
CCIE Security Practice Labs by Fahim Hussain and Yusuf Bhaiji


Section 5.0: IPSec/GRE Configuration

5.1. IPSec LAN-to-LAN Through the Firewall Using CA

  1. This is a tricky question. The overlapping networks on R1 and R5 (both 10.1.1.0/24) need to be encrypted.

  2. The IPSec access list cannot be written directly for overlapping networks. The solution is to configure NAT on both ends and use the NATed addresses in the IPSec ACL. See Example 4-26. On an ingress IPSec packet, NAT is performed first, followed by the IPSec ACL.

    TIP

    See the following URL for more information about the order of operation:

    NAT Order of Operation

    www.cisco.com/warp/public/556/5.html

  3. Static NAT on the PIX is already configured for R1 as 140.52.0.100. Use this address on R5 for IPSec peering. Create an ACL on the PIX permitting ESP, UDP/500 (ISAKMP), and TCP/80 (for CA enrollment). See Example 4-27.

  4. Configure IPSec ...
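
The NAT-plus-crypto-ACL arrangement from steps 2 and 3, as an added configuration sketch (not the book's Example 4-26 or 4-27): each router translates its overlapping 10.1.1.0/24 to a distinct range before the crypto check, the crypto ACL matches only translated addresses, and the PIX admits only ESP, ISAKMP and HTTP from the peer. The interface names, the translated ranges 192.168.1.0/24 and 192.168.5.0/24, the map and ACL names, and the placeholders R5_PUBLIC, R1_OUTSIDE and CA_SERVER are assumptions; 140.52.0.100 and 10.1.1.0/24 come from the text.

```cisco
! --- R1 (IOS). Assumed: Ethernet0 = inside, Serial0 = outside.
! Translate the overlapping 10.1.1.0/24 to an assumed unique range;
! inside-to-outside NAT runs before the crypto map inspects the packet.
ip nat inside source static network 10.1.1.0 192.168.1.0 /24
!
! Crypto ACL matches translated addresses only; R5 is assumed to
! translate its own 10.1.1.0/24 to 192.168.5.0/24 the same way.
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
!
crypto isakmp policy 10
 authentication rsa-sig          ! CA-issued certificates, not pre-shared keys
crypto ipsec transform-set STRONG esp-aes esp-sha-hmac
crypto map L2L 10 ipsec-isakmp
 set peer R5_PUBLIC              ! placeholder: R5's outside address
 set transform-set STRONG
 match address 101
!
interface Ethernet0
 ip nat inside
interface Serial0
 ip nat outside
 crypto map L2L
!
! --- R5 (IOS), mirror of R1 (isakmp policy, transform-set and
! interface NAT roles as on R1); the peer is R1's NATed address on the PIX.
ip nat inside source static network 10.1.1.0 192.168.5.0 /24
access-list 101 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto map L2L 10 ipsec-isakmp
 set peer 140.52.0.100
 set transform-set STRONG
 match address 101
!
: --- PIX (6.x syntax). R1 is presented to the outside as 140.52.0.100.
: placeholder R1_OUTSIDE: R1's real outside address behind the PIX
static (inside,outside) 140.52.0.100 R1_OUTSIDE netmask 255.255.255.255
:
: Admit only what the tunnel and enrollment need, and only from R5.
access-list OUTSIDE_IN permit esp host R5_PUBLIC host 140.52.0.100
access-list OUTSIDE_IN permit udp host R5_PUBLIC host 140.52.0.100 eq isakmp
access-list OUTSIDE_IN permit tcp host R5_PUBLIC host CA_SERVER eq www
: placeholder CA_SERVER: the CA's address as seen from outside; assumed to
: sit behind the PIX so R5's SCEP enrollment arrives inbound on TCP/80
access-group OUTSIDE_IN in interface outside
```

Because the crypto ACLs reference translated ranges, the two 10.1.1.0/24 networks never appear in the same selector, and the PIX policy does not need to open anything beyond the three protocols the peering and enrollment use.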
