Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
15764
Views
11
Helpful
6
Replies

Does permit ip any any also include GRE and ESP traffic?

Go to solution
gautamzone
Level 1
Level 1

‎12-23-2009 07:40 AM - edited ‎03-12-2019 05:59 PM

Dear friends,

When i say on the ASA, access-list xyz extended permit ip any any, does it also include GRE and ESP traffic                   

Thanks a lot

Gautam

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎12-23-2009 08:09 AM 

gautamzone wrote:
Dear friends,
When i say on the ASA, access-list xyz extended permit ip any any, does it also include GRE and ESP traffic                    
Thanks a lot
Gautam

Gautam

No it doesn't. IP includes TCP/UDP/ICMP but GRE and ESP have their own protocol numbers at the IP layer.

Jon

View solution in original post

0 Helpful

Go to solution
Kureli Sankar
Cisco Employee
Cisco Employee
In response to Jon Marshall

‎12-23-2009 08:26 AM

GRE is ip protocol 47 and ESP is ip protocol 50 so, you acl should be

access-list blah permit 47 any any

access-l blah permit 50 any any

access-list blah permit ip any any

-KS

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎12-23-2009 08:09 AM 

gautamzone wrote:
Dear friends,
When i say on the ASA, access-list xyz extended permit ip any any, does it also include GRE and ESP traffic                    
Thanks a lot
Gautam

Gautam

No it doesn't. IP includes TCP/UDP/ICMP but GRE and ESP have their own protocol numbers at the IP layer.

Jon

0 Helpful

Go to solution
Kureli Sankar
Cisco Employee
Cisco Employee
In response to Jon Marshall

‎12-23-2009 08:26 AM

GRE is ip protocol 47 and ESP is ip protocol 50 so, you acl should be

access-list blah permit 47 any any

access-l blah permit 50 any any

access-list blah permit ip any any

-KS

0 Helpful

Go to solution
gautamzone
Level 1
Level 1
In response to Kureli Sankar

‎12-23-2009 09:09 AM

Thanks a lot Jon and kushankar for the help.

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to gautamzone

‎12-20-2017 08:58 AM

I just became aware of this old thread and I find it troubling. Especially this statement

No it doesn't. IP includes TCP/UDP/ICMP but GRE and ESP have their own protocol numbers at the IP layer.

 

If TCP has its own protocol number (which is 6)

and if UDP has its own protocol number (which is 17)

and if ICMP has its own protocol number (which is 1)

then why does GRE (protocol number 47) and ESP (protocol number 50) get treated differently?

 

All of those packet types are IP and an access list which has permit ip any any would include all of those protocols. The original responses in this thread were not correct and we need to straighten them out.

 

HTH

 

Rick

HTH

Rick

Go to solution
BaljeetSingh36419
Level 1
Level 1
In response to Richard Burts

‎12-12-2019 01:35 PM

Good that I scrolled till end .. as got confused with accepted solution . Or maybe difference between theory and practical implementation
0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to BaljeetSingh36419

‎12-13-2019 07:10 AM

I can understand that you would be confused about some aspects of the accepted solutions. I am glad that now you have a better understanding of the issue.  This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

 

HTH

 

Rick

HTH

Rick
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card