Section 5.0: IPSec/GRE Configuration

5.1. IPSec LAN-to-LAN Through the Firewall Using CA

  1. This is a tricky question. Overlapping networks on R1 and R5——need to be encrypted.

  2. Because the two LANs overlap, an IPSec access list cannot be written directly for the real addresses. The solution is to configure NAT on both ends and use the NATed (translated) addresses in the IPSec ACL. See Example 4-26. On an ingress IPSec packet, NAT is performed first, followed by the IPSec ACL.


    See the following URL for more information about the order of operation:

    NAT Order of Operation

  3. A static NAT for R1 is already configured on the PIX; use this NATed address on R5 as the IPSec peer. Create an ACL on the PIX permitting ESP, UDP/500 (ISAKMP), and TCP/80 (for CA enrollment). See Example 4-27.

  4. Configure IPSec ...
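The configuration below is an added illustration of steps 2 and 3, not the book's Example 4-26/4-27 and not the lab's actual addressing. All networks, interface names, peer addresses and the ACL name are constructed: both LANs are assumed to overlap on 10.1.1.0/24 and are translated to 172.16.1.0/24 (R1 side) and 172.16.2.0/24 (R5 side); R1's inside address 192.0.2.10 is assumed to be statically NATed on the PIX to 198.51.100.10, R5's public address is 203.0.113.5, and the CA is assumed to sit behind the PIX at a static of 198.51.100.20. On IOS, inside-to-outside NAT is applied before the crypto map is evaluated, which is why the crypto ACL must name the translated networks.

```cisco
! ===== R1 (behind the PIX); constructed example addresses =====
! Translate the overlapping LAN to a unique range before the crypto check
ip nat inside source static network 10.1.1.0 172.16.1.0 /24
!
interface FastEthernet0/0
 description LAN (overlaps with R5's LAN)
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description towards PIX inside interface
 ip address 192.0.2.10 255.255.255.0
 ip nat outside
 crypto map VPN
!
! Authenticate peers with certificates from the CA rather than pre-shared keys
crypto isakmp policy 10
 authentication rsa-sig
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
! Crypto ACL references the NATed networks on both ends, never 10.1.1.0/24
access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.5
 set transform-set TS
 match address 101
!
! ===== R5 (mirror image); peer is R1's static NAT address on the PIX =====
ip nat inside source static network 10.1.1.0 172.16.2.0 /24
crypto isakmp policy 10
 authentication rsa-sig
crypto ipsec transform-set TS esp-3des esp-sha-hmac
access-list 101 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set TS
 match address 101
!
! ===== PIX (between R1 and R5); PIX 6.x syntax =====
! Static NAT for R1 (assumed already present per step 3) and for the CA
static (inside,outside) 198.51.100.10 192.0.2.10 netmask 255.255.255.255
static (inside,outside) 198.51.100.20 192.0.2.20 netmask 255.255.255.255
!
! Only the traffic the tunnel and the enrollment need is allowed inbound
access-list OUTSIDE_IN permit esp host 203.0.113.5 host 198.51.100.10
access-list OUTSIDE_IN permit udp host 203.0.113.5 host 198.51.100.10 eq isakmp
access-list OUTSIDE_IN permit tcp host 203.0.113.5 host 198.51.100.20 eq www
access-group OUTSIDE_IN in interface outside
```

With this in place a host on R1's LAN reaches an R5 host as 172.16.2.x; R1 translates the source to 172.16.1.x, the packet then matches ACL 101 and is encrypted to 203.0.113.5, and the PIX sees only ESP and ISAKMP between the two peers plus the HTTP enrollment traffic to the CA.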
