10-07-2002 12:54 PM - edited 03-02-2019 01:53 AM
I have a router-to-router VPN and I am using IPsec and tunneling from one network to the other. When sending data from one network to the other, which happens first, the processing of encapsulation/de-encapsulation or the access list processing?
Thanks
10-07-2002 01:17 PM
When sending packets - access-list processing is done first, then encryption. The ACLs decide whether the packet is allowed in the interface, whether the packet should be encrypted to begin with, and an ACL checks whether the packet is allowed out the interface. Then the packet is encrypted (last thing done).
When receiving - the first thing done is check the decryption acl.
See link: http://www.cisco.com/warp/public/556/5.html
Hope it helps.
Steve
10-08-2002 05:42 AM
Thanks for the reply.
So if I am creating an encrypted tunnel between 2 locations and want to block/control traffic coming into one of the networks, will I use the public or private addresses in the ACLs to filter traffic?
thanks
Tony
10-08-2002 06:09 AM
.
10-08-2002 06:11 AM
Old account above:)
Your acl applied inbound will look something like this:
access-list 118 permit esp host x.x.x.x host y.y.y.y (where x.x.x.x is your remote ipsec peer and y.y.y.y is your local peer)
access-list 118 permit udp host x.x.x.x host y.y.y.y eq isakmp
So your filter will be based on the IPsec peer IP. Your crypto ACLs (which define what will get encrypted) must match in reverse at each end of the tunnel and will be based on your private IPs.
Steve
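To put the two ACLs side by side, here is an added IOS configuration sketch (constructed for this thread, not taken from any of the posts or from a Cisco document): the inbound interface ACL matches the public peer addresses because it is evaluated on the still-encrypted packet, while the crypto ACL matches the private subnets and is mirrored at the far end. The peer addresses 203.0.113.1 / 198.51.100.1, the LANs 10.1.0.0/24 and 10.2.0.0/24, and the ACL, transform-set and crypto-map names are all assumed placeholders.

```cisco
! ---- Site A: local peer 203.0.113.1, LAN 10.1.0.0/24 (constructed values) ----
! Interface ACL applied inbound on the outside interface. It is checked before
! decryption, so it must permit ESP and ISAKMP between the PUBLIC peer addresses.
ip access-list extended OUTSIDE-IN
 permit esp host 198.51.100.1 host 203.0.113.1
 permit udp host 198.51.100.1 host 203.0.113.1 eq isakmp
 deny ip any any log
! If your IOS release also re-evaluates the decrypted cleartext against this inbound
! ACL (platform/version dependent), add the private-to-private permit here as well:
!  permit ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255
!
! Crypto ACL: selects what gets encrypted, written with the PRIVATE addresses.
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 198.51.100.1
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 crypto map VPN
!
! ---- Site B: local peer 198.51.100.1, LAN 10.2.0.0/24 ----
! Interface ACL with the peer addresses swapped.
ip access-list extended OUTSIDE-IN
 permit esp host 203.0.113.1 host 198.51.100.1
 permit udp host 203.0.113.1 host 198.51.100.1 eq isakmp
 deny ip any any log
! Crypto ACL: the exact mirror image of Site A's entry (same subnets, reversed).
ip access-list extended VPN-TRAFFIC
 permit ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255
```

If the crypto ACLs are not exact mirrors (for example one side uses a broader subnet), the SA proxy identities will not match and phase 2 negotiation fails, which is the first thing to check with `show crypto ipsec sa` when the tunnel does not come up.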
10-08-2002 06:14 AM
Thanks a lot!!
Tony