Existing ACLs on perimeter routers, PIX Security Appliances, or other routers
need to be checked to ensure that they do not block IPSec traffic. Perimeter
routers typically implement a restrictive security policy with ACLs, where only
specific traffic is permitted and all other traffic is denied. Such a
restrictive policy blocks IPSec traffic, so specific permit statements need to
be added to the ACL to allow it.

Ensure that the ACLs are configured so that ISAKMP, Encapsulating Security
Payload (ESP), and Authentication Header (AH) traffic is not blocked at
interfaces used by IPSec. ISAKMP uses UDP port 500, ESP is assigned IP protocol
number 50, and AH is assigned IP protocol number 51. In some cases, a statement
may need to be added to router ACLs to explicitly permit this traffic. ACL
statements can be added to the perimeter router by performing the following
steps:
Step 1 Examine the current ACL configuration at the perimeter router and
determine if it will block IPSec traffic:

RouterA#show access-lists
Step 2 Add ACL entries to permit IPSec traffic. To do this, modify the existing
ACL as follows:

- Copy the existing ACL configuration and paste it into a text editor.
- Add the new ACL entries to the top of the list in the text editor, so that
  they are evaluated before any deny statement that would otherwise match the
  IPSec traffic.
- Delete the existing ACL with the no access-list access-list-number command.
- Enter configuration mode and copy and paste the new ACL into the router.
- Verify that the ACL is correct with the show access-lists command.
NOTE: The protocol keyword esp equals the ESP protocol number 50, the keyword
ahp equals the AH protocol number 51, and the port keyword isakmp equals UDP
port 500.
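The check in Step 1 and the ordering rule in Step 2 can be automated. The following Python script is an added example, not part of the original text: it parses numbered extended ACL lines as they appear in the running configuration, applies IOS first-match semantics (including the implicit deny at the end of every ACL), and reports whether ISAKMP, ESP and AH from a given peer would be permitted. The ACL number, addresses and the surrounding permit/deny entries are constructed sample data; the keyword-to-number mapping (esp = 50, ahp = 51, isakmp = UDP 500) is the one stated in the NOTE. The third sample ACL shows the failure mode the procedure warns about: the same three permit entries appended below the deny are shadowed and never take effect.

```python
"""Check whether a Cisco IOS numbered extended ACL blocks IPSec traffic.

Added example (not from the original text). ACL text below is constructed
sample data; only the keyword/number mapping comes from the NOTE above.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# IOS protocol keywords and their IP protocol numbers. esp/ahp/isakmp as
# stated in the NOTE; udp/tcp/icmp are the standard assigned numbers.
PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17, "esp": 50, "ahp": 51}
PORT_NAMES = {"isakmp": 500}

ACE_RE = re.compile(
    r"^access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>\S+)\s+(?P<rest>.*)$"
)


@dataclass
class Ace:
    action: str
    proto: Optional[int]            # None means "ip" (matches any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]            # None means any destination port


def _parse_addr(tokens):
    """Consume one IOS address spec: any | host A.B.C.D | A.B.C.D WILDCARD."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # IOS wildcard masks are inverted netmasks: 0 bits must match.
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    netmask = ipaddress.ip_address(wildcard ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False)


def _parse_proto(tok):
    if tok == "ip":
        return None
    return int(tok) if tok.isdigit() else PROTO_NUMBERS[tok]


def parse_acl(text, acl_number):
    """Return the ACEs of one numbered ACL, in configuration order."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m or int(m["num"]) != acl_number:
            continue
        tokens = m["rest"].split()
        src = _parse_addr(tokens)
        dst = _parse_addr(tokens)
        dport = None
        if tokens[:1] == ["eq"]:
            port = tokens[1]
            dport = PORT_NAMES[port] if port in PORT_NAMES else int(port)
        aces.append(Ace(m["action"], _parse_proto(m["proto"]), src, dst, dport))
    return aces


def first_match(aces, proto, src, dst, dport=None):
    """IOS first-match evaluation; unmatched traffic hits the implicit deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto is not None and ace.proto != proto:
            continue
        if src_ip not in ace.src or dst_ip not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


def ipsec_verdict(aces, peer, local):
    """Verdict for each IPSec flow from the remote peer to the local endpoint."""
    return {
        "isakmp": first_match(aces, PROTO_NUMBERS["udp"], peer, local, 500),
        "esp": first_match(aces, PROTO_NUMBERS["esp"], peer, local),
        "ahp": first_match(aces, PROTO_NUMBERS["ahp"], peer, local),
    }


# Constructed sample ACLs (addresses and ACL number are made up).
ACL_BEFORE = """
access-list 102 permit tcp any host 172.30.1.2 eq 443
access-list 102 permit icmp 172.30.0.0 0.0.255.255 any
access-list 102 deny ip any any
"""
IPSEC_ENTRIES = """
access-list 102 permit udp host 172.30.2.2 host 172.30.1.2 eq isakmp
access-list 102 permit esp host 172.30.2.2 host 172.30.1.2
access-list 102 permit ahp host 172.30.2.2 host 172.30.1.2
"""
ACL_AFTER = IPSEC_ENTRIES + ACL_BEFORE        # entries at the top (Step 2)
ACL_MISPLACED = ACL_BEFORE + IPSEC_ENTRIES    # entries below the deny: shadowed

if __name__ == "__main__":
    for name, text in (("before", ACL_BEFORE), ("after", ACL_AFTER),
                       ("misplaced", ACL_MISPLACED)):
        print(name, ipsec_verdict(parse_acl(text, 102), "172.30.2.2", "172.30.1.2"))
```

Run against the real configuration by replacing the constructed ACL text with the pasted `access-list` lines and the peer and local addresses with the actual IPSec endpoints; any flow reported as "deny" is one the permit statements from Step 2 must cover, and a "deny" for entries that are present in the ACL indicates they sit below a matching deny statement.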