Section 5.0: IPSec/GRE Configuration

5.1. IPSec LAN-to-LAN Through the Firewall Using CA

  1. This is a tricky question. The networks behind R1 and R5 overlap (both use 10.1.1.0/24), and traffic between them must be encrypted.

  2. An IPSec access list cannot be written directly for overlapping addresses, because the same 10.1.1.0/24 would appear as both source and destination. The solution is to configure NAT on both ends and use the translated (NATed) addresses in the IPSec ACL. See Example 4-26. For a packet entering the router from the inside, NAT is applied first and the IPSec ACL is evaluated afterward against the translated addresses.

    TIP

    See the following URL for more information about the order of operation:

    NAT Order of Operation

    www.cisco.com/warp/public/556/5.html

  3. Static NAT on the PIX is already configured for R1 as 140.52.0.100. Use this address on R5 as the IPSec peer. Create an ACL on the PIX that permits ESP, UDP/500 (ISAKMP), and TCP/80 (for CA enrollment). See Example 4-27.

  4. Configure IPSec ...
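The following configuration fragment is an added illustration of steps 1 through 4 and is not the book's Example 4-26 or 4-27. It assumes translated ranges of 192.168.1.0/24 for R1 and 192.168.5.0/24 for R5, the interface and ACL names shown, 3DES/SHA crypto parameters, and placeholders for R5's outside address and the CA's translated address, none of which appear on the page. Only 140.52.0.100 (R1's static NAT on the PIX) is taken from the lab text.

```cisco
! --- R1 (assumed names and addresses; R5 is the mirror image with 192.168.5.0/24) ---
! Translate the overlapping inside subnet to a unique global range BEFORE encryption.
! Static network NAT is bidirectional, so decrypted return traffic to 192.168.1.x
! is mapped back to 10.1.1.x on the way in.
ip nat inside source static network 10.1.1.0 192.168.1.0 /24
!
! The crypto ACL matches the TRANSLATED addresses, never the overlapping 10.1.1.0/24.
ip access-list extended CRYPTO-ACL
 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
!
! ISAKMP with certificate (rsa-sig) authentication, since the lab enrolls with a CA.
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication rsa-sig
 group 2
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
crypto map VPN 10 ipsec-isakmp
 ! Placeholder: R5's outside address is not given on the page.
 set peer R5-OUTSIDE-ADDRESS
 set transform-set TS
 match address CRYPTO-ACL
!
interface FastEthernet0/0
 description inside LAN 10.1.1.0/24 (assumed interface name)
 ip nat inside
!
interface Serial0/0
 description toward the PIX and R5 (assumed interface name)
 ip nat outside
 crypto map VPN
!
! --- R5 differences only ---
ip nat inside source static network 10.1.1.0 192.168.5.0 /24
ip access-list extended CRYPTO-ACL
 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto map VPN 10 ipsec-isakmp
 ! R1 is reached through its PIX static translation (from the lab text).
 set peer 140.52.0.100
 set transform-set TS
 match address CRYPTO-ACL
!
! --- PIX (assumed ACL name; the static for R1 -> 140.52.0.100 is already present) ---
! Permit only what the tunnel and enrollment need, from R5's outside address.
access-list OUTSIDE_IN permit esp host R5-OUTSIDE-ADDRESS host 140.52.0.100
access-list OUTSIDE_IN permit udp host R5-OUTSIDE-ADDRESS host 140.52.0.100 eq 500
! TCP/80 for CA enrollment; the CA's translated address is a placeholder.
access-list OUTSIDE_IN permit tcp host R5-OUTSIDE-ADDRESS host CA-GLOBAL-ADDRESS eq 80
access-group OUTSIDE_IN in interface outside
```

Hosts on either side address the remote LAN by its translated range (an R1 host reaches an R5 host at 192.168.5.x), which is what keeps the destination from colliding with the local 10.1.1.0/24 route. After the tunnel is up, `show crypto ipsec sa` should report the translated subnets as the local and remote identities, and `show ip nat translations` should show the network translation entries; if the crypto ACL had been written with 10.1.1.0/24 the SA would never match.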
