
set peer 172.16.1.2
set transform-set myset
match address 101
!
interface Ethernet0
ip address 10.1.1.254 255.255.255.0
no keepalive
no clns route-cache
!
interface Serial2
ip address 172.16.1.1 255.255.0.0
no keepalive
serial restart-delay 0
no clns route-cache
crypto map mymap
!
access-list 101 permit icmp 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
Router2
crypto isakmp policy 1
authentication pre-share
group 2
lifetime 28000
crypto isakmp key cisco address 172.16.1.1
!
crypto ipsec transform-set myset ah-sha-hmac esp-des
!
crypto map mymap 1 ipsec-isakmp
set peer 172.16.1.1
set transform-set myset
match address 101
!
interface Ethernet0
ip address 192.168.1.254 255.255.255.0
no keepalive
no clns route-cache
!
interface Serial2
ip address 172.16.1.2 255.255.0.0
no keepalive
serial restart-delay 0
no clns route-cache
crypto map mymap
!
access-list 101 permit icmp 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
Will the following ping command issued on Router1 succeed?
ping 192.168.1.254 source 10.1.1.254
Will the fact that UDP (which IKE uses for key negotiation, on port 500 between 172.16.1.1 and 172.16.1.2) is not permitted by access-list 101, the ACL referenced by the crypto map, cause a problem?
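To reason about both questions #56 and #57 without a lab, it helps to evaluate the crypto ACLs mechanically: which packets of the ping (echo out, reply back) each side's ACL selects for protection, whether the two ACLs are mirror images, and how the initiator's selector relates to the responder's (equal, narrower, wider). The following Python script is an added example and is not code from the original posts or from Cisco; the only inputs it uses are the access-list lines, ping addresses and IKE peer addresses quoted on this page. It parses only the ACE shapes used here (permit, protocol, address plus contiguous wildcard mask, host, any) and models traffic selection only; it does not model the IKE negotiation itself, so whether a given IOS release accepts a wider or narrower proxy identity remains the question being asked.

```python
"""Evaluate Cisco IOS crypto ACLs against a ping and compare two peers' ACLs.

Added example for questions #56 and #57; not the posts' own code.
Assumptions: ACEs look like 'access-list N permit <proto> <src> <wc> <dst> <wc>'
(or 'host A' / 'any'), and wildcard masks are contiguous.
"""
import ipaddress
from typing import List, NamedTuple, Optional


class Ace(NamedTuple):
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _wildcard_to_prefixlen(wildcard: str) -> int:
    """Convert an IOS wildcard mask (0 bits = must match) to a prefix length.
    Done by hand because 0.0.0.0 / 255.255.255.255 are ambiguous to ipaddress."""
    netmask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    prefixlen = bin(netmask).count("1")
    if netmask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return prefixlen


def _take_addr(tok: List[str], i: int):
    """Parse one address spec at tok[i]; return (network, index after it)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    plen = _wildcard_to_prefixlen(tok[i + 1])
    return ipaddress.ip_network(f"{tok[i]}/{plen}", strict=False), i + 2


def parse_crypto_acl(config_text: str) -> List[Ace]:
    """Return the permit ACEs of every 'access-list' line (deny lines select nothing)."""
    aces = []
    for line in config_text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2] != "permit":
            continue
        src, i = _take_addr(tok, 4)
        dst, _ = _take_addr(tok, i)
        aces.append(Ace(tok[3], src, dst))
    return aces


def select(aces: List[Ace], proto: str, src_ip: str, dst_ip: str) -> Optional[Ace]:
    """First ACE that selects the flow for IPsec, or None if no entry matches."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace.proto in ("ip", proto) and s in ace.src and d in ace.dst:
            return ace
    return None


def mirror_of(ace: Ace) -> Ace:
    return Ace(ace.proto, ace.dst, ace.src)


def is_mirror(aces_a: List[Ace], aces_b: List[Ace]) -> bool:
    """True when every ACE on one side has its exact swapped twin on the other."""
    return set(aces_a) == {mirror_of(b) for b in aces_b}


def proxy_relation(init_ace: Ace, resp_ace: Ace) -> str:
    """Compare the initiator's selector with the responder's, viewed from the
    initiator's direction: 'equal', 'initiator_narrower', 'initiator_wider' or 'overlap'."""
    r = mirror_of(resp_ace)
    if (init_ace.src, init_ace.dst) == (r.src, r.dst):
        return "equal"
    if init_ace.src.subnet_of(r.src) and init_ace.dst.subnet_of(r.dst):
        return "initiator_narrower"
    if r.src.subnet_of(init_ace.src) and r.dst.subnet_of(init_ace.dst):
        return "initiator_wider"
    return "overlap"


def check_ping(init_aces: List[Ace], resp_aces: List[Ace], src_ip: str, dst_ip: str) -> dict:
    """Trace an ICMP echo (initiator -> responder) and its reply through both ACLs."""
    out = select(init_aces, "icmp", src_ip, dst_ip)
    back = select(resp_aces, "icmp", dst_ip, src_ip)
    return {
        "echo_selected": out is not None,
        "reply_selected": back is not None,
        "proxy": proxy_relation(out, back) if out and back else None,
    }


# ACL lines as quoted on the page (question #56 and question #57).
ROUTER1_Q56 = "access-list 101 permit icmp 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255"
ROUTER2_Q56 = "access-list 101 permit icmp 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255"
ROUTER1_Q57 = "access-list 101 permit ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255"
ROUTER2_Q57 = "access-list 101 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255"

if __name__ == "__main__":
    r1, r2 = parse_crypto_acl(ROUTER1_Q56), parse_crypto_acl(ROUTER2_Q56)
    print("Q56 mirror:", is_mirror(r1, r2), check_ping(r1, r2, "10.1.1.254", "192.168.1.254"))
    print("Q56 IKE udp/500 selected by R1 ACL:", select(r1, "udp", "172.16.1.1", "172.16.1.2"))
    r1, r2 = parse_crypto_acl(ROUTER1_Q57), parse_crypto_acl(ROUTER2_Q57)
    print("Q57 mirror:", is_mirror(r1, r2))
    print("Q57 ping 1 (from Router1):", check_ping(r1, r2, "10.1.1.254", "192.168.1.254"))
    print("Q57 ping 2 (from Router2):", check_ping(r2, r1, "192.168.1.254", "10.1.1.254"))
```

Running it shows that in question #56 the echo and the reply are each selected and the two selectors are exact mirrors, that the IKE packets between the serial addresses match no entry of either ACL, and that in question #57 ping 1 has Router1 proposing a wider identity (10.0.0.0/8) than Router2's entry while ping 2 has Router2 proposing a narrower one; what each router does with that mismatch is what the question asks.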