Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
931
Views
3
Helpful
4
Replies

Access-list and IPSec encryption and deceyption

r.fang
Level 1
Level 1

‎08-06-2004 01:14 PM - edited ‎02-21-2020 01:17 PM

If I have IP access-list and Ipsec Crypto map being applied to the same router interface, which process happen first? access-list or packet decryption &encryption ?

Thanks

Labels:
0 Helpful
4 Replies 4

krishnas
Level 1
Level 1

‎08-07-2004 10:34 PM

I think IP access-list is evaluated twice for ingress packets (access-list applied in in direction). It happens for encrypted packet and again for decrypted packet. This is the reason we should explicitly permit isakmp and esp and also traffic after decryption.

For egress traffic, I think outbound access-list is evaluated first followed by encryption.

Hope this helps.

0 Helpful

r.fang
Level 1
Level 1
In response to msdonahue

‎08-09-2004 10:24 AM

Thanks, This is the white paper I am looking for.

0 Helpful

krishnas
Level 1
Level 1
In response to msdonahue

‎08-09-2004 11:02 PM

I think the packet flow outlined in the above URL is for IOS. On PIX the packets destined to PIX interface don't go through ingress ACL check. In essence, the IPSec packets terminating on the PIX interface don't go through inbound ACL applied on that interface. But after decryption it would go through the ACL if sysopt for ipsec is not configured.

0 Helpful
Customers Also Viewed These Support Documents